Support early request body buffering before upstream peer selection#816
Support early request body buffering before upstream peer selection#816CodyPubNub wants to merge 8 commits intocloudflare:mainfrom
Conversation
Add opt-in request body buffering via request_body_buffer_limit() trait method. When implemented, the full request body is read and filtered before request_filter runs, making it available for auth signature verification and content-based routing decisions. Resolves cloudflare#780
…buffering # Conflicts: # pingora-proxy/src/lib.rs
|
Hey, thanks for your patience. I realize this ticket missed some of our triage steps. It's a big change, but it seems worthwhile. We will check it out to make sure the impact on our system wouldn't be too extreme. One thing that will make this easier to review is to make this fully configurable so that we can opt out of this change. |
Thanks for taking a look! The feature is fully opt-in, request_body_buffer_limit() returns None by default, and when it does, buffer_request_body_early() returns immediately with no side effects. No existing code paths are altered unless a user explicitly overrides that trait method to return Some(max_size). Happy to add additional gating if needed. |
PiotrSikora
left a comment
PiotrSikora
left a comment
There was a problem hiding this comment.
Hi @CodyPubNub,
this is completely unsolicited drive-by review (I have no relationship with the project, so my feedback might be different than that from maintainers), but I was recently looking at Pingora and was surprised by the lack of request body buffering before establishing connection to the upstream, so I'm also interested in solving this, albeit for a more generic use case.
pingora-proxy/src/lib.rs
Outdated
| match body_chunk { | ||
| Some(data) => { | ||
| let is_body_done = session.downstream_session.is_body_done(); | ||
|
|
||
| // Call request_body_filter for each chunk | ||
| let mut filter_data: Option<Bytes> = Some(data); | ||
| session | ||
| .downstream_modules_ctx | ||
| .request_body_filter(&mut filter_data, is_body_done) | ||
| .await?; | ||
| self.inner | ||
| .request_body_filter(session, &mut filter_data, is_body_done, ctx) | ||
| .await?; | ||
|
|
||
| // Accumulate the (possibly filtered) data | ||
| if let Some(filtered) = filter_data { | ||
| total_size += filtered.len(); | ||
|
|
||
| // Check size limit during accumulation (streaming protection) | ||
| if total_size > max_size { | ||
| return Error::e_explain( | ||
| HTTPStatus(413), | ||
| format!( | ||
| "Request body exceeded limit: {} > {} bytes", | ||
| total_size, max_size | ||
| ), | ||
| ); | ||
| } | ||
|
|
||
| body_parts.push(filtered); | ||
| } | ||
|
|
||
| if is_body_done { | ||
| break; | ||
| } | ||
| } | ||
| None => { | ||
| // End of body, call filter with end_of_stream=true | ||
| let mut filter_data: Option<Bytes> = None; | ||
| session | ||
| .downstream_modules_ctx | ||
| .request_body_filter(&mut filter_data, true) | ||
| .await?; | ||
| self.inner | ||
| .request_body_filter(session, &mut filter_data, true, ctx) | ||
| .await?; | ||
|
|
||
| // Collect any final data from the filter | ||
| if let Some(filtered) = filter_data { | ||
| total_size += filtered.len(); | ||
|
|
||
| // Final size check | ||
| if total_size > max_size { | ||
| return Error::e_explain( | ||
| HTTPStatus(413), | ||
| format!( | ||
| "Request body exceeded limit: {} > {} bytes", | ||
| total_size, max_size | ||
| ), | ||
| ); | ||
| } | ||
|
|
||
| body_parts.push(filtered); | ||
| } | ||
| break; | ||
| } |
There was a problem hiding this comment.
Both of those branches contain virtually the same code.
Could you de-duplicate this and use if let Some(data) = body_chunk { ... } where needed?
pingora-proxy/src/lib.rs
Outdated
| session | ||
| .downstream_modules_ctx | ||
| .request_body_filter(&mut filter_data, is_body_done) | ||
| .await?; | ||
| self.inner | ||
| .request_body_filter(session, &mut filter_data, is_body_done, ctx) | ||
| .await?; |
There was a problem hiding this comment.
This results in wrong and error-prone ordering of callbacks, i.e. request body callbacks (HttpModule::request_body_filter and ProxyHttp::request_body_filter) are called before request headers callbacks (HttpModule::request_header_filter and ProxyHttp::request_filter).
The buffered request body is available in request_filter using get_buffered_body to perform any business logic based on the request body, so I'm not sure why you need to call those filters here. You should use this step only to pre-read and buffer the request body, and then push it through request_body_filter after request_filter is done.
