Add minTLS version and chipher suites

pierDipi · pierDipi · commit 9da1d886e4c9 · 2025-07-18T18:21:02.000+02:00
Signed-off-by: Pierangelo Di Pilato &lt;pierdipi@redhat.com&gt;
diff --git a/cmd/llm-d-routing-sidecar/main.go b/cmd/llm-d-routing-sidecar/main.go
@@ -91,6 +91,9 @@ func main() {
 		CertPath:                    *certPath,
 		PrefillerInsecureSkipVerify: *prefillerInsecureSkipVerify,
 		DecoderInsecureSkipVerify:   *decoderInsecureSkipVerify,
+		EnableSSRFProtection:        *enableSSRFProtection,
+		InferencePoolNamespace:      *inferencePoolNamespace,
+		InferencePoolName:           *inferencePoolName,
 	}
 
 	proxy, err := proxy.NewProxy(*port, targetURL, config)
diff --git a/internal/proxy/connector_nixl.go b/internal/proxy/connector_nixl.go
@@ -90,7 +90,7 @@ func (s *Server) runNIXLProtocolV1(w http.ResponseWriter, r *http.Request, prefi
 	}
 
 	// 2. Forward request to prefiller
-	s.logger.Info("sending request to prefiller", "hostPort", prefillPodHostPort, "body", string(pbody))
+	s.logger.V(5).Info("sending request to prefiller", "hostPort", prefillPodHostPort, "body", string(pbody))
 	pw := &bufferedResponseWriter{}
 	prefillHandler.ServeHTTP(pw, preq)
 
diff --git a/internal/proxy/proxy.go b/internal/proxy/proxy.go
@@ -80,14 +80,14 @@ type Config struct {
 	// DecoderInsecureSkipVerify configure the proxy to skip TLS verification for requests to decoder.
 	DecoderInsecureSkipVerify bool
 
-	// enableSSRFProtection enables SSRF protection.
-	enableSSRFProtection bool
+	// EnableSSRFProtection enables SSRF protection.
+	EnableSSRFProtection bool
 
-	// inferencePoolNamespace InferencePool object namespace.
-	inferencePoolNamespace string
+	// InferencePoolNamespace InferencePool object namespace.
+	InferencePoolNamespace string
 
-	// inferencePoolNamespace InferencePool object name.
-	inferencePoolName string
+	// InferencePoolName InferencePool object name.
+	InferencePoolName string
 }
 
 type protocolRunner func(http.ResponseWriter, *http.Request, string)
@@ -113,7 +113,7 @@ func NewProxy(port string, decodeURL *url.URL, config Config) (*Server, error) {
 	cache, _ := lru.New[string, http.Handler](16) // nolint:all
 
 	// Create SSRF protection validator
-	validator, err := NewAllowlistValidator(config.enableSSRFProtection, config.inferencePoolNamespace, config.inferencePoolName)
+	validator, err := NewAllowlistValidator(config.EnableSSRFProtection, config.InferencePoolNamespace, config.InferencePoolName)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create SSRF protection validator: %w", err)
 	}
@@ -165,7 +165,13 @@ func (s *Server) Start(ctx context.Context) error {
 	// Configure handlers
 	mux := s.createRoutes()
 
-	server := &http.Server{Handler: mux}
+	server := &http.Server{
+		Handler: mux,
+		// No ReadTimeout/WriteTimeout for LLM inference - can take hours for large contexts
+		IdleTimeout:       300 * time.Second, // 5 minutes for keep-alive connections
+		ReadHeaderTimeout: 30 * time.Second,  // Reasonable for headers only
+		MaxHeaderBytes:    1 << 20,           // 1 MB for headers is sufficient
+	}
 
 	// Create TLS certificates
 	if s.config.SecureProxy {
@@ -181,6 +187,15 @@ func (s *Server) Start(ctx context.Context) error {
 		}
 		server.TLSConfig = &tls.Config{
 			Certificates: []tls.Certificate{cert},
+			MinVersion:   tls.VersionTLS12,
+			CipherSuites: []uint16{
+				tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+				tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+				tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+				tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+				tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
+				tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
+			},
 		}
 		logger.Info("server TLS configured")
 	}
@@ -233,6 +248,15 @@ func (s *Server) createRoutes() *http.ServeMux {
 		decoderProxy.Transport = &http.Transport{
 			TLSClientConfig: &tls.Config{
 				InsecureSkipVerify: s.config.DecoderInsecureSkipVerify,
+				MinVersion:         tls.VersionTLS12,
+				CipherSuites: []uint16{
+					tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+					tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+					tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+					tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+					tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
+					tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
+				},
 			},
 		}
 	}
@@ -273,6 +297,15 @@ func (s *Server) prefillerProxyHandler(hostPort string) (http.Handler, error) {
 		newProxy.Transport = &http.Transport{
 			TLSClientConfig: &tls.Config{
 				InsecureSkipVerify: s.config.PrefillerInsecureSkipVerify,
+				MinVersion:         tls.VersionTLS12,
+				CipherSuites: []uint16{
+					tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+					tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+					tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+					tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+					tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
+					tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
+				},
 			},
 		}
 	}

Original file line number	Diff line number	Diff line change
`@@ -91,6 +91,9 @@ func main() {`
`91`	`91`	`CertPath: *certPath,`
`92`	`92`	`PrefillerInsecureSkipVerify: *prefillerInsecureSkipVerify,`
`93`	`93`	`DecoderInsecureSkipVerify: *decoderInsecureSkipVerify,`
	`94`	`+ EnableSSRFProtection: *enableSSRFProtection,`
	`95`	`+ InferencePoolNamespace: *inferencePoolNamespace,`
	`96`	`+ InferencePoolName: *inferencePoolName,`
`94`	`97`	`}`
`95`	`98`
`96`	`99`	`proxy, err := proxy.NewProxy(*port, targetURL, config)`
Original file line number	Diff line number	Diff line change
`@@ -90,7 +90,7 @@ func (s Server) runNIXLProtocolV1(w http.ResponseWriter, r http.Request, prefi`
`90`	`90`	`}`
`91`	`91`
`92`	`92`	`// 2. Forward request to prefiller`
`93`		`- s.logger.Info("sending request to prefiller", "hostPort", prefillPodHostPort, "body", string(pbody))`
	`93`	`+ s.logger.V(5).Info("sending request to prefiller", "hostPort", prefillPodHostPort, "body", string(pbody))`
`94`	`94`	`pw := &bufferedResponseWriter{}`
`95`	`95`	`prefillHandler.ServeHTTP(pw, preq)`
`96`	`96`