Skip to main content

plecto_server/
lib.rs

1//! plecto-server — the M2 fast path (ADR 000013, TLS 000014, HTTP/2 000015, HTTP/3 000016).
2//!
3//! A tokio listener that turns Plecto from a library into an actual reverse proxy. It serves
4//! HTTP/1.1 and HTTP/2 over TCP (hyper, ALPN-negotiated — ADR 000015) and HTTP/3 over QUIC (quinn +
5//! the h3 crate, an independent UDP listener advertised via `Alt-Svc` — ADR 000016). All three
6//! transports feed the same transaction core (`proxy_core`); only the body adapters differ.
7//! Per request it: builds a header-only `HttpRequest`, asks the control plane which route
8//! matches (host + path prefix), runs that route's filter chain, and either responds now (a
9//! filter short-circuited / failed closed) or forwards the request to the route's upstream and
10//! runs the response side of the chain on the way back.
11//!
12//! **sync↔async bridge (the §6.3 prerequisite).** Filter execution is synchronous and runs on a
13//! wasmtime `Store` that is `!Send`, so it cannot cross an `.await`. Each chain dispatch is moved
14//! to tokio's blocking pool via `spawn_blocking`; the M1 trusted instance pool handles instance
15//! reuse and saturation there. Route matching is pure config lookup and stays on the async thread.
16//!
17//! **Request body: buffered ONLY when a filter reads it (ADR 000025 / 000038).** A route whose
18//! filters all target the header-only `filter` world streams the request body straight to the
19//! upstream (zero-copy); a route with a filter that exports `on-request-body` (`reads_body`) has the
20//! body buffered (bounded) and run through the `on-request-body` chain. The response body always
21//! streams straight back — filters see response headers / status only (they may synthesise a
22//! short-circuit body of their own).
23
24// Hot-path discipline (bp-rust): no unwrap/expect/panic/indexing on the data plane. Exempted
25// under `cfg(test)` — this crate's own `#[cfg(test)] mod` blocks legitimately use them;
26// `tests/*.rs` integration tests are separate crates and are never subject to this attribute.
27#![cfg_attr(
28    not(test),
29    warn(
30        clippy::unwrap_used,
31        clippy::expect_used,
32        clippy::panic,
33        clippy::indexing_slicing
34    )
35)]
36
37mod access_log;
38mod admin;
39mod body;
40mod compression;
41mod conn_limit;
42mod dispatch;
43mod dns;
44mod error;
45mod forward;
46mod h3;
47mod headers;
48mod health;
49mod listener;
50mod metrics;
51mod otlp;
52mod proxy;
53// `pub`: the out-of-workspace fuzz harness (`fuzz/`) drives the pure parser (ADR 000057). Not a
54// semver surface — the crate is `publish = false`.
55pub mod proxy_protocol;
56mod respond;
57mod retry;
58mod tunnel;
59mod upstream_client;
60
61use std::sync::Arc;
62
63use bytes::Bytes;
64use http_body_util::combinators::BoxBody;
65use hyper::header::HeaderValue;
66use hyper_util::client::legacy::connect::HttpConnector;
67use plecto_control::Control;
68use tokio::sync::Semaphore;
69
70use crate::metrics::ServerMetrics;
71use crate::upstream_client::UpstreamClients;
72
73pub use listener::{DEFAULT_DRAIN_DEADLINE, serve, serve_with_shutdown};
74
75/// Cap glibc's per-thread malloc arenas at process start to bound RSS on many-core hosts.
76///
77/// glibc defaults to `8 × ncpu` arenas on 64-bit. Under a many-threaded proxy doing bursty
78/// per-request allocations, freed memory lingers in each thread's arena instead of returning to the
79/// OS, inflating RSS (measured ~2.5× at 1 MB bodies × 50 conns — docs/servey body-tax). This is a
80/// defensive complement to the real fix (not buffering a body no filter reads); routes that
81/// legitimately buffer still allocate, and this bounds their arena fragmentation.
82///
83/// `M_ARENA_MAX` only gates creation of NEW arenas and never reclaims existing ones, so this MUST
84/// run before the runtime spawns its worker threads (call it first in `main`). Default cap **4** — a
85/// portable, contention-safe value used across multithreaded services, chosen over the value that
86/// minimised RSS on one host (1) precisely because Plecto is self-hosted on varied machines.