Alternatively, you could add early_request_body_filter to avoid messing with the existing request flow.
pingora-proxy/src/lib.rs
Outdated
| // Get Content-Length if present (for early size check) | ||
| let content_length = session | ||
| .downstream_session | ||
| .req_header() | ||
| .headers | ||
| .get(header::CONTENT_LENGTH) | ||
| .and_then(|v| v.to_str().ok()) | ||
| .and_then(|s| s.parse::<usize>().ok()); | ||
|
|
||
| // Fail fast: check Content-Length before reading | ||
| if let Some(cl) = content_length { | ||
| if cl > max_size { | ||
| return Error::e_explain( | ||
| HTTPStatus(413), | ||
| format!( | ||
| "Request body too large: Content-Length {} exceeds limit {} bytes", | ||
| cl, max_size | ||
| ), | ||
| ); | ||
| } | ||
| } | ||
|
|
||
| // Check if there's a body to read (Content-Length > 0 or Transfer-Encoding) | ||
| let has_body = content_length.is_some_and(|len| len > 0) | ||
| || session | ||
| .downstream_session | ||
| .req_header() | ||
| .headers | ||
| .get(header::TRANSFER_ENCODING) | ||
| .is_some(); | ||
|
|
||
| if !has_body { | ||
| // No body to buffer, mark as done | ||
| session.mark_body_buffered(); | ||
| return Ok(()); | ||
| } |
There was a problem hiding this comment.
This doesn't work with HTTP/2 requests that don't contain the Content-Length header.
| /// Determine whether to buffer the entire request body before connecting to upstream. | ||
| /// | ||
| /// This is called after [`Self::early_request_filter()`] but before [`Self::request_filter()`] | ||
| /// and [`Self::upstream_peer()`]. The body is buffered in `Session::buffered_request_body` | ||
| /// and can be accessed via [`Session::get_buffered_body()`]. | ||
| /// | ||
| /// # Returns | ||
| /// - `None`: Don't buffer, stream body to upstream (default) | ||
| /// - `Some(max_size)`: Buffer body with size limit, return 413 error if exceeded | ||
| /// | ||
| /// # Use Cases | ||
| /// - Auth signature verification (need full body before auth decision) | ||
| /// - Content-based routing decisions | ||
| /// - Body transformation before upstream selection | ||
| /// | ||
| /// # Size Limit Enforcement | ||
| /// When returning `Some(max_size)`: | ||
| /// - Content-Length header is checked first (fail fast before reading) | ||
| /// - Body size is checked during accumulation (streaming protection) | ||
| /// - If exceeded, returns HTTP 413 (Payload Too Large) |
There was a problem hiding this comment.
This approach works well for a few specific use cases, but generic proxies should allow buffering up to the buffer limit, and then resume reading and forward remaining data once the upstream is connected, without rejecting the requests with request body larger than the buffer limit.
There was a problem hiding this comment.
This approach works well for a few specific use cases, but generic proxies should allow buffering up to the buffer limit, and then resume reading and forward remaining data once the upstream is connected, without rejecting the requests with request body larger than the buffer limit.
I agree buffer-then-stream is useful for generic proxies. Inspecting the head of a large upload without rejecting it has clear value.
The use case driving this PR is authorization: the auth decision depends on a signature computed over the complete body, so a partial buffer isn't sufficient. The full body has to be available before upstream_peer. Without a hard size limit that becomes an unbounded memory commitment per request, which is why request_body_buffer_limit returns a max size and rejects with 413 if exceeded.
I think buffer-then-stream is a different feature with different semantics (partial visibility, no 413, resume streaming after peer selection). I've scoped this PR to the full-buffer case, but buffer-then-stream would be a solid follow-up.
There was a problem hiding this comment.
FWIW, my use case is similar to @CodyPubNub's. We need the full request body in order to make decisions about whether to allow the request to proceed.
(also unaffiliated with the project, just 👀 this PR because I want this feature)
There was a problem hiding this comment.
I think buffer-then-stream is a different feature with different semantics (partial visibility, no 413, resume streaming after peer selection). I've scoped this PR to the full-buffer case, but buffer-then-stream would be a solid follow-up.
Right, the feature is different on a high-level, but both require buffering request body before it can be forwarded upstream, and once you have the generic capability, it's easy to support your use case (i.e. block forwarding until max_size bytes or complete request body).
- Fix HTTP/2 body detection: replace has_body heuristic (Content-Length or Transfer-Encoding) with explicit Content-Length == 0 skip. H2 POST without Content-Length was incorrectly treated as bodyless. - Collapse two near-identical match arms (Some/None) into a unified flow using end_of_body flag, removing ~40 lines of duplication. Addresses review comments 1 and 3 from @PiotrSikora.
