Hi,
Your timeouts are too long:
timeout client 1020000
timeout server 1020000
This one sounds good:
timeout http-request 6000
As far as I understand, your application is not compatible with
slowloris protection :)
cheers
On Tue, Oct 2, 2012 at 12:38 PM, William Lewis <[email protected]> wrote:
> Hi,
>
> I'm trying to protect a clustered webservice written on a java stack from
> slow read http attacks
> (https://community.qualys.com/blogs/securitylabs/2012/01/05/slow-read) by
> configuring haproxy in front of the cluster to protect it.
>
> I'm having some difficulty crafting the correct options and hope someone can
> provide some suggestions.
>
>
> Things to note:
>
> * The service is consumed by mobile devices from differing quality gsm to
> wifi networks globally
> * Groups of devices might originate from the same ip address, carrier
> proxies or opera / blackberry proxies
> * The service makes use of comet style long polling requests to push
> updates to the client, and so has a long connection timeout
>
>
> This is my base config
>
>
> global
> daemon
> quiet
> maxconn 200000
> pidfile /local/haproxy/haproxy.pid
> uid 60003
> gid 1001
> chroot /local/haproxy
> log 127.0.0.1 local0
> log 127.0.0.1 local1 notice
> log-tag wapproxy
>
> defaults
> log global
>
> balance roundrobin
> mode http
> monitor-uri /wapproxy
> http-check send-state
> rate-limit sessions 200
>
> retries 3
>
> timeout connect 6000
> timeout client 1020000
> timeout server 1020000
> timeout http-request 6000
>
> option abortonclose
> option forwardfor except 127.0.0.1
> option http-pretend-keepalive
> option http-server-close
> option httplog
> option log-health-checks
> option log-separate-errors
> option redispatch
> option tcpka
> option splice-auto
>
> errorfile 200 /local/haproxy/errorfiles/200.http
> errorfile 400 /local/haproxy/errorfiles/400.http
> errorfile 403 /local/haproxy/errorfiles/403.http
> errorfile 408 /local/haproxy/errorfiles/408.http
> errorfile 500 /local/haproxy/errorfiles/500.http
> errorfile 502 /local/haproxy/errorfiles/502.http
> errorfile 503 /local/haproxy/errorfiles/503.http
>
> frontend external
> bind *:9000
> bind 127.0.0.1:10000
>
> capture request header User-agent len 45
> capture request header X-Forwarded-For len 15
> capture response header Location len 20
>
> acl is_secure dst_port eq 10000
>
> # Remove X-Proto header added from any external source
> reqidel ^X-Proto:.*
> # Presence of X-Proto: SSL header now genuinely indicates we have received communication on SSL
> reqadd X-Proto:\ SSL if is_secure
>
> default_backend wap
>
> backend wap
>
> cookie session prefix
>
> server serv1 wap1:8081 cookie A check inter 5000 maxconn 10000
> server serv2 wap2:8081 cookie B check inter 5000 maxconn 10000
>
>
>
> Thanks in advance for any help.
>
> Will
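A tightened version of the quoted configuration, added here as an illustration and not part of either message in the thread. It keeps the reply's two points (the 1020000 ms client/server timeouts defeat slow-read protection; 6000 ms on `timeout http-request` is reasonable) and goes one step further by moving the long-poll traffic to its own backend so that only the wait for the server's response is long. Assumptions: HAProxy 1.5-or-later syntax (the 2012 post is most likely 1.4, where `track-sc0`/`src_conn_cur` are unavailable), a long-poll endpoint under the path `/poll` (not named on the page), and a per-source connection ceiling of 500 chosen arbitrarily to leave room for carrier and Opera/BlackBerry proxies. The cookie, logging, errorfile and X-Proto lines from the original are omitted for brevity, not because they are wrong.

```haproxy
defaults
    mode http
    # Bare numbers are milliseconds; s/m/h suffixes are accepted.
    timeout connect         5s
    # Slow-headers (slowloris) protection: the complete request header must
    # arrive within this window, otherwise HAProxy answers 408 and closes.
    timeout http-request    6s
    # Slow-read protection: a client that stops acknowledging data for this
    # long is dropped. 1020000 ms (17 minutes) removes that protection.
    timeout client          30s
    timeout server          30s
    timeout http-keep-alive 5s

frontend external
    bind *:9000
    # Cap concurrent connections per source address. Proxies aggregate many
    # handsets, so the limit (500, assumed) is deliberately generous.
    stick-table type ip size 200k expire 60s store conn_cur
    tcp-request connection track-sc0 src
    tcp-request connection reject if { src_conn_cur ge 500 }

    # Only the long-poll endpoint (assumed path /poll) gets the long backend
    # wait; every other request keeps the short defaults above.
    acl is_longpoll path_beg /poll
    use_backend wap_longpoll if is_longpoll
    default_backend wap

backend wap
    server serv1 wap1:8081 check inter 5000 maxconn 10000
    server serv2 wap2:8081 check inter 5000 maxconn 10000

backend wap_longpoll
    # Override only the server-side inactivity timeout for comet requests.
    # timeout client is inherited unchanged (30s), so a slow reader is still
    # cut off once the response starts flowing.
    timeout server 17m
    server serv1 wap1:8081 check inter 5000 maxconn 10000
    server serv2 wap2:8081 check inter 5000 maxconn 10000
```

The split works because, as the HAProxy manual describes it, `timeout client` counts only while the client is expected to send or acknowledge data, and `timeout server` only while the server is; a comet request parked on `wap_longpoll` therefore waits up to 17 minutes for the backend without loosening the client-side timeout that slow-read protection depends on. Whether this is acceptable still depends on how large the comet responses are relative to HAProxy's buffer: a response that fits in the buffer frees the Java worker as soon as HAProxy has read it, while a larger one is streamed and the worker stays busy until the client finishes reading.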