Hyper: Make sleep_on_error timeout configurable, enable it by default + document it
Follow-up to #1358 .
Now that we have internal IO error handling when a Hyper server is under heavy load (or DoS attack) we should make this configurable and enabled by default for a better developer experience.
- [ ] Make sleep_on_error timeout configurable (currently hard-coded to 10ms)
- [ ] Enable sleep_on_error per default
- [ ] Document it. https://docs.rs/hyper/0.11.21/hyper/server/struct.Http.html#method.sleep_on_errors is a pretty good start, should we say more about it? Maybe a footnote somewhere on https://hyper.rs/ ?
klausi
All 3 comments
Disclaimer: I am not a web developer, either frontend or backend.
Swallowing errors by default seems like a terrible idea to me. This is the best way to make unreliable and difficult to debug software. In fact, JavaScript's "swallow errors by default" design philosophy is perhaps the primary reason why I'm not a web developer; I was hoping that a full-stack Rust framework (with WebAssembly on the frontend) would make the idea more appealing to me, because Rust seems to have precisely the opposite design philosophy.
However, it does seem that for a DoS attack or heavy load, the server needs to be able to ignore requests for some short period of time. But the user should still be able to do something with the specific errors that are generated.
So my suggestion would be to permit users to specify callbacks to invoke when specific errors occur, or possibly a generic callback invoked when any ignored error occurs.
A reasonable default behavior might be to automatically set up these callbacks to simply log the error. That would accomplish the goal of making robust server setup easier, while also ensuring that there's still an easy way to discover and investigate possible bugs--or, in a production environment, actual attempted DoS attacks.
BatmanAoD
on 16 Mar 2018
Completely agree with the above comment.
What is the behavior, when timeout is 0 ms?
I consider it totally appropriate to reject new connections and free related resources immediately if they can not be accepted due to lack of handlers allowed. It is unlikely that there will be anyone allowed in 10ms (or whatever small interval), but context for timeouts and inbound connections will be held in RAM.
Upper layer should be notified about such rejections.
avkonst
on 18 Mar 2018
1488 was just merged, and included some changes that touch this. Here's how it works now:
sleep_on_errorsis set to be default on- When enabled, it will log at the
error!level about the failures, so users can still see bad things are happening. - The timeout duration itself isn't configurable, it's just 1 second.
- It can be turned off, and a completely custom strategy can be created by a user just by providing their own "incoming" stream of accepted connections.
seanmonstar
on 17 Apr 2018
Related issues
lslima91
路
4Comments
toplinuxsir
路
3Comments
mcseemk
路
3Comments
colindean
路
3Comments
zonyitoo
路
4Comments
Most helpful comment
Disclaimer: I am not a web developer, either frontend or backend.
Swallowing errors by default seems like a terrible idea to me. This is the best way to make unreliable and difficult to debug software. In fact, JavaScript's "swallow errors by default" design philosophy is perhaps the primary reason why I'm not a web developer; I was hoping that a full-stack Rust framework (with WebAssembly on the frontend) would make the idea more appealing to me, because Rust seems to have precisely the opposite design philosophy.
However, it does seem that for a DoS attack or heavy load, the server needs to be able to ignore requests for some short period of time. But the user should still be able to do something with the specific errors that are generated.
So my suggestion would be to permit users to specify callbacks to invoke when specific errors occur, or possibly a generic callback invoked when any ignored error occurs.
A reasonable default behavior might be to automatically set up these callbacks to simply log the error. That would accomplish the goal of making robust server setup easier, while also ensuring that there's still an easy way to discover and investigate possible bugs--or, in a production environment, actual attempted DoS attacks.