- New trait method runs per-chunk during buffer_request_body_early(), before request_header_filter — avoids calling request_body_filter out of phase order. - Remove is_body_buffered() skip guards from proxy_h1/h2 — normal request_body_filter runs unguarded during upstream forwarding. - Update body_routing example to demonstrate the streaming callback. - Add early_request_body_filter to phase docs and mermaid charts. Addresses review comment 2 from @PiotrSikora.
Thanks for the thorough review, @PiotrSikora. I really appreciate you taking the time. I've addressed comments 1-3:
|
PiotrSikora
left a comment
PiotrSikora
left a comment
There was a problem hiding this comment.
Thanks! This looks much better now.
pingora-proxy/src/proxy_h2.rs
Outdated
| let mut downstream_state = if body_was_buffered { | ||
| DownstreamStateMachine::PreBuffered | ||
| } else { | ||
| DownstreamStateMachine::new(session.as_mut().is_body_done()) | ||
| }; | ||
|
|
||
| // Use pre-buffered body if available, otherwise check for retry buffer | ||
| let buffer = if body_was_buffered { | ||
| pre_buffered_body | ||
| } else { | ||
| session.as_mut().get_retry_buffer() | ||
| }; |
There was a problem hiding this comment.
Nit: You could return (downstream_state, buffer) tuple here (same in H1 proxy).
pingora-proxy/src/proxy_trait.rs
Outdated
| /// - Content-Length header is checked first (fail fast before reading) | ||
| /// - Body size is checked during accumulation (streaming protection) | ||
| /// - If exceeded, returns HTTP 413 (Payload Too Large) | ||
| fn request_body_buffer_limit(&self, _session: &Session, _ctx: &Self::CTX) -> Option<usize> { |
There was a problem hiding this comment.
Nit: early_request_body_buffer_limit
| /// Determine whether to buffer the entire request body before connecting to upstream. | ||
| /// | ||
| /// This is called after [`Self::early_request_filter()`] but before [`Self::request_filter()`] | ||
| /// and [`Self::upstream_peer()`]. The body is buffered in `Session::buffered_request_body` | ||
| /// and can be accessed via [`Session::get_buffered_body()`]. | ||
| /// | ||
| /// # Returns | ||
| /// - `None`: Don't buffer, stream body to upstream (default) | ||
| /// - `Some(max_size)`: Buffer body with size limit, return 413 error if exceeded | ||
| /// | ||
| /// # Use Cases | ||
| /// - Auth signature verification (need full body before auth decision) | ||
| /// - Content-based routing decisions | ||
| /// - Body transformation before upstream selection | ||
| /// | ||
| /// # Size Limit Enforcement | ||
| /// When returning `Some(max_size)`: | ||
| /// - Content-Length header is checked first (fail fast before reading) | ||
| /// - Body size is checked during accumulation (streaming protection) | ||
| /// - If exceeded, returns HTTP 413 (Payload Too Large) |
There was a problem hiding this comment.
I think buffer-then-stream is a different feature with different semantics (partial visibility, no 413, resume streaming after peer selection). I've scoped this PR to the full-buffer case, but buffer-then-stream would be a solid follow-up.
Right, the feature is different on a high-level, but both require buffering request body before it can be forwarded upstream, and once you have the generic capability, it's easy to support your use case (i.e. block forwarding until max_size bytes or complete request body).
- Rename request_body_buffer_limit → early_request_body_buffer_limit for consistency with early_request_body_filter (comment 6) - Collapse downstream_state + buffer into tuple return in proxy_h1 and proxy_h2 (comment 5) - Align inline comments with existing Cloudflare style - Update body_routing example and phase docs Addresses review comments 5 and 6 from @PiotrSikora.
4 participants
Resolves #780
Adds opt-in early body buffering to
ProxyHttp. Whenearly_request_body_buffer_limit()returnsSome(max_size), the full request body is read beforerequest_filterruns. The buffered body is available viaSession::get_buffered_body()for inspection andSession::set_buffered_body()for mutation, and is automatically forwarded to upstream during the proxy phase.New trait methods:
early_request_body_buffer_limit()— opt in to buffering with a size limit (defaultNone)early_request_body_filter()— per-chunk callback during early buffering, before any header-phase filters run. Use for streaming processing (e.g., decompression) that doesn't depend onrequest_filterstate. The normalrequest_body_filter()still runs during upstream forwarding.Use cases:
early_request_body_filterSize limits are enforced in two layers: Content-Length check before reading (fail fast), and accumulated size check during streaming. Exceeding the limit returns HTTP 413. Default is
None(no buffering), so existing code is unaffected.HTTP/2 body detection: requests without
Content-Length(valid in HTTP/2) are handled correctly — onlyContent-Length: 0skips the body read.Includes a
body_routingexample demonstrating all three patterns — stream, peek, and mutate:Phase docs and mermaid charts updated to include the new phase.