Add connection backpressure and timeouts

[gjcairo]

This PR adds connection-level backpressure and timeout support to the server.

A new optional maxConnections field on NIOHTTPServerConfiguration lets users cap the number of concurrent connections: when the limit is reached, the server stops accepting new connections by gating NIO read events on the server channel until existing connections close.

Alongside this, a new ConnectionTimeouts configuration provides idle, read-header, and-read body timeouts to evict slow or misbehaving connections, to mitigate attacks against the connection limit. Timeouts are enabled by default with reasonable values (60s/30s/60s respectively); the connection limit is opt-in.

Both features work across HTTP/1.1 and HTTP/2, with timeout handlers split appropriately between connection and stream levels for HTTP/2.

[aryan-25]

"Set to null to disable" isn't true; each of these options will get nil-coalesced to the default value if the key isn't specified in the config.

[gjcairo]

I changed the docs but also removed the coalescing from the SwiftConfiguration initialiser - I think it's clearer that if you set things to nil then you don't want anything.

[aryan-25]

Looks like these three if blocks are identical to the method bodies below. We can probably call into those methods here.

[aryan-25]

Should we allow both the read and write idle timeouts to be configurable?

[aryan-25]

We can use NIOHTTPServerTests.echoResponse here.

[aryan-25]

We can use NIOHTTPServerTests.validateResponse here.

[aryan-25]

Is this channel handler guaranteed to only prevent the call to read() once?

Because channel.read() is only called once upon close (line 48).

[gjcairo]

I might be misunderstanding your point, but the point of this handler is not to prevent the call to read just once - it's to make sure we're always below the set limit. That might mean calling read multiple times whenever we fall below the threshold, and withhold forwards of reads when we're above it.

[fabianfett]

why do we need to hop here? we already should be on the correct EL.

[fabianfett]

I don't think we should read here automatically. I think we should only read here, if we have seen a read call before that we didn't immediately forward. Other channels in the pipeline might want to stop backpressure for their own reasons. This auto read call assumes we are the only channel in the pipeline.

[gjcairo]

Good point, will make this change

[fabianfett]

While it is totally fair to implement this in additional ChannelHanders, I strongly advise against it for performance reasons. We should really try to reduce pipeline overhead and pipeline modifications.

[gjcairo]

I've consolidated these into two handlers instead. Is that what you had in mind?

[fabianfett]

the full body? or is this between body part? please make this more explicit.

[fabianfett]

is this use-full? this means that this has to account for the longest possible request. I think something like the time between body parts is more appropriate?

[gjcairo]

That's a fair question. Go's http package only has a single timeout from connection establishment till connection end (so, the time it takes to read everything, including headers and request body).

I think having a timeout only between body parts could open the door to attacks where a client opens a bunch of connections and slowly trickles tiny bits of data just before the timeout fires to keep the connection alive.

We could have both, but we already have the idle timeout which keeps track of all reads or writes, so it's somewhat covered. I suppose we could remove the idle timeout and instead add timeouts for the time between reads and a separate one for time between writes if we want more granularity (while also keeping this readBody timeout). What do you think?

[fabianfett]

please call out, that this is only used after the first request. before the first request, it is readHeader.

[gjcairo]

This timeout runs from connection establishment and is reset every time something is read or written, it's independent of the readHeader timeout.

[fabianfett]

are we sure we want to have this initializer? it feels like we would need to extend that, whenever a new property is added? I think having the init with just first three is more appropriate. All others can be changed via properties, if needed.

[fabianfett]

just as a drive by notice: I think we should also support, h/2 over plaintext, shouldn't we?

[gjcairo]

Yeah we're tracking that work.

[fabianfett]

we 1000% should combine those two handlers into just one. We should try to reduce the total number of ChannelHandlers as much as possible.

[gjcairo]

I did it this way because for H2, we only want the idle handler in the connection channel, and the read handler in the stream channel, and merging them made it more confusing to read IMO as it would mean passing nil timeouts depending on which channel we're adding the handler to. I understand merging them would improve the performance of H1 requests though since we'd be adding a single handler instead of 2. I can make the change if we want to sacrifice some readability for performance in that case though.