//
// ========================================================================
// Copyright (c) 1995-2020 Mort Bay Consulting Pty Ltd and others.
//
// This program and the accompanying materials are made available under
// the terms of the Eclipse Public License 2.0 which is available at
// https://www.eclipse.org/legal/epl-2.0
//
// This Source Code may also be made available under the following
// Secondary Licenses when the conditions for such availability set
// forth in the Eclipse Public License, v. 2.0 are satisfied:
// the Apache License v2.0 which is available at
// https://www.apache.org/licenses/LICENSE-2.0
//
// SPDX-License-Identifier: EPL-2.0 OR Apache-2.0
// ========================================================================
//

package org.eclipse.jetty.server.handler;

import java.io.Closeable;
import java.io.IOException;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import java.util.concurrent.ExecutionException;

import jakarta.servlet.AsyncContext;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.eclipse.jetty.http.HostPortHttpField;
import org.eclipse.jetty.http.HttpField;
import org.eclipse.jetty.http.HttpHeader;
import org.eclipse.jetty.http.QuotedCSV;
import org.eclipse.jetty.server.ForwardedRequestCustomizer;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.util.IncludeExcludeSet;
import org.eclipse.jetty.util.InetAddressSet;
import org.eclipse.jetty.util.StringUtil;
import org.eclipse.jetty.util.annotation.ManagedAttribute;
import org.eclipse.jetty.util.annotation.ManagedOperation;
import org.eclipse.jetty.util.annotation.Name;
import org.eclipse.jetty.util.thread.AutoLock;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

Handler to limit the threads per IP address for DOS protection

The ThreadLimitHandler applies a limit to the number of Threads that can be used simultaneously per remote IP address.

The handler makes a determination of the remote IP separately to any that may be made by the ForwardedRequestCustomizer or similar:

  • This handler will use either only a single style of forwarded header. This is on the assumption that a trusted local proxy will produce only a single forwarded header and that any additional headers are likely from untrusted client side proxies.
  • If multiple instances of a forwarded header are provided, this handler will use the right-most instance, which will have been set from the trusted local proxy
Requests in excess of the limit will be asynchronously suspended until a thread is available.

