
iroh_http_core/http/server/
options.rs

//! `ServeOptions` and the default tunables consumed by
//! [`crate::http::server::serve_with_events`].
//!
//! Split out of `mod.rs` per Slice C.7 of #182 so the accept loop in
//! `mod.rs` stays close to the axum reference shape (≤ 200 LoC).

/// Tunables for the inbound HTTP serve loop.
///
/// Handed to [`crate::http::server::serve`] or
/// [`crate::http::server::serve_with_events`]. The fields control
/// per-request middleware (Tower layers), inbound connection caps and the
/// serve-loop lifecycle; they do **not** apply to outgoing fetch calls.
///
/// Every field is an `Option`, and the derived `Default` leaves all of them
/// `None`. The "Default:" value quoted on each field is what that field is
/// documented to fall back to in the `None` case; the code performing the
/// substitution lives outside this file.
// NOTE(review): how `Some(0)` is treated for the numeric limits is not
// defined here — confirm against the serve loop before relying on it.
#[derive(Clone, Debug, Default)]
pub struct ServeOptions {
    /// Upper bound on requests that may be in flight at the same time.
    /// Default: 1024.
    pub max_concurrency: Option<usize>,
    /// Number of consecutive accept-loop errors tolerated before the serve
    /// loop terminates.  Default: 5.
    pub max_serve_errors: Option<usize>,
    /// Timeout applied to each request, in milliseconds.  Default: 60 000.
    pub request_timeout_ms: Option<u64>,
    /// Upper bound on connections held by any single peer.  Default: 8.
    pub max_connections_per_peer: Option<usize>,
    /// Request bodies exceeding this many **wire** bytes (i.e. still
    /// compressed) are rejected.  Default: 16 MiB.
    pub max_request_body_wire_bytes: Option<usize>,
    /// Request bodies exceeding this many **decoded** bytes (measured after
    /// decompression) are rejected. This is the primary compression-bomb
    /// guard: a small wire body can still expand far past the wire limit.
    /// Default: 16 MiB.
    pub max_request_body_decoded_bytes: Option<usize>,
    /// How long a graceful shutdown waits for in-flight work to drain, in
    /// milliseconds.  Default: 30 000.
    pub drain_timeout_ms: Option<u64>,
    /// Upper bound on the total number of QUIC connections the server will
    /// accept.  Default: unlimited.
    ///
    /// Left at `None`, this struct imposes no global connection ceiling;
    /// the per-peer cap limits each peer but not the number of peers, so an
    /// explicit value is worth setting on endpoints reachable by untrusted
    /// peers.
    pub max_total_connections: Option<usize>,
    /// When `true` (the default), a request arriving while `max_concurrency`
    /// is already reached is answered immediately with `503 Service
    /// Unavailable` instead of being queued.  Prevents thundering-herd on
    /// recovery.
    pub load_shed: Option<bool>,
    /// When `true` (the default), compressed request bodies are decompressed
    /// automatically before the handler sees them.  Set to `false` to
    /// receive the raw wire bytes (e.g. for relay/proxy use-cases that
    /// forward the body downstream without inspecting it).
    // NOTE(review): whether `max_request_body_decoded_bytes` is still
    // enforced when this is `false` cannot be told from this file. If it is
    // not, whichever component eventually decompresses the forwarded body
    // needs its own expansion limit — confirm.
    pub decompression: Option<bool>,
}
/// 1024 — matches the default documented for `ServeOptions::max_concurrency`.
pub(crate) const DEFAULT_CONCURRENCY: usize = 1024;

/// 60 000 ms — matches the default documented for
/// `ServeOptions::request_timeout_ms`.
pub(crate) const DEFAULT_REQUEST_TIMEOUT_MS: u64 = 60_000;

/// 8 — matches the default documented for
/// `ServeOptions::max_connections_per_peer`.
pub(crate) const DEFAULT_MAX_CONNECTIONS_PER_PEER: usize = 8;

/// 30 000 ms — matches the default documented for
/// `ServeOptions::drain_timeout_ms`.
pub(crate) const DEFAULT_DRAIN_TIMEOUT_MS: u64 = 30_000;

/// 16 MiB — the fallback when `max_request_body_wire_bytes` or
/// `max_request_body_decoded_bytes` is not explicitly set.
/// Keeps unbounded request bodies from exhausting memory.
pub(crate) const DEFAULT_MAX_REQUEST_BODY_BYTES: usize = 16 * 1024 * 1024;

/// 256 MiB — the fallback when `max_response_body_bytes` is not explicitly
/// set. Keeps a malicious server from exhausting memory with a compressed
/// response that expands to an unbounded size (compression bomb).
// NOTE(review): `max_response_body_bytes` is not a `ServeOptions` field in
// this file; presumably it belongs to the outgoing-fetch options — confirm
// where this limit is applied.
pub(crate) const DEFAULT_MAX_RESPONSE_BODY_BYTES: usize = 256 * 1024 * 1024;