Replace http.Serve() with http.Server{} configured with timeouts to
address G114 gosec findings (HTTP server without timeouts). This bounds
how long a slow or idle client can hold a connection (and its goroutine)
on the unauthenticated readiness endpoint, mitigating slowloris-style
resource exhaustion.
Changes:
- Add ReadTimeout, WriteTimeout, IdleTimeout (5s each) to HTTP servers
- Use srv.Shutdown(ctx) for graceful shutdown instead of ln.Close()
- Follow existing pattern from plugin/metrics
Fixes part of #7793
Signed-off-by: Azeez Syed <syedazeez337@gmail.com>
// Package ready is used to signal readiness of the CoreDNS process. Once all
// plugins have called in the plugin will signal readiness by returning a 200
// OK on the HTTP handler (on port 8181). If not ready yet, the handler will
// return a 503.
package ready
import (
"context"
"io"
"net"
"net/http"
"sync"
"time"
clog "github.com/coredns/coredns/plugin/pkg/log"
"github.com/coredns/coredns/plugin/pkg/reuseport"
"github.com/coredns/coredns/plugin/pkg/uniq"
)
var (
	// log is the plugin-scoped logger used for the readiness and shutdown
	// messages emitted by this file.
	log = clog.NewWithPlugin("ready")

	// plugins is the set of plugins whose readiness gates the /ready answer;
	// the handler in onStartup calls plugins.Ready() on every request.
	plugins = &list{}

	// uniqAddr records the listen addresses this plugin has claimed;
	// onFinalShutdown releases rd.Addr via uniqAddr.Unset. Presumably used to
	// avoid serving the same address twice across Corefile blocks — confirm
	// against the setup code.
	uniqAddr = uniq.New()
)
// ready owns the readiness HTTP endpoint for a single listen address.
type ready struct {
	// Addr is the TCP address the readiness server listens on.
	Addr string

	// RWMutex guards every field below. onStartup and onFinalShutdown take
	// the write lock; the /ready handler takes it as well to read done.
	sync.RWMutex
	ln   net.Listener   // listener opened in onStartup
	srv  *http.Server   // server created in onStartup, stopped by onFinalShutdown
	done bool           // true once onStartup has run; cleared by onFinalShutdown
	mux  *http.ServeMux // routes "/ready" to the readiness handler
}
// shutdownTimeout bounds how long onFinalShutdown waits for in-flight /ready
// requests to drain before giving up on a graceful stop.
const shutdownTimeout = 5 * time.Second
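// onStartup binds rd.Addr and starts serving the /ready endpoint on it.
//
// The http.Server carries read, write and idle timeouts so that a slow or
// idle client cannot hold a connection (and its serving goroutine) forever —
// the slowloris-style exhaustion that matters on an unauthenticated health
// endpoint. Every struct field is published under a single critical section
// so that done is never observed true while srv or mux is still nil.
//
// It returns the listen error if rd.Addr cannot be bound; otherwise nil.
func (rd *ready) onStartup() error {
	ln, err := reuseport.Listen("tcp", rd.Addr)
	if err != nil {
		return err
	}

	mux := http.NewServeMux()
	mux.HandleFunc("/ready", rd.serveReady)
	srv := &http.Server{
		Handler:      mux,
		ReadTimeout:  5 * time.Second,
		WriteTimeout: 5 * time.Second,
		IdleTimeout:  5 * time.Second,
	}

	rd.Lock()
	rd.ln = ln
	rd.mux = mux
	rd.srv = srv
	rd.done = true
	rd.Unlock()

	go func() {
		// Serve only returns once the listener fails or the server is shut
		// down. ErrServerClosed is the expected result of onFinalShutdown and
		// is not an error worth reporting; anything else means the readiness
		// endpoint silently died, which operators need to see.
		if err := srv.Serve(ln); err != nil && err != http.ErrServerClosed {
			log.Errorf("Ready http server stopped: %s", err)
		}
	}()

	return nil
}

// serveReady answers /ready: 200 "OK" when every registered plugin reports
// ready, 503 with the list of not-ready plugins otherwise, and 503
// "Shutting down" once onFinalShutdown has cleared done.
//
// Only rd.done is read here, so the read lock suffices; concurrent probes do
// not serialise on each other.
func (rd *ready) serveReady(w http.ResponseWriter, _ *http.Request) {
	rd.RLock()
	defer rd.RUnlock()

	if !rd.done {
		w.WriteHeader(http.StatusServiceUnavailable)
		io.WriteString(w, "Shutting down")
		return
	}

	ok, notReadyPlugins := plugins.Ready()
	if ok {
		w.WriteHeader(http.StatusOK)
		io.WriteString(w, http.StatusText(http.StatusOK))
		return
	}

	log.Infof("Plugins not ready: %q", notReadyPlugins)
	w.WriteHeader(http.StatusServiceUnavailable)
	io.WriteString(w, notReadyPlugins)
}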
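// onFinalShutdown stops the /ready HTTP server. It is a no-op when the server
// was never started or has already been stopped.
//
// done is cleared and the address released under the lock, but the lock is
// dropped before Shutdown runs: Shutdown waits for in-flight requests to
// finish, and the /ready handler needs rd's lock to finish, so holding the
// lock across Shutdown would stall every shutdown that races a probe until
// shutdownTimeout expires. Clearing done first means such a probe is answered
// with 503 "Shutting down" instead.
//
// Shutdown errors (e.g. the timeout expiring with connections still open) are
// logged, not returned; the function always returns nil.
func (rd *ready) onFinalShutdown() error {
	rd.Lock()
	if !rd.done {
		rd.Unlock()
		return nil
	}
	rd.done = false
	srv := rd.srv
	uniqAddr.Unset(rd.Addr)
	rd.Unlock()

	// Guard against a startup that published done before srv (not possible
	// with the current onStartup, but cheap insurance against a nil deref).
	if srv == nil {
		return nil
	}

	ctx, cancel := context.WithTimeout(context.Background(), shutdownTimeout)
	defer cancel()
	if err := srv.Shutdown(ctx); err != nil {
		log.Infof("Failed to stop ready http server: %s", err)
	}
	return nil
}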