This is a simpler alternative to DosFilter

/** * <p>Handler to limit the threads per IP address for DOS protection</p> * <p>The ThreadLimitHandler applies a limit to the number of Threads * that can be used simultaneously per remote IP address. * </p> * <p>The handler makes a determination of the remote IP separately to * any that may be made by the {@link ForwardedRequestCustomizer} or similar: * <ul> * <li>This handler will use either only a single style * of forwarded header. This is on the assumption that a trusted local proxy * will produce only a single forwarded header and that any additional * headers are likely from untrusted client side proxies.</li> * <li>If multiple instances of a forwarded header are provided, this * handler will use the right-most instance, which will have been set from * the trusted local proxy</li> * </ul> * Requests in excess of the limit will be asynchronously suspended until * a thread is available. * <p>This is a simpler alternative to DosFilter</p> */
public class ThreadLimitHandler extends HandlerWrapper { private static final Logger LOG = LoggerFactory.getLogger(ThreadLimitHandler.class); private static final String REMOTE = "o.e.j.s.h.TLH.REMOTE"; private static final String PERMIT = "o.e.j.s.h.TLH.PASS"; private final boolean _rfc7239; private final String _forwardedHeader; private final IncludeExcludeSet<String, InetAddress> _includeExcludeSet = new IncludeExcludeSet<>(InetAddressSet.class); private final ConcurrentMap<String, Remote> _remotes = new ConcurrentHashMap<>(); private volatile boolean _enabled; private int _threadLimit = 10; public ThreadLimitHandler() { this(null, false); } public ThreadLimitHandler(@Name("forwardedHeader") String forwardedHeader) { this(forwardedHeader, HttpHeader.FORWARDED.is(forwardedHeader)); } public ThreadLimitHandler(@Name("forwardedHeader") String forwardedHeader, @Name("rfc7239") boolean rfc7239) { super(); _rfc7239 = rfc7239; _forwardedHeader = forwardedHeader; _enabled = true; } @Override protected void doStart() throws Exception { super.doStart(); LOG.info(String.format("ThreadLimitHandler enable=%b limit=%d include=%s", _enabled, _threadLimit, _includeExcludeSet)); } @ManagedAttribute("true if this handler is enabled") public boolean isEnabled() { return _enabled; } public void setEnabled(boolean enabled) { _enabled = enabled; LOG.info(String.format("ThreadLimitHandler enable=%b limit=%d include=%s", _enabled, _threadLimit, _includeExcludeSet)); } @ManagedAttribute("The maximum threads that can be dispatched per remote IP") public int getThreadLimit() { return _threadLimit; } protected int getThreadLimit(String ip) { if (!_includeExcludeSet.isEmpty()) { try { if (!_includeExcludeSet.test(InetAddress.getByName(ip))) { LOG.debug("excluded {}", ip); return 0; } } catch (Exception e) { LOG.trace("IGNORED", e); } } return _threadLimit; } public void setThreadLimit(int threadLimit) { if (threadLimit <= 0) throw new IllegalArgumentException("limit must be >0"); _threadLimit = threadLimit; } @ManagedOperation("Include IP in thread limits") public void include(String inetAddressPattern) { _includeExcludeSet.include(inetAddressPattern); } @ManagedOperation("Exclude IP from thread limits") public void exclude(String inetAddressPattern) { _includeExcludeSet.exclude(inetAddressPattern); } @Override public void handle(String target, Request baseRequest, HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException { // Allow ThreadLimit to be enabled dynamically without restarting server if (!_enabled) { // if disabled, handle normally super.handle(target, baseRequest, request, response); } else { // Get the remote address of the request Remote remote = getRemote(baseRequest); if (remote == null) { // if remote is not known, handle normally super.handle(target, baseRequest, request, response); } else { // Do we already have a future permit from a previous invocation? Closeable permit = (Closeable)baseRequest.getAttribute(PERMIT); try { if (permit != null) { // Yes, remove it from any future async cycles. baseRequest.removeAttribute(PERMIT); } else { // No, then lets try to acquire one CompletableFuture<Closeable> futurePermit = remote.acquire(); // Did we get a permit? if (futurePermit.isDone()) { // yes permit = futurePermit.get(); } else { if (LOG.isDebugEnabled()) LOG.debug("Threadlimited {} {}", remote, target); // No, lets asynchronously suspend the request AsyncContext async = baseRequest.startAsync(); // let's never timeout the async. If this is a DOS, then good to make them wait, if this is not // then give them maximum time to get a thread. async.setTimeout(0); // dispatch the request when we do eventually get a pass futurePermit.thenAccept(c -> { baseRequest.setAttribute(PERMIT, c); async.dispatch(); }); return; } } // Use the permit super.handle(target, baseRequest, request, response); } catch (InterruptedException | ExecutionException e) { throw new ServletException(e); } finally { if (permit != null) permit.close(); } } } } private Remote getRemote(Request baseRequest) { Remote remote = (Remote)baseRequest.getAttribute(REMOTE); if (remote != null) return remote; String ip = getRemoteIP(baseRequest); LOG.debug("ip={}", ip); if (ip == null) return null; int limit = getThreadLimit(ip); if (limit <= 0) return null; remote = _remotes.get(ip); if (remote == null) { Remote r = new Remote(ip, limit); remote = _remotes.putIfAbsent(ip, r); if (remote == null) remote = r; } baseRequest.setAttribute(REMOTE, remote); return remote; } protected String getRemoteIP(Request baseRequest) { // Do we have a forwarded header set? if (_forwardedHeader != null && !_forwardedHeader.isEmpty()) { // Yes, then try to get the remote IP from the header String remote = _rfc7239 ? getForwarded(baseRequest) : getXForwardedFor(baseRequest); if (remote != null && !remote.isEmpty()) return remote; } // If no remote IP from a header, determine it directly from the channel // Do not use the request methods, as they may have been lied to by the // RequestCustomizer! InetSocketAddress inetAddr = baseRequest.getHttpChannel().getRemoteAddress(); if (inetAddr != null && inetAddr.getAddress() != null) return inetAddr.getAddress().getHostAddress(); return null; } private String getForwarded(Request request) { // Get the right most Forwarded for value. // This is the value from the closest proxy and the only one that // can be trusted. RFC7239 rfc7239 = new RFC7239(); for (HttpField field : request.getHttpFields()) { if (_forwardedHeader.equalsIgnoreCase(field.getName())) rfc7239.addValue(field.getValue()); } if (rfc7239.getFor() != null) return new HostPortHttpField(rfc7239.getFor()).getHost(); return null; } private String getXForwardedFor(Request request) { // Get the right most XForwarded-For for value. // This is the value from the closest proxy and the only one that // can be trusted. String forwardedFor = null; for (HttpField field : request.getHttpFields()) { if (_forwardedHeader.equalsIgnoreCase(field.getName())) forwardedFor = field.getValue(); } if (forwardedFor == null || forwardedFor.isEmpty()) return null; int comma = forwardedFor.lastIndexOf(','); return (comma >= 0) ? forwardedFor.substring(comma + 1).trim() : forwardedFor; } private static final class Remote implements Closeable { private final String _ip; private final int _limit; private final AutoLock _lock = new AutoLock(); private int _permits; private Deque<CompletableFuture<Closeable>> _queue = new ArrayDeque<>(); private final CompletableFuture<Closeable> _permitted = CompletableFuture.completedFuture(this); public Remote(String ip, int limit) { _ip = ip; _limit = limit; } public CompletableFuture<Closeable> acquire() { try (AutoLock lock = _lock.lock()) { // Do we have available passes? if (_permits < _limit) { // Yes - increment the allocated passes _permits++; // return the already completed future return _permitted; // TODO is it OK to share/reuse this? } // No pass available, so queue a new future CompletableFuture<Closeable> pass = new CompletableFuture<>(); _queue.addLast(pass); return pass; } } @Override public void close() { try (AutoLock lock = _lock.lock()) { // reduce the allocated passes _permits--; while (true) { // Are there any future passes waiting? CompletableFuture<Closeable> permit = _queue.pollFirst(); // No - we are done if (permit == null) break; // Yes - if we can complete them, we are done if (permit.complete(this)) { _permits++; break; } // Somebody else must have completed/failed that future pass, // so let's try for another. } } } @Override public String toString() { try (AutoLock lock = _lock.lock()) { return String.format("R[ip=%s,p=%d,l=%d,q=%d]", _ip, _permits, _limit, _queue.size()); } } } private static final class RFC7239 extends QuotedCSV { String _for; private RFC7239() { super(false); } String getFor() { return _for; } @Override protected void parsedParam(StringBuffer buffer, int valueLength, int paramName, int paramValue) { if (valueLength == 0 && paramValue > paramName) { String name = StringUtil.asciiToLowerCase(buffer.substring(paramName, paramValue - 1)); if ("for".equalsIgnoreCase(name)) { String value = buffer.substring(paramValue); // if unknown, clear any leftward values if ("unknown".equalsIgnoreCase(value)) _for = null; // Otherwise accept IP or token(starting with '_') as remote keys else _for = value; } } } } }