Jonathan, correct me if I'm wrong but:

The httpchk is sourced from HAProxy as an application-level health check, so how can it be affected by a client request? If a client gets a 404 then HAProxy doesn't really care (it just passes on the 404). I am quite often very wrong though.. :-)

On 7 March 2012 14:40, Jonathan Matthews <[email protected]> wrote:
> Hi all -
>
> It seems to me that there's a trivial DoS available whenever "observe
> layer7" is enabled if, as I'm imagining, the set of acceptable
> response codes for "observe layer7" is derived from those configured
> for the "httpchk".
> Please could someone suggest either what I'm assuming wrongly, or how
> to mitigate against this.
>
> I need to run with the defaults: a health check must not respond with
> a 4xx or 5xx. This is to guard against a back-end server bombing (5xx)
> or someone making a deployment-time error and either removing the
> health check code (404) or perhaps removing the host header
> configuration from the origin server (400). Don't say that last one
> won't happen - it just did ;-)
>
> If I do run in this mode, then (what I perceive as) the lack of
> configurability around the acceptable response codes for "observe
> layer7" means that anyone can DoS me: just repeatedly hit a
> non-existent page and force a 404 to be served, thereby taking my
> back-end servers out, one by one.
>
> What am I missing? Is there a way to say "httpchk must not be 4xx or
> 5xx; observe-layer7 only catches 5xx"?
>
> I'm aware of "observe layer4", of course. This is unhelpful in this
> scenario, as we're vhosting to a single IP on the origin servers. It
> will only guard against the entire HTTPd dying - not a specific vhost
> having problems.
>
> Any ideas?
> Cheers,
> Jonathan
>
> PS Thanks to all involved for HAProxy - an awesome bit of kit :-)
> --
> Jonathan Matthews
> London, UK
> http://www.jpluscplusm.com/contact.html

--
Regards,

Malcolm Turnbull.

Loadbalancer.org Ltd.
Phone: +44 (0)870 443 8779
http://www.loadbalancer.org/
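An added configuration example, not from either poster and not from the HAProxy project, showing how the two mechanisms discussed above are configured separately: the active check (`option httpchk`, tightened with `http-check expect`) and the passive, traffic-driven observation (`observe layer7` with its own `error-limit` and `on-error` settings on the `server` line). The hostname, paths and addresses are made up; `http-check expect` assumes a 1.5-dev or later release, and the `on-error` mode is chosen so that a run of observed errors only fails one health check instead of marking the server down immediately.

```haproxy
# Added example (not from the thread). Hostnames, URIs and addresses are
# invented for illustration.
backend app
    mode http
    balance roundrobin

    # Active check, run by HAProxy itself on a fixed interval. The Host
    # header is sent explicitly so that a deployment that breaks the vhost
    # configuration (400) or removes the health-check handler (404) fails
    # the check, as does any 5xx from the application.
    option httpchk GET /healthcheck HTTP/1.1\r\nHost:\ www.example.com

    # Accept only 200 from the check URL (http-check expect needs
    # HAProxy 1.5-dev or later; without it the default of 2xx/3xx passing
    # applies).
    http-check expect status 200

    # Passive observation of live responses is bounded separately:
    # error-limit sets how many consecutive observed errors it takes to
    # react, and on-error fail-check reacts by failing one active check
    # (and switching to fastinter) rather than marking the server down
    # outright. The server only goes down if "fall" consecutive checks
    # fail, so an error burst from clients costs at most one check.
    server web1 10.0.0.11:80 check inter 2s fall 3 rise 2 observe layer7 error-limit 10 on-error fail-check
    server web2 10.0.0.12:80 check inter 2s fall 3 rise 2 observe layer7 error-limit 10 on-error fail-check
```

The `on-error` alternatives are `fastinter` (the default: just shorten the check interval), `sudden-death` (one more failed check marks the server down) and `mark-down` (mark it down at once); `fail-check` is the middle ground for a setup where the active check is deliberately strict and the passive one should not be allowed to remove a server on its own.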

