HTTP Desync attack against HTTP/2 protocol

This article describes the vulnerabilities that attackers use to launch HTTP Desync attacks against well-known websites in order to hijack clients, poison caches, and steal credentials. HTTP Desync attack on Netflix: the Content-Length header is not required in HTTP/2, because each DATA frame carries its own length field. However, the HTTP/2 RFC allows the header as long as its value is correct. Netflix used a front-end that downgraded requests from HTTP/2 to HTTP/1.1 without validating the Content-Length value.

Use of Prometheus record rules

As the hottest cloud-native monitoring tool, Prometheus is without doubt a strong performer. However, as we keep using it, the metrics stored in Prometheus grow over time and queries become more frequent. As we add more Grafana dashboards, we may gradually notice that Grafana can no longer render charts on time and that timeouts occasionally occur, especially when we are

Custom Traefik (Private) plugin

Although Traefik ships with a lot of middleware by default that covers most daily needs, in practice users still need to write custom middleware. To address this, Traefik officially launched the Traefik Pilot feature, and Traefik v2.5 additionally introduced support for local plugins. Traefik Pilot: Traefik Pilot is a SaaS platform that links to Traefik to extend its functionality,

GraphQL and REST: Two API Architectures

GraphQL is both a query language for the API and a runtime for your data queries. GraphQL provides a complete set of easy-to-understand descriptions of the data in your API, allowing the client to get exactly the data it needs without any redundancy, and making it easier for the API to evolve over time, as well as for building powerful developer tools. Over the last decade, REST has become the design standard for Web APIs, providing some great ideas such as stateless servers and structured access to resources.

Faster Maven is here!

One of the biggest disadvantages of Maven, which is often compared to Gradle, is that Maven builds slowly: Gradle builds 2 to 10 times faster than Maven. Today Maven can be faster as well. The Apache Maven team took inspiration from Gradle and Takari (the Maven lifecycle optimizer) to enhance Maven, resulting in the maven-mvnd project. Brief introduction: mvnd is not a rewrite of Maven; rather, it has Maven built in.

Stuck problems caused by soft links

fs::symlink_metadata. Recently I wrote a program to recursively collect folder statistics and it got stuck when measuring the size of a folder. I used find -type l to search for soft links and found two links that referenced each other recursively: a points to b’s folder while b points to a’s folder. Looking at the source code, I realized that the stat() system call underlying std::fs::metadata follows the link, so I switched

cargo tree invert

Suppose there is a requirement that a Rust binary compiled in a Fedora environment with a recent glibc (2.34) must run in the customer’s CentOS 7 environment with glibc 2.17. Because binaries built against a newer glibc will not run with an older glibc, one possible solution is to use the musl-gcc/musl-clang toolchain so that the binary no longer depends strongly on the glibc version; for example, TabNine’s Linux binary is built with musl.

Bugs caused by tokio cancellation propagation

Recently, I encountered some bugs in my project: the receiver of a tokio channel was dropped for some reason, resulting in a send error. After debugging, I found that it was actually caused by hyper’s cancel propagation. It can be reproduced with the following changes to examples/web_api.rs in the hyper source code: diff --git a/Cargo.

Why you shouldn't accept code with race

Concurrent programming in any language runs into the race problem. Modern languages take two approaches to it: one restricts the user from writing racy code as far as possible through ownership plus Sync/Send, as in Rust; the other detects data races during testing with a race detector, as in Go. The design of Go’s race detector means that it cannot be turned on in production, and many companies do not actually run race tests before going live, which leads some Gophers to think that it is okay to write racy code because it is “eventually consistent”.

Raspberry Pi computer flies to the International Space Station

The Raspberry Pi Foundation recently announced that it has launched two Raspberry Pi devices (Astro Pi) into space. Each Astro Pi unit is described as consisting of a Raspberry Pi computer, a Raspberry Pi camera and a series of sensors, all housed in a special space-ready enclosure that ensures the hardware can be used on the International Space Station (ISS). The goal of this work is to get the new Astro Pi devices ready to be part of the European Astro Pi Challenge, the foundation said.

