And now I've re-read the section about what "observe layer 7" actually does so I am almost certainly talking rubish....
On 7 March 2012 21:29, Malcolm Turnbull <[email protected]> wrote: > Jonathan, > > Correct me if I'm wrong but: > > The httpchk is sourced from HAProxy as an application level health > check so how can it be effected by a client request? > If a client gets a 404 then HAProxy doesn't really care (it just > passes on the 404). > > I am quite often very wrong though.. :-). > > > > > On 7 March 2012 14:40, Jonathan Matthews <[email protected]> wrote: >> Hi all - >> >> It seems to me that there's a trivial DoS available whenever "observe >> layer7" is enabled if, as I'm imagining, the set of acceptable >> response codes for "observe layer7" is derived from those configured >> for the "httpchk". >> Please could someone suggest either what I'm assuming wrongly, or how >> to mitigate against this. >> >> I need to run with the defaults: a health check must not respond with >> a 4xx or 5xx. This is to guard against a back-end server bombing (5xx) >> or someone making a deployment-time error and either removing the >> health check code (404) or perhaps removing the host header >> configuration from the origin server (400). Don't say that last one >> won't happen - it just did ;-) >> >> If I do run in this mode, then (what I perceive as) the lack of >> configurability around the acceptable response codes for "observe >> layer7" means that anyone can DoS me: just repeatedly hit a >> non-existent page and force a 404 to be served, thereby taking my >> back-end servers out, one by one. >> >> What am I missing? Is there a way to say "httpchk must not be 4xx or >> 5xx; observe-layer7 only catches 5xx"? >> >> I'm aware of "observe layer4", of course. This is unhelpful in this >> scenario, as we're vhosting to a single IP on the origin servers. It >> will only guard against the entire HTTPd dying - not a specific vhost >> having problems. >> >> Any ideas? >> Cheers, >> Jonathan >> >> PS Thanks to all involved for HAProxy - an awesome bit of kit :-) >> -- >> Jonathan Matthews >> London, UK >> http://www.jpluscplusm.com/contact.html >> > > > > -- > Regards, > > Malcolm Turnbull. > > Loadbalancer.org Ltd. > Phone: +44 (0)870 443 8779 > http://www.loadbalancer.org/ -- Regards, Malcolm Turnbull. Loadbalancer.org Ltd. Phone: +44 (0)870 443 8779 http://www.loadbalancer.org/