87/// Override with `PLECTO_MALLOC_ARENA_MAX` (`0` leaves glibc's default in place). No-op off glibc.
88pub fn cap_malloc_arenas() {
89    let max = std::env::var("PLECTO_MALLOC_ARENA_MAX")
90        .ok()
91        .and_then(|s| s.parse::<i32>().ok())
92        .unwrap_or(4);
93    apply_arena_cap(max);
94}
95
96#[cfg(all(target_os = "linux", target_env = "gnu"))]
97fn apply_arena_cap(max: i32) {
98    if max <= 0 {
99        return; // 0 / negative: leave glibc's default (8 × ncpu) untouched.
100    }
101    // SAFETY: a plain libc call made single-threaded at startup, before any worker thread exists.
102    // Returns 1 on success / 0 on failure; a best-effort tuning knob, so a rejection is ignored
103    // rather than failing startup.
104    unsafe {
105        libc::mallopt(libc::M_ARENA_MAX, max as core::ffi::c_int);
106    }
107}
108
109#[cfg(not(all(target_os = "linux", target_env = "gnu")))]
110fn apply_arena_cap(_max: i32) {}
111
112/// A boxed, `Send` error — the unified error type for the boxed request/response bodies.
113pub(crate) type BoxError = Box<dyn std::error::Error + Send + Sync>;
114
115/// The response body the service yields: either a synthesised buffer (`Full`, for a short-circuit
116/// or a fail-closed 5xx) or the upstream's streamed body (`Incoming`), unified behind one boxed
117/// type so the service has a single return shape.
118pub(crate) type ResponseBody = BoxBody<Bytes, BoxError>;
119
120/// The request body forwarded to the upstream, boxed so one type covers every inbound transport:
121/// the hyper `Incoming` (HTTP/1.1 + HTTP/2) and the QUIC/h3 recv stream (HTTP/3, ADR 000016). The
122/// body streams straight through opaquely (header-only contract, ADR 000010) regardless of source.
123pub(crate) type ReqBody = BoxBody<Bytes, BoxError>;
124
125/// Global cap on concurrently-served connections across all transports (CWE-770). A permit
126/// is acquired BEFORE each accept, so at saturation the listener stops pulling new connections off
127/// the OS backlog (natural backpressure) instead of spawning per-connection tasks unboundedly.
128pub(crate) const MAX_CONNECTIONS: usize = 10_000;
129
130/// Per-source-IP cap on concurrently-served connections (CWE-770/CWE-400, docs/servey production
131/// hardening — ADR 000027 amendment), enforced by [`conn_limit::PerIpConnLimit`] in both accept
132/// loops (TCP `listener.rs`, QUIC `h3/endpoint.rs`). `MAX_CONNECTIONS` alone bounds the total but
133/// not its distribution: without this, one source can hold every permit and starve every other
134/// client. ~2.6% of `MAX_CONNECTIONS` — comfortably above any legitimate single-source workload
135/// (even a large NAT/corporate gateway), while an attacker needs ~40 distinct source addresses
136/// (or hash-colliding /64s, for IPv6) to exhaust the pool alone, instead of one.
137pub(crate) const MAX_CONNECTIONS_PER_IP: u32 = 256;
138
139/// Raise the process's soft `RLIMIT_NOFILE` to match the hard limit at startup (Unix only; a no-op
140/// twin exists for other platforms below).
141///
142/// Most distros ship a low default soft limit (often 1024) while the hard limit is already
143/// generous — an unprivileged process may always raise its own soft limit up to the hard limit
144/// (POSIX `setrlimit(2)`, no `CAP_SYS_RESOURCE` needed). Without this, an accept loop asking for
145/// `MAX_CONNECTIONS` sockets hits EMFILE at the OS default long before its own cap — and, by
146/// design, a transient accept error is logged and the loop continues (`listener.rs`), so the
147/// server silently stops admitting new connections instead of crashing loudly. Raising the HARD
148/// limit itself needs a privilege Plecto does not request (self-hosting simplicity, deny-by-default
149/// P4); if the hard limit is ALSO below what `MAX_CONNECTIONS` needs, this only warns — an
150/// operator must raise it externally (systemd `LimitNOFILE=`, `docker run --ulimit nofile=...`, or
151/// the container runtime's own ulimit configuration).
