Hi all - It seems to me that there's a trivial DoS available whenever "observe layer7" is enabled if, as I'm imagining, the set of acceptable response codes for "observe layer7" is derived from those configured for the "httpchk". Please could someone suggest either what I'm assuming wrongly, or how to mitigate against this.
I need to run with the defaults: a health check must not respond with a 4xx or 5xx. This is to guard against a back-end server bombing (5xx) or someone making a deployment-time error and either removing the health check code (404) or perhaps removing the host header configuration from the origin server (400). Don't say that last one won't happen - it just did ;-)

If I do run in this mode, then (what I perceive as) the lack of configurability around the acceptable response codes for "observe layer7" means that anyone can DoS me: just repeatedly hit a non-existent page and force a 404 to be served, thereby taking my back-end servers out, one by one.

What am I missing? Is there a way to say "httpchk must not be 4xx or 5xx; observe-layer7 only catches 5xx"?

I'm aware of "observe layer4", of course. This is unhelpful in this scenario, as we're vhosting to a single IP on the origin servers. It will only guard against the entire HTTPd dying - not a specific vhost having problems.

Any ideas?

Cheers,
Jonathan

PS Thanks to all involved for HAProxy - an awesome bit of kit :-)

--
Jonathan Matthews
London, UK
http://www.jpluscplusm.com/contact.html

