hello there,
I have updated my very basic DOS mitigation template to work on 1.5.x,
and I wanted to get your advice on it and do some crowd control on a
basic one that could perhaps feed a wiki or a doc somewhere as the very
basic template for DOS mitigation for 1.5.
My previous templates seem to still work but generate lots of warnings
with the 1.5 final, so here is the one I use in test right now, and all
my simple "ab" tests seem to work with it:
The system is limiting the number of concurrent connections per IP and
the number of HTTP requests per IP per 10s period, with one limit for
static content and a smaller one for dynamic content. If you cross one of
them you are flagged for the rest of the 10s and blocked in the frontend.
After 10s you are open again. I was not really sure about the keep-alive
part, so I use it on both sides for static and client side only for
dynamic. It protects only one server here; it is more of a reference than
a complete config.
frontend ft_http
    mode http
    option httplog
    capture request header Host len 30
    bind 0.0.0.0:80
    bind 0.0.0.0:443 ssl crt /etc/haproxy/ssl/ ciphers HIGH:!aNULL:!MD5
    option http-keep-alive
    timeout client 60s        # maximum client inactivity (while waiting for data from it)
    timeout http-request 5s   # close the connection if the client has not sent its request within the time limit (5 seconds here)
    option forwardfor
    # per-source-IP table: abuse flag (gpc0), request rate over 10s, current connections
    stick-table type ip size 500k expire 30s store gpc0,http_req_rate(10s),conn_cur
    tcp-request connection track-sc1 src
    # an IP already flagged by one of the backends (gpc0 > 0) is refused here
    http-request deny if { src_get_gpc0 gt 0 }
    # Detect an ApacheKiller-like attack
    acl weirdrangehdr hdr_cnt(Range) gt 10
    # Clean up the request
    reqidel ^Range if weirdrangehdr
    acl contenustatique path_end -i .html .gif .png .jpg .jpeg
    use_backend bk_static if contenustatique
    default_backend bk_http

backend bk_http
    mode http
    option http-server-close
    balance roundrobin
    timeout server 3600s      # maximum time to wait for a server response; 3600 for PrestaShop (sic)
    timeout connect 5s        # TCP connection wait time (covers a 3s TCP retransmit)
    option forwardfor
    acl abuse src_http_req_rate(ft_http) ge 1000
    acl concur src_conn_cur(ft_http) ge 30
    # src_inc_gpc0 is only evaluated when the preceding ACL matched, so the IP is flagged as it is denied
    acl flag_abuser src_inc_gpc0(ft_http) gt 0
    http-request deny if concur flag_abuser
    http-request deny if abuse flag_abuser
    server srv 127.0.0.1:8080 maxconn 148 check

backend bk_static
    mode http
    option http-keep-alive
    balance roundrobin
    timeout server 10s
    timeout connect 5s
    option forwardfor
    # higher limits for static content
    acl bigabuse src_http_req_rate(ft_http) ge 2000
    acl bigconcur src_conn_cur(ft_http) ge 60
    acl flag_abuser src_inc_gpc0(ft_http) gt 0
    http-request deny if bigconcur flag_abuser
    http-request deny if bigabuse flag_abuser
    server srv 127.0.0.1:8080 maxconn 148 check
Tell me what you think of it; I hope it helps some people and also generates
some feedback if I made mistakes :)
I have been testing it on 1.5.1.
best regards,
Ghislain.
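Added example, not part of Ghislain's post and not HAProxy code: a small Python simulation of the per-IP tracking the config above sets up, so the frontend/backend interplay can be stepped through offline. It models a stick-table keyed by source IP storing gpc0, a 10s request-rate counter and the current connection count, evicts an entry once it has been untouched for the table's expire time (30s in the config), and applies the same thresholds (1000 requests/10s and 30 connections for dynamic content, 2000 and 60 for static). The request rate is approximated with an exact sliding window; HAProxy's own http_req_rate uses a cheaper two-period estimate, so real counts differ slightly at the boundary. The IPs and paths are constructed sample values.

```python
"""Simulation of the per-IP abuse tracking in the posted HAProxy config.

Constructed example (not HAProxy code). Thresholds and expire values are
taken from the config; the rate counter is an exact sliding-window
approximation of http_req_rate(10s).
"""
from collections import deque
from dataclasses import dataclass, field

RATE_PERIOD = 10.0     # http_req_rate(10s)
TABLE_EXPIRE = 30.0    # stick-table ... expire 30s
LIMITS = {             # (requests per 10s, concurrent connections)
    "dynamic": (1000, 30),   # bk_http: acl abuse / acl concur
    "static": (2000, 60),    # bk_static: acl bigabuse / acl bigconcur
}
STATIC_SUFFIXES = (".html", ".gif", ".png", ".jpg", ".jpeg")  # acl contenustatique


@dataclass
class Entry:
    gpc0: int = 0                    # abuse flag set by src_inc_gpc0
    conn_cur: int = 0                # currently open connections
    requests: deque = field(default_factory=deque)  # request timestamps in window
    last_seen: float = 0.0           # for the expire logic

    def http_req_rate(self, now):
        """Requests seen from this IP in the last RATE_PERIOD seconds."""
        while self.requests and now - self.requests[0] >= RATE_PERIOD:
            self.requests.popleft()
        return len(self.requests)


class StickTable:
    def __init__(self):
        self.entries = {}

    def track(self, ip, now):
        """tcp-request connection track-sc1 src: create or refresh the entry.

        An entry untouched for TABLE_EXPIRE seconds is treated as expired
        and replaced by a fresh one (gpc0 back to 0)."""
        entry = self.entries.get(ip)
        if entry is None or now - entry.last_seen >= TABLE_EXPIRE:
            entry = Entry()
            self.entries[ip] = entry
        entry.last_seen = now
        return entry


def open_connection(table, ip, now):
    table.track(ip, now).conn_cur += 1


def close_connection(table, ip, now):
    entry = table.track(ip, now)
    entry.conn_cur = max(0, entry.conn_cur - 1)


def handle_request(table, ip, now, path):
    """Return 'allow' or 'deny' for one request, in the config's evaluation order."""
    entry = table.track(ip, now)
    # frontend: http-request deny if { src_get_gpc0 gt 0 }
    if entry.gpc0 > 0:
        return "deny"
    entry.requests.append(now)   # the request counts toward the rate before backend ACLs run
    kind = "static" if path.lower().endswith(STATIC_SUFFIXES) else "dynamic"
    rate_limit, conn_limit = LIMITS[kind]
    # backend: deny if concur flag_abuser / deny if abuse flag_abuser.
    # flag_abuser (src_inc_gpc0) is only evaluated when the first ACL matched,
    # so the increment happens exactly when the IP crosses a limit.
    if entry.conn_cur >= conn_limit or entry.http_req_rate(now) >= rate_limit:
        entry.gpc0 += 1
        return "deny"
    return "allow"


def is_flagged(table, ip, now):
    """Whether the frontend would currently refuse this IP."""
    return table.track(ip, now).gpc0 > 0


if __name__ == "__main__":
    table = StickTable()
    open_connection(table, "203.0.113.5", 0.0)      # constructed client IP
    verdicts = [handle_request(table, "203.0.113.5", i * 0.001, "/index.php")
                for i in range(1005)]
    print("first denied request index:", verdicts.index("deny"))   # 999 (the 1000th request)
    print("flagged:", is_flagged(table, "203.0.113.5", 1.1))
```

Running the module shows the 1000th dynamic request within the 10s window being refused and every later request denied at the "frontend" stage; the same table can be driven with `open_connection` to see the concurrency limit trip independently of the rate.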