openresty / docker-openresty

Docker tooling for OpenResty
https://hub.docker.com/r/openresty/openresty
BSD 2-Clause "Simplified" License

HTTP2 Rapid Reset Mitigation #238

Closed neomantra closed 9 months ago

neomantra commented 11 months ago

An HTTP2 zero-day vulnerability was recently released -- dubbed "HTTP/2 Rapid Reset":

NGINX has a mitigation posted -- I'm not sure what versions that works against:

These Docker images can move differently than upstream OpenResty. While I will definitely build against new upstream OpenResty images, we can also provide our own patches.

I don't have the bandwidth to do this, but I am happy to review and advance any PRs.

Marking this for #Hacktoberfest

neomantra commented 11 months ago

Noting this Nginx patch mentioned in the upstream issue #930:

neomantra commented 10 months ago

Noting that 1.21.4.3 was released which fixes this.

I did the updates yesterday, but they're not all building clean. Hopefully all the packages get to their repos and I can release today.

One can build their own image like so:

docker build --build-arg RESTY_APK_VERSION="=1.21.4.3-r0" -f alpine-apk/Dockerfile .
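The build command above pins the Alpine package to the fixed upstream release; what a practitioner usually wants next is a check that the image they actually run reports a version at or above 1.21.4.3, the release the thread names as carrying the fix. The script below is an added example, not code from the docker-openresty project or from this thread. It assumes `openresty -v` prints a line of the form `nginx version: openresty/X.Y.Z.W` (to stderr, hence the `2>&1`), that `sort -V` is available on the host, and that the image tag `openresty-rapid-reset-check` is free to use; the Docker build and run only happen when `DO_DOCKER_BUILD=1` is set, so the version helpers can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the docker-openresty project): build the pinned
# image and confirm the OpenResty version it reports is at or above the
# first upstream release the thread says carries the fix.

FIXED_VERSION="1.21.4.3"

# version_ge A B: succeeds when A >= B under dotted-version ordering.
# Relies on sort -V (GNU coreutils or busybox); assumed present on the host.
version_ge() {
    [ "$(printf '%s\n%s\n' "$2" "$1" | sort -V | head -n1)" = "$2" ]
}

# extract_version "<openresty -v output>": prints the dotted version, or
# nothing if the line does not look like "nginx version: openresty/X.Y.Z.W"
# (that output format is an assumption of this example).
extract_version() {
    printf '%s\n' "$1" | sed -n 's#.*openresty/\([0-9][0-9.]*\).*#\1#p'
}

# is_patched "<openresty -v output>": succeeds only when a version was
# parsed and it is >= FIXED_VERSION. Unparseable input counts as not patched.
is_patched() {
    v=$(extract_version "$1")
    [ -n "$v" ] && version_ge "$v" "$FIXED_VERSION"
}

# The Docker steps need the daemon and network access, so they run only on
# request; the helper functions above work stand-alone.
if [ "${DO_DOCKER_BUILD:-0}" = "1" ]; then
    # Same pin as in the thread; image tag is this example's own choice.
    docker build --build-arg RESTY_APK_VERSION="=1.21.4.3-r0" \
        -t openresty-rapid-reset-check -f alpine-apk/Dockerfile .
    out=$(docker run --rm openresty-rapid-reset-check openresty -v 2>&1)
    if is_patched "$out"; then
        echo "OK: $out"
    else
        echo "NOT PATCHED: $out" >&2
        exit 1
    fi
fi
```

Run it as `DO_DOCKER_BUILD=1 sh check-openresty.sh` from the repository root (where `alpine-apk/Dockerfile` lives). Treating unparseable output as unpatched is deliberate: a check that silently passes when the binary prints something unexpected is worse than one that fails loudly.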

neomantra commented 9 months ago

This was mitigated in release 1.21.4.3-0 and on (just released 1.21.4.3-1).