152#[cfg(unix)]
153pub fn raise_nofile_limit() {
154    match unix_raise_nofile_limit() {
155        Ok((soft, hard)) => {
156            // 1 client fd + 1 upstream fd per proxied connection (the same accounting nginx
157            // documents for a proxying worker), doubled for headroom: the admin/health listener,
158            // DNS-refresh sockets, TLS resumption file handles, and connections mid-teardown that
159            // have not yet released their `MAX_CONNECTIONS` permit.
160            let wanted = MAX_CONNECTIONS as u64 * 4;
161            if soft < wanted {
162                tracing::warn!(
163                    soft,
164                    hard,
165                    wanted,
166                    "RLIMIT_NOFILE is below the recommended floor for MAX_CONNECTIONS; raise the \
167                     HARD limit externally (systemd LimitNOFILE=, docker --ulimit nofile=, or \
168                     ulimit -Hn) — Plecto does not request CAP_SYS_RESOURCE to do this itself"
169                );
170            } else {
171                tracing::info!(soft, hard, "RLIMIT_NOFILE raised to the hard limit");
172            }
173        }
174        Err(e) => {
175            tracing::warn!(
176                error = %e,
177                "failed to read/raise RLIMIT_NOFILE; leaving the OS default in place"
178            );
179        }
180    }
181}
182
183/// No POSIX resource limits on this platform — nothing to raise.
184#[cfg(not(unix))]
185pub fn raise_nofile_limit() {}
186
187#[cfg(unix)]
188fn unix_raise_nofile_limit() -> std::io::Result<(u64, u64)> {
189    let mut rlim = libc::rlimit {
190        rlim_cur: 0,
191        rlim_max: 0,
192    };
193    // SAFETY: `rlim` is a valid, stack-local `libc::rlimit`; `getrlimit`/`setrlimit` only read/
194    // write through the pointer we pass and signal failure via a `-1` return (checked below),
195    // never touching memory beyond the struct.
196    if unsafe { libc::getrlimit(libc::RLIMIT_NOFILE, &mut rlim) } != 0 {
197        return Err(std::io::Error::last_os_error());
198    }
199    let hard = rlim.rlim_max;
200    if rlim.rlim_cur < hard {
201        rlim.rlim_cur = hard;
202        if unsafe { libc::setrlimit(libc::RLIMIT_NOFILE, &rlim) } != 0 {
203            return Err(std::io::Error::last_os_error());
204        }
205    }
206    // `rlim_t` is `u64` on every Unix target this crate builds for (Linux glibc/musl, macOS).
207    Ok((rlim.rlim_cur, hard))
208}
209
210/// Per-connection cap on concurrent HTTP/2 streams (ADR 000015). A fixed, conservative bound (not
211/// yet manifest-configurable): it stops a single h2 connection from monopolising the fixed-capacity
212/// M1 instance pool (ADR 000012) with concurrent chain dispatches, and is defence-in-depth against
213/// stream-flooding DoS (the h2 crate already mitigates Rapid Reset, CVE-2023-44487). 100 is the
214/// RFC 9113 recommended floor; hyper's own default is version-dependent and not API-stable, so we
215/// pin it explicitly.
216pub(crate) const MAX_CONCURRENT_STREAMS: u32 = 100;
217
218/// Shared per-server state: the control plane (filters, routes, reload), the upstream clients, and
219/// the `Alt-Svc` header value advertising HTTP/3 (ADR 000016) — `Some` only when a QUIC listener is
220/// bound, and added to TCP (HTTP/1.1 + HTTP/2) responses to steer capable clients to h3.
221pub(crate) struct ServerState {
222    control: Arc<Control>,
223    /// Per-security-context upstream clients (ADR 000042): one plain HTTP/1.1 client plus one
224    /// pooled TLS client per distinct `[upstream.tls]` config.
225    clients: UpstreamClients,
226    alt_svc: Option<HeaderValue>,
227    /// Global connection cap across TCP + QUIC: a permit is held for each connection's
228    /// lifetime, so the server never serves more than `MAX_CONNECTIONS` at once.
