英文:
Is an http.Request.Body buffered in golang?
问题
我正在使用Go编写一个Web应用程序。我有一个http.Handler处理程序,它执行一些操作并写入响应。
func (h *MyHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
// 做一些操作
}
到目前为止,我在POST和GET请求之间没有做任何区别,这在通常情况下是可以的。
但是POST请求有一个Request.Body。
POST数据会发生什么?Go会缓冲它吗?我的处理程序是立即调用,还是等到POST完全接收后再调用?
为了提供一些背景,我特别关注慢速洛里斯(slow loris)攻击。
我知道Go的每个连接开销非常低,但是对于POST大量数据怎么样?如果我POST 9Mb的数据,然后一次只传送1字节,Go会如何处理?它会在内存中缓冲这9Mb吗?如果我进行10,000次这样的请求,那可能会有90Gb的缓冲POST数据。我的服务器不会喜欢这样的情况。
英文:
I'm writing a web app in Go. I have a http.Handler that does some stuff and writes a response.
func (h *MyHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
// do some stuff
}
So far I don't do anything different between POST and GET requests which is fine in the usual case.
But POSTs have a Request.Body.
What happens to that POST data? Does go buffer it? Is my handler invoked immediately, or does it wait until the POST is fully received?
To provide some context, I am specifically concerned with a slow loris attack.
I know that go has a very low per-connection overhead, but what about POSTing large amounts of data? If I POST 9Mb of data and then spoon-feed 1 byte at a time, how does go deal with that? Did it buffer the 9Mb in memory? If I do 10,000 such requests, that could be 90Gb of buffered POST data. My server won't like that very much.
答案1
得分: 1
有一些缓冲涉及其中,但处理程序会立即被调用,你需要自己读取请求的Body。
至于来自慢速客户端和特定的慢速攻击(如slowloris)所带来的资源消耗,最简单的解决方案是在你的服务器上设置一个ReadTimeout。
英文:
There is some buffering involved, but the handler is invoked immediately, and it's up to you to read the request.Body.
As far as resource consumption from slow clients and specifically attacks like slowloris, the easiest solution is to set a ReadTimeout on your server.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论