Bound incoming request and add postgres service#76
Bound incoming request and add postgres service#76enigbe wants to merge 3 commits intolightningdevkit:mainfrom
Conversation
|
👋 Thanks for assigning @tankyleo as a reviewer! |
enigbe
force-pushed
the
2025-12-bound-incoming-request-and-postgres-service
branch
from
4bfb403 to
a163ae7
Compare
rust/server/src/vss_service.rs
Outdated
| use std::pin::Pin; | ||
| use std::sync::Arc; | ||
|
|
||
| const MAXIMUM_REQUEST_BODY_SIZE: u16 = 65_535; |
There was a problem hiding this comment.
This seems very conservative, given that monitors could get quite large. Given that the VSS service is actually a storage service, it also might make sense to make this configurable (in contrast to lightningdevkit/ldk-server#80, but even there we set the limit to 10MB).
There was a problem hiding this comment.
As mentioned elsewhere: I guess a static upper bound is a good first step, but if we're really concerned about DoS we might need some dynamic rate limiting on a per-IP basis. Although then the question becomes how much of that should be considered the concern of the VSS service itself, and how much we'd just expect users to slap a load balancer/Cloudflare in front of the service to handle that for them
There was a problem hiding this comment.
I've made the configuration changes suggested here, capping at 20 MB for the maximum size.
There was a problem hiding this comment.
No, as mentioned elsewhere, individual values might be quite a bit larger than 10 or 20MB. I think something along the lines of 100MB would be a more reasonable maximum, though per request it raises the question of how much a DoS protection this actually is.
There was a problem hiding this comment.
I've updated the max to 1GB per Matt's recommendation. We get basic protection with this but I could spent some time on this and propose a coherent strategy.
enigbe
force-pushed
the
2025-12-bound-incoming-request-and-postgres-service
branch
from
5d391cc to
fbdd957
Compare
|
🔔 1st Reminder Hey @tankyleo! This PR has been waiting for your review. |
|
🔔 2nd Reminder Hey @tankyleo! This PR has been waiting for your review. |
|
🔔 3rd Reminder Hey @tankyleo! This PR has been waiting for your review. |
|
🔔 4th Reminder Hey @tankyleo! This PR has been waiting for your review. |
|
🔔 5th Reminder Hey @tankyleo! This PR has been waiting for your review. |
|
🔔 6th Reminder Hey @tankyleo! This PR has been waiting for your review. |
|
🔔 7th Reminder Hey @tankyleo! This PR has been waiting for your review. |
|
🔔 8th Reminder Hey @tankyleo! This PR has been waiting for your review. |
|
🔔 9th Reminder Hey @tankyleo! This PR has been waiting for your review. |
tnull
left a comment
tnull
left a comment
There was a problem hiding this comment.
Can we also add some test coverage to ensure the database / backends actually support the configured maximum values, i.e., that we're not otherwise limited somehow?
rust/server/src/vss_service.rs
Outdated
| use std::pin::Pin; | ||
| use std::sync::Arc; | ||
|
|
||
| const MAXIMUM_REQUEST_BODY_SIZE: u16 = 65_535; |
There was a problem hiding this comment.
No, as mentioned elsewhere, individual values might be quite a bit larger than 10 or 20MB. I think something along the lines of 100MB would be a more reasonable maximum, though per request it raises the question of how much a DoS protection this actually is.
|
🔔 10th Reminder Hey @tankyleo! This PR has been waiting for your review. |
|
🔔 11th Reminder Hey @tankyleo! This PR has been waiting for your review. |
enigbe
force-pushed
the
2025-12-bound-incoming-request-and-postgres-service
branch
2 times, most recently
from
97b6b25 to
93faf38
Compare
|
Thanks for the review @tnull and @TheBlueMatt. I have updated the maximum request body size and added a test to check that our backend(s) support the configured value. It's ready for another look when you have the time. |
|
🔔 12th Reminder Hey @tankyleo! This PR has been waiting for your review. |
tnull
left a comment
tnull
left a comment
There was a problem hiding this comment.
Generally looks good, mod some comments.
As noted above already, I do wonder how much we're gaining at all we we're limiting to 1GB per request. In any case, probably better than nothing. So generally concept ACK from my side, but I'll leave it to @tankyleo to decide.
|
I mean at least it avoids someone being able to OOM us by just sending us trash 🤷♂️ Of course VSS exposed directly would probably still be OOM'able with a few parallel requests, but hopefully a decent frontend proxy can limit the impact by buffering the requests first. |
enigbe
force-pushed
the
2025-12-bound-incoming-request-and-postgres-service
branch
2 times, most recently
from
15417ec to
7121dcc
Compare
|
🔔 13th Reminder Hey @tankyleo! This PR has been waiting for your review. |
tankyleo
left a comment
tankyleo
left a comment
There was a problem hiding this comment.
Thank your for the PR sorry for the delay on my part, a few bits, looking good !
enigbe
force-pushed
the
2025-12-bound-incoming-request-and-postgres-service
branch
from
7121dcc to
f061dc1
Compare
enigbe
force-pushed
the
2025-12-bound-incoming-request-and-postgres-service
branch
from
f061dc1 to
8a49df9
Compare
|
Hi @tankyleo |
enigbe
force-pushed
the
2025-12-bound-incoming-request-and-postgres-service
branch
2 times, most recently
from
564f34a to
5d0d841
Compare
tankyleo
left a comment
tankyleo
left a comment
There was a problem hiding this comment.
