authorEric Wong <normalperson@yhbt.net>2011-06-11 06:35:12 +0000
committerEric Wong <normalperson@yhbt.net>2011-06-11 06:35:12 +0000
commit281ef555c40cf292809ad10d623d0571fafc790e (patch)
treee13fb2af08c6896b53f244bcf6efb36a9c730051 /lib
parent1f3e7b1c7ee89aefdcadd4aebd7b0527baa188a3 (diff)
Lowering this will lower worst-case memory usage and mitigate some
denial-of-service attacks.  This should be larger than
client_header_buffer_size.

The default value is carried over from Mongrel and Unicorn.
Diffstat (limited to 'lib')
-rw-r--r--lib/rainbows/configurator.rb13
-rw-r--r--lib/rainbows/http_server.rb4
2 files changed, 17 insertions, 0 deletions
diff --git a/lib/rainbows/configurator.rb b/lib/rainbows/configurator.rb
index 1b93fc7..433158b 100644
--- a/lib/rainbows/configurator.rb
+++ b/lib/rainbows/configurator.rb
@@ -27,6 +27,7 @@ module Rainbows::Configurator
     :keepalive_requests => 100,
     :client_max_body_size => 1024 * 1024,
     :client_header_buffer_size => 1024,
+    :client_max_header_size => 112 * 1024,
     :copy_stream => IO.respond_to?(:copy_stream) ? IO : false,
   })
 
@@ -147,6 +148,18 @@ module Rainbows::Configurator
     set[:client_max_body_size] = bytes
   end
 
+  # Limits the maximum size of a request header for all requests.
+  #
+  # Default: 112 kilobytes (114688 bytes)
+  #
+  # Lowering this will lower worst-case memory usage and mitigate some
+  # denial-of-service attacks.  This should be larger than
+  # client_header_buffer_size.
+  def client_max_header_size(bytes)
+    check!
+    set_int(:client_max_header_size, bytes, 8)
+  end
+
   # This governs the amount of memory allocated for an individual read(2) or
   # recv(2) system call when reading headers.  Applications that make minimal
   # use of cookies should not increase this from the default.
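Review bot: The comment on `client_max_header_size` says the value should be larger than client_header_buffer_size, but the new method does not check that. `set_int(:client_max_header_size, bytes, 8)` looks like it only enforces a floor of 8 bytes; set_int is defined outside this hunk, so that reading is inferred. Since the limit is presented as a denial-of-service mitigation, an operator who sets it below the read buffer size gets no warning, and the resulting behaviour is not described. Because the two options can be set in either order, a check belongs where the configuration is committed rather than in this setter; at minimum the comment could add `# Values smaller than client_header_buffer_size are not rejected here.` The module body continues outside the hunk.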
diff --git a/lib/rainbows/http_server.rb b/lib/rainbows/http_server.rb
index be02630..746d534 100644
--- a/lib/rainbows/http_server.rb
+++ b/lib/rainbows/http_server.rb
@@ -97,4 +97,8 @@ class Rainbows::HttpServer < Unicorn::HttpServer
   def keepalive_requests
     Unicorn::HttpRequest.keepalive_requests
   end
+
+  def client_max_header_size=(bytes)
+    Unicorn::HttpParser.max_header_len = bytes
+  end
 end
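Review bot: `client_max_header_size=` has no comment, and the call site does not make clear that it writes class-level state. `Unicorn::HttpParser.max_header_len = bytes` is set on the parser class rather than on this server instance, so the limit presumably applies to every parser in the process. A one-line comment would make that explicit, for example `# Sets the process-wide header size limit on Unicorn::HttpParser.` The setter also passes `bytes` through unchecked, so it relies on the Configurator having validated the value; saying so in the comment would help anyone calling it directly. The class body starts outside the hunk.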