Belgian Defense Ministry Network Hit by Severe Cyber Attack Related to Log4shell Vulnerability

According to a report by Belgian broadcaster VRT, earlier this week the Belgian Ministry of Defense admitted that it had suffered a serious cyber attack based on the Apache Log4j vulnerability we reported on previously. The attack paralyzed some activities of the Belgian Ministry of Defense; for example, the mail system was down for several days. Olivier Séverin, a Belgian defense spokesman, said, “The Ministry of Defense discovered on Thursday that its computer network with Internet access was under attack.

DuckDuckGo is developing a desktop browser that is not based on Chromium

DuckDuckGo is a leading Internet search engine, launched in 2008. DuckDuckGo emphasizes protecting the privacy of searchers by not collecting user data or tracking users during searches, and by not displaying personalized advertisements the way Google Search does. DuckDuckGo also offers a browser extension that provides privacy protections such as anti-tracking and encryption upgrades. Although DuckDuckGo has made a lot of effort to protect privacy, it has never controlled the most important gateway to the Internet: the browser.

Apache HTTP Server Multiple Vulnerability Risk Notice

Brief description of the vulnerability: On December 23, 2021, 360CERT monitoring found that Apache had officially released a security notice fixing multiple vulnerabilities, including the following vulnerability numbers: CVE-2021-44224 and CVE-2021-44790. Vulnerability level: High Risk; vulnerability score: 8.2. Apache HTTP Server is an open source web server from the Apache Software Foundation that runs on most operating systems and is one of the most popular web server software packages

OAuth 2.0 Authorization Authentication Explained

OAuth 2.0 protocol introduction: For the user identity management requirements of application systems, including authentication, permission authorization, single sign-on, federated authentication and other business scenarios, the industry has a range of standards and specifications, such as CAS and Kerberos for single sign-on, OpenID for third-party authentication, OAuth for third-party user authorization, SAML as a data standard for federated authentication and authorization, and so on. Each technology has its own application scenarios, and there are also overlapping scenarios.

HTTP protocol evolution and features of each version

Recently, I’ve been learning about TCP/IP, and I’ve found that most of the HTTP-related material is very old. Many of the materials have not been updated for newer HTTP versions. So I took the time to do some simple organization. HTTP’s past life: Before the HTTP protocol was defined, Berners-Lee had already proposed the hypertext idea and eventually implemented the earliest hypertext systems. 1980 - The birth of hypertext

It's a sad story that Go generics don't support generic methods

According to the Go generics proposal, Go does not support generic methods: “No parameterized methods.” The main reason is that Go generics are implemented at compile time, and for generic methods it is difficult, or even impossible, to determine how the type parameters should be instantiated without contextual analysis and inference at compile time, so the current (Go 1.18) Go implementation does not support generic methods. However, the lack

Google Announces Results of Log4j 2 "Vulnerability" Investigation: Not Affected|Google Workspace Core Service Does Not Use Log4j 2

Since the Apache Log4j 2 “alarming vulnerability” was disclosed on December 9, many technology companies around the world have been affected by it. On December 17, Google announced that it had investigated the incident, and it published the results on the official Google Cloud page on December 21. According to the results posted on the Google Cloud page, Google Workspace core services for consumer and paid users do not use Log4j 2 and are not affected by the CVE-2021-44228 and CVE-2021-45046 “vulnerabilities” on Dec.

Customizing the Kubernetes Scheduler

kube-scheduler is one of the core components of Kubernetes. It is responsible for scheduling resources across the entire cluster: according to specific scheduling algorithms and policies, Pods are scheduled onto the most suitable worker nodes so that cluster resources are used more reasonably and fully. This is a very important reason why we

Use of URL Rewrite in Traefik version 2.X

Previously we introduced the use of URL Rewrite in ingress-nginx, where rewriting paths is mostly similar to the traditional nginx approach. But if we use Traefik as our gateway, what do we do when we encounter URL Rewrite requirements? We introduced the basic features of Traefik 2.1 in an article on understanding the use of Traefik 2.1, but we did not cover URL Rewrite. For example, if we deploy a Nexus application

Deploying VSCode on a Kubernetes Cluster

code-server is VSCode running on a server and accessed directly through a browser. VSCode is a modern code editor that supports Git, a code debugger, intelligent code completion, and various customizations and extensions. Next, we’ll go over how to run VSCode on our Kubernetes cluster. Installation: First of all, of course, you need a running Kubernetes cluster, and if you want to access our Cloud IDE via a domain name, you also need to prepare a domain name and have an Ingress Controller installed in the cluster.