Thanks a few more nits below, feel free to squash the fixups
enigbe
force-pushed
the
2025-12-bound-incoming-request-and-postgres-service
branch
from
5d0d841 to
04a9213
Compare
|
Hi @tankyleo, |
tankyleo
left a comment
tankyleo
left a comment
There was a problem hiding this comment.
LGTM two nits, good to consolidate everything into two commits, one for the docker file, and one for the max_request_body_size feature.
As with the other PR, please remove the prefixes, and capitalize the first word of the commit message.
enigbe
force-pushed
the
2025-12-bound-incoming-request-and-postgres-service
branch
from
04a9213 to
e0ae2f9
Compare
enigbe
left a comment
enigbe
left a comment
There was a problem hiding this comment.
I've addressed the last nits. When you approve I'll squash the remaining fixup commit.
LGTM thank you ! Would you mind consolidating the max request body size feature in a single commit ? I would prefer one commit for the docker service, and one for the max request body size thanks. |
enigbe
force-pushed
the
2025-12-bound-incoming-request-and-postgres-service
branch
from
e0ae2f9 to
c16f96c
Compare
I've consolidated the commits as requested. |
Add VssServiceConfig to make the maximum request body size configurable through the server configuration file, with a hard limit of 1GB. Additionally, add test coverage for 1GB maximum supported value size and verifies that storage backends can handle the configured maximum value size.
enigbe
force-pushed
the
2025-12-bound-incoming-request-and-postgres-service
branch
from
c16f96c to
2963c8d
Compare
enigbe
changed the title
tankyleo
left a comment
tankyleo
left a comment
There was a problem hiding this comment.
Thank you for the ping, appreciate your patience I am now back to focusing on VSS. A quick comment for now, will do a more comprehensive review tomorrow
rust/server/src/util/config.rs
Outdated
| let bind_address_env = read_env(BIND_ADDR_VAR)?; | ||
| let (bind_address_config, max_request_body_size_config) = match server_config { | ||
| Some(c) => (c.bind_address, c.max_request_body_size), | ||
| None => (None, None), | ||
| }; | ||
|
|
||
| let bind_address_env = read_env(BIND_ADDR_VAR)? | ||
| .map(|addr| { | ||
| addr.parse().map_err(|e| { | ||
| format!("Unable to parse the bind address environment variable: {}", e) | ||
| }) | ||
| }) | ||
| .transpose()?; |
There was a problem hiding this comment.
Can you double check this section ? Looks like the rebase reverted some code to how it was before. We don't need to parse BIND_ADDR_VAR into an Option<String>, we can use the original let bind_address_env = read_env(BIND_ADDR_VAR)?; thank you
rust/impls/src/postgres_store.rs
Outdated
|
|
||
| // Construct entry that's for a field that's the maximum size of a non-"large_object" object | ||
| let large_value = vec![0u8; MAXIMUM_SUPPORTED_VALUE_SIZE - PROTOCOL_OVERHEAD_MARGIN]; | ||
| let kv = KeyValue { key: "k1".into(), version: 0, value: Bytes::from(large_value) }; |
There was a problem hiding this comment.
We'll need to clone large_value here
rust/impls/src/postgres_store.rs
Outdated
| resp_kv.value.len(), | ||
| MAXIMUM_SUPPORTED_VALUE_SIZE - PROTOCOL_OVERHEAD_MARGIN | ||
| ); | ||
| assert!(resp_kv.value.iter().all(|&b| b == 0)); |
There was a problem hiding this comment.
Let's do this here: assert_eq!(resp_kv.value, large_value);
rust/server/src/main.rs
Outdated
| let vss_service_config = match &config.max_request_body_size { | ||
| Some(size) => match VssServiceConfig::new(*size) { |
There was a problem hiding this comment.
usize is Copy, so we can do match config.max_request_body_size and VssServiceConfig::new(size)
rust/server/src/util/config.rs
Outdated
| let max_request_body_size_env = read_env(MAX_REQUEST_BODY_SIZE_VAR)? | ||
| .map(|mrbs| { | ||
| mrbs.parse::<usize>().map_err(|e| { | ||
| format!("Unable to parse the maximum request body size environment variable: {}", e) | ||
| }) | ||
| }) | ||
| .transpose()?; | ||
| let max_request_body_size = max_request_body_size_env.or(max_request_body_size_config); | ||
|
|
There was a problem hiding this comment.
nit: This is a little out of place here, let's put this after the let bind_address statement further above, thank you appreciate it
There was a problem hiding this comment.
This has been moved up.
| return Ok(Response::builder() | ||
| .status(StatusCode::PAYLOAD_TOO_LARGE) | ||
| .body(Full::new(Bytes::from("Request body too large"))) | ||
| .unwrap()); |
There was a problem hiding this comment.
For consistency, let's also add // unwrap safety: body only errors when previous chained calls failed. right above this line, like we do for the other body calls below.
There was a problem hiding this comment.
I've added the comment here.
Addresses the following: - read bind address correctly, - add appropriate unwrap documentation, - drop ref to mrbs because usize impls clone, - clone large object, and - assert_eq(Byte, Vec<u8>): because Bytes impls PartialEq with Vec<u8>, we can compare them directly.
enigbe
force-pushed
the
2025-12-bound-incoming-request-and-postgres-service
branch
from
7943877 to
5cef3b6
Compare
5 participants
What this PR does
TODOmaximum_request_body_sizein [server_config] or via environment variable