# HG changeset patch
# User Maxim Dounin <mdounin@mdounin.ru>
# Date 1716499201 -10800
# Node ID 199dc0d6b05be814b5c811876c20af58cd361fea
# Parent  46ecad404a296042c0088e699f275a92758e5ab9
Added max_headers directive.

The directive limits the number of request headers accepted from clients.
While the total amount of headers is believed to be sufficiently limited
by the existing buffer size limits (client_header_buffer_size and
large_client_header_buffers), the additional limit on the number of headers
might be beneficial to better protect backend servers.

Requested by Maksim Yevmenkin.

diff -r 46ecad404a29 -r 199dc0d6b05b src/http/ngx_http_core_module.c
--- a/src/http/ngx_http_core_module.c	Wed May 15 10:06:00 2024 +0300
+++ b/src/http/ngx_http_core_module.c	Fri May 24 00:20:01 2024 +0300
@@ -252,6 +252,13 @@
       offsetof(ngx_http_core_srv_conf_t, large_client_header_buffers),
       NULL },
 
+    { ngx_string("max_headers"),
+      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
+      ngx_conf_set_num_slot,
+      NGX_HTTP_SRV_CONF_OFFSET,
+      offsetof(ngx_http_core_srv_conf_t, max_headers),
+      NULL },
+
     { ngx_string("ignore_invalid_headers"),
       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
       ngx_conf_set_flag_slot,
@@ -3463,6 +3470,7 @@
     cscf->request_pool_size = NGX_CONF_UNSET_SIZE;
     cscf->client_header_timeout = NGX_CONF_UNSET_MSEC;
     cscf->client_header_buffer_size = NGX_CONF_UNSET_SIZE;
+    cscf->max_headers = NGX_CONF_UNSET_UINT;
     cscf->ignore_invalid_headers = NGX_CONF_UNSET;
     cscf->merge_slashes = NGX_CONF_UNSET;
     cscf->underscores_in_headers = NGX_CONF_UNSET;
@@ -3504,6 +3512,8 @@
         return NGX_CONF_ERROR;
     }
 
+    ngx_conf_merge_uint_value(conf->max_headers, prev->max_headers, 1000);
+
     ngx_conf_merge_value(conf->ignore_invalid_headers,
                               prev->ignore_invalid_headers, 1);
 
diff -r 46ecad404a29 -r 199dc0d6b05b src/http/ngx_http_core_module.h
--- a/src/http/ngx_http_core_module.h	Wed May 15 10:06:00 2024 +0300
+++ b/src/http/ngx_http_core_module.h	Fri May 24 00:20:01 2024 +0300
@@ -198,6 +198,8 @@
 
     ngx_msec_t                  client_header_timeout;
 
+    ngx_uint_t                  max_headers;
+
     ngx_flag_t                  ignore_invalid_headers;
     ngx_flag_t                  merge_slashes;
     ngx_flag_t                  underscores_in_headers;
diff -r 46ecad404a29 -r 199dc0d6b05b src/http/ngx_http_request.c
--- a/src/http/ngx_http_request.c	Wed May 15 10:06:00 2024 +0300
+++ b/src/http/ngx_http_request.c	Fri May 24 00:20:01 2024 +0300
@@ -1466,6 +1466,15 @@
 
             /* a header line has been parsed successfully */
 
+            if (r->headers_in.count++ >= cscf->max_headers) {
+                r->lingering_close = 1;
+                ngx_log_error(NGX_LOG_INFO, c->log, 0,
+                              "client sent too many header lines");
+                ngx_http_finalize_request(r,
+                                          NGX_HTTP_REQUEST_HEADER_TOO_LARGE);
+                break;
+            }
+
             h = ngx_list_push(&r->headers_in.headers);
             if (h == NULL) {
                 ngx_http_close_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR);
diff -r 46ecad404a29 -r 199dc0d6b05b src/http/ngx_http_request.h
--- a/src/http/ngx_http_request.h	Wed May 15 10:06:00 2024 +0300
+++ b/src/http/ngx_http_request.h	Fri May 24 00:20:01 2024 +0300
@@ -182,6 +182,7 @@
 
 typedef struct {
     ngx_list_t                        headers;
+    ngx_uint_t                        count;
 
     ngx_table_elt_t                  *host;
     ngx_table_elt_t                  *connection;
diff -r 46ecad404a29 -r 199dc0d6b05b src/http/v2/ngx_http_v2.c
--- a/src/http/v2/ngx_http_v2.c	Wed May 15 10:06:00 2024 +0300
+++ b/src/http/v2/ngx_http_v2.c	Fri May 24 00:20:01 2024 +0300
@@ -1814,6 +1814,15 @@
         }
 
     } else {
+        cscf = ngx_http_get_module_srv_conf(r, ngx_http_core_module);
+
+        if (r->headers_in.count++ >= cscf->max_headers) {
+            ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
+                          "client sent too many header lines");
+            ngx_http_finalize_request(r, NGX_HTTP_REQUEST_HEADER_TOO_LARGE);
+            goto error;
+        }
+
         h = ngx_list_push(&r->headers_in.headers);
         if (h == NULL) {
             return ngx_http_v2_connection_error(h2c,
diff -r 46ecad404a29 -r 199dc0d6b05b src/http/v3/ngx_http_v3_request.c
--- a/src/http/v3/ngx_http_v3_request.c	Wed May 15 10:06:00 2024 +0300
+++ b/src/http/v3/ngx_http_v3_request.c	Fri May 24 00:20:01 2024 +0300
@@ -657,6 +657,15 @@
         }
 
     } else {
+        cscf = ngx_http_get_module_srv_conf(r, ngx_http_core_module);
+
+        if (r->headers_in.count++ >= cscf->max_headers) {
+            ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
+                          "client sent too many header lines");
+            ngx_http_finalize_request(r, NGX_HTTP_REQUEST_HEADER_TOO_LARGE);
+            return NGX_ERROR;
+        }
+
         h = ngx_list_push(&r->headers_in.headers);
         if (h == NULL) {
             ngx_http_close_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR);