cli: add --max-http-header-size flag

[cjihrig]

Allow the maximum size of HTTP headers to be overridden from the command line.

Refs: nodejs/http-parser#453
Fixes: #24692

Checklist

• make -j4 test (UNIX), or vcbuild test (Windows) passes
• tests and/or benchmarks are included
• documentation is changed or added
• commit message follows commit guidelines

[nodejs-github-bot]

@cjihrig build started: https://ci.nodejs.org/blue/organizations/jenkins/node-test-pull-request-lite-pipeline/detail/node-test-pull-request-lite-pipeline/1807/pipeline

[mcollina]

Is there a matching PR for http-parser?

@cjihrig do you see this as an alternative to #24716?

[mcollina]

I think we should expose that value as a read-only property under http.

[cjihrig]

Is there a matching PR for http-parser?

Yes, nodejs/http-parser#453

do you see this as an alternative to #24716?

Not strictly an alternative. See #24716 (comment) for my feelings on having both.

[sam-github]

Probably an obvious suggestion, but perhaps you can reuse the existing tests if they are made slightly context aware wrt. the size setting, then wrap them in one that specifies a node option, like https://github.com/nodejs/node/blob/master/test/parallel/test-tls-cli-min-version-1.0.js

[mcollina]

LGTM

[dglozic]

Can this be back-ported to Node 8 LTS? As of v8.14.0, people blessed with domains with a lot of cookies are broken without this option, effectively preventing them from consuming any more LTS fixes (and 8.14.0 contains a security fix as well).

[cjihrig]

I think I've addressed all the nits.

@mcollina, you signed off on this, but did you still want this added to the HTTP API?

[mcollina]

It would be better but it can come later if somebody needs it.

[cjihrig]

It would be better but it can come later if somebody needs it.

Opened #24860 to discuss separately.

[mcollina]

CI: https://ci.nodejs.org/job/node-test-pull-request/19298/

[mcollina]

@cjihrig what's the status of this?

[lxe]

Thanks for this!

[pharatesid]

how do i use this feature and configure the http header size

[losdevnull]

Does this apply to https as well? It does not seem to work with https.createServer.

[mcollina]

@losdevnull it should! If not please open an new issue with a script to reproduce and tag me.

[losdevnull]

@mcollina never mind.. it turns out that we did not set the arg correctly in command line by appending it in the end instead of in front of the app to be started. After fix that it worked as expected for https. Thanks!

[JSMike]

Hi @cjihrig I tried to dig but couldn't figure out the answer.

Does per_process get populated with .npmrc or system environment values? Or can this only be set with the CLI option?

[cjihrig]

You can configure this via the CLI option or NODE_OPTIONS environment variable (search the tests in this PR for NODE_OPTIONS).

[mike503]

It would be great if node responded with an HTTP 413 “Request Header fields too large” (or something similar) is this was encountered instead of behaving like it is crashing (or empty return) or timing out (with nginx in front it will result in a 502/400 based on the node version or a 504 timeout)

[richardlau]

It would be great if node responded with an HTTP 413 “Request Header fields too large” (or something similar) is this was encountered instead of behaving like it is crashing (or empty return) or timing out (with nginx in front it will result in a 502/400 based on the node version or a 504 timeout)

See #25528 and #25605 which changes the response to 431.