229    conn_limit: Arc<Semaphore>,
230    /// Per-source-IP connection cap across TCP + QUIC (`MAX_CONNECTIONS_PER_IP`): a slot is held
231    /// for each connection's lifetime, so one source cannot exhaust `conn_limit` alone.
232    per_ip_conn_limit: Arc<conn_limit::PerIpConnLimit>,
233    /// Cap on concurrently-buffered request bodies for the `on-request-body` hook, bounding
234    /// total buffered memory.
235    body_buffer_limit: Arc<Semaphore>,
236    /// Native data-plane metrics (Stage A observability, ADR 000009): RED signals tallied per
237    /// request and served on the admin endpoint. Always recorded (cheap atomics); whether anyone
238    /// can scrape them is gated by `[observability] admin_addr`.
239    metrics: Arc<ServerMetrics>,
240    /// The OTLP span buffer (ADR 000040), present iff `[observability] otlp_endpoint` is set:
241    /// `proxy_core` pushes one SERVER request span per sampled transaction; the export pump
242    /// (spawned by the listener) drains it.
243    otlp: Option<Arc<plecto_control::otlp::OtlpBuffer>>,
244    /// The graceful-shutdown drain flag (ADR 000039), cloned into every spawned upgrade tunnel
245    /// (ADR 000048) so an indefinite tunnel closes at drain instead of outliving the server.
246    drain: tokio::sync::watch::Receiver<bool>,
247    /// The readiness flag (ADR 000059): `true` for the serving lifetime, flipped to `false` at
248    /// the shutdown signal — BEFORE the drain starts — so `/readyz` tells the front load
249    /// balancer to remove this replica while it still accepts connections (the readiness grace).
250    ready: tokio::sync::watch::Receiver<bool>,
251}
252
253/// An upstream TCP connector with `TCP_NODELAY` set. A proxy must disable Nagle on its upstream
254/// sockets: with Nagle on, a streamed request body sent in several writes stalls ~40 ms on the
255/// peer's delayed-ACK timer (surfaced by the body benchmark as a p99 cliff on large streamed
256/// bodies). Disabling Nagle on proxy/upstream sockets is standard practice across mature L7 proxies.
257/// Both the forwarding clients and the health prober use it — plain, and wrapped by the rustls
258/// connector for a TLS upstream (ADR 000042), which is why `enforce_http` is off (the wrapping
259/// `HttpsConnector` dials `https://` URIs through it).
260pub(crate) fn upstream_connector() -> HttpConnector {
261    let mut c = HttpConnector::new();
262    c.set_nodelay(true);
263    c.enforce_http(false);
264    c
265}
266
267#[cfg(test)]
268mod alloc_tuning_tests {
269    #[cfg(all(target_os = "linux", target_env = "gnu"))]
270    #[test]
271    fn mallopt_arena_max_is_accepted_by_glibc() {
272        // Guards the FFI constant + linkage: glibc returns 1 when it accepts the option.
273        let rc = unsafe { libc::mallopt(libc::M_ARENA_MAX, 4) };
274        assert_eq!(
275            rc, 1,
276            "glibc mallopt(M_ARENA_MAX, 4) should return 1 on success"
277        );
278    }
279
280    #[test]
281    fn cap_is_a_noop_when_disabled() {
282        // 0 leaves glibc's default in place; must not panic (and compiles/no-ops off glibc).
283        super::apply_arena_cap(0);
284    }
285}
286
287#[cfg(all(test, unix))]
288mod nofile_tests {
289    #[test]
290    fn raises_soft_limit_to_match_the_hard_limit() {
291        // An unprivileged process may always raise its own soft limit up to the hard limit
292        // (POSIX) — every sandbox this test runs in must allow it, so a failure here is real.
293        let (soft, hard) =
294            super::unix_raise_nofile_limit().expect("getrlimit/setrlimit must succeed");
295        assert_eq!(
296            soft, hard,
297            "soft limit must be raised to match the hard limit"
298        );
299
300        // Calling it again is idempotent: the limit is already at its ceiling.
301        let (soft2, hard2) =
302            super::unix_raise_nofile_limit().expect("a second call must also succeed");
303        assert_eq!((soft2, hard2), (soft, hard));
304    }
305}