From 61ea6ca5c61bcfdec2755a1070ca6758d5958426 Mon Sep 17 00:00:00 2001 From: WenMing Date: Mon, 15 Jul 2019 12:50:49 +0800 Subject: [PATCH 1/2] feature: added configure for anti-ReDoS. --- bin/apisix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/bin/apisix b/bin/apisix index e1dda5924188..66e8af01dae4 100755 --- a/bin/apisix +++ b/bin/apisix @@ -101,6 +101,9 @@ http { lua_http10_buffering off; + lua_regex_match_limit 100000; + lua_regex_cache_max_entries 8192; + log_format main '$remote_addr - $remote_user [$time_local] $http_host "$request" $status $body_bytes_sent $request_time "$http_referer" "$http_user_agent" $upstream_addr $upstream_status $upstream_response_time'; access_log logs/access.log main buffer=32768 flush=3; From 45d058dbe17be9c4a8abc299f23e443bfd0d7dc4 Mon Sep 17 00:00:00 2001 From: WenMing Date: Mon, 15 Jul 2019 13:08:21 +0800 Subject: [PATCH 2/2] doc: added doc for anti-redos. This configuration can avoid catastrophic backtracking of regular expressions, but to solve this problem thoroughly, we need to replace the regular engine, such as RE2. --- README.md | 1 + README_CN.md | 1 + 2 files changed, 2 insertions(+) diff --git a/README.md b/README.md index f72fc3e6d54d..ec59f2ab18d9 100644 --- a/README.md +++ b/README.md @@ -46,6 +46,7 @@ For more detailed information, see the [White Paper](https://www.iresty.com/down - **Scalability** - **High performance** - **Custom plugins** +- **Anti-ReDoS(Regular expression Denial of Service)** - **Health Checks**: TODO. - **Caching**: TODO. - **Dashboard**: TODO. diff --git a/README_CN.md b/README_CN.md index da796ec71308..5c1493a33e72 100644 --- a/README_CN.md +++ b/README_CN.md @@ -42,6 +42,7 @@ APISIX 通过插件机制,提供动态负载平衡、身份验证、限流限 - **可扩展** - **高性能** - **自定义插件** +- **防御 ReDoS(正则表达式拒绝服务)** - **健康检查**: TODO - **缓存**: TODO. - **管理控制台**: TODO.
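Review bot: In the bin/apisix hunk, `lua_regex_match_limit 100000;` and `lua_regex_cache_max_entries 8192;` go into the http block as bare literals with no comment, so a reader cannot tell why these values were chosen or which directive is the ReDoS control. Only `lua_regex_match_limit` bounds PCRE backtracking; `lua_regex_cache_max_entries` sizes the compiled-regex cache and is a performance setting. Suggest a one-line comment above each directive, and consider reading both values from configuration instead of hard-coding them in the template. One question for the author: when the match limit is hit, the ngx.re call returns an error instead of a match, so do callers that make an allow/deny decision on a regex treat that error as a failure and not as "no match"?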
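Review bot: In the README.md hunk, the new bullet `- **Anti-ReDoS(Regular expression Denial of Service)**` claims more than the commit message does. The message says the setting only avoids catastrophic backtracking and that a thorough fix needs a different regex engine such as RE2. Suggest wording the bullet as a mitigation and naming the mechanism, for example "ReDoS mitigation: PCRE match limit via `lua_regex_match_limit`", so users know it is a bounded-backtracking guard and where to tune it. There is also a missing space before the opening parenthesis. The same wording point applies to the matching bullet added in README_CN.md.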