Hi,

Is there a timeout setting in HAProxy that can help protect against slow HTTP POST queries?

I'm not talking about "slow loris" type attacks (where the client sleeps between request headers) but "slow HTTP POST" (where the client sleeps between POST data lines).

Here is an example:

- Test 1 :

root@proxy1>: telnet localhost 85
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
POST /test HTTP/1.1
Host: host.domain.com
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Content-Type: application/json; charset=utf-8
Content-Length: 1234

test

<<wait 30 seconds>>

HTTP/1.1 408 Request Time-out
Date: Wed, 03 Feb 2016 13:03:30 GMT
Content-Length: 223
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>408 Request Time-out</title>
</head><body>
<h1>Request Time-out</h1>
<p>Server timeout waiting for the HTTP request from the client.</p>
</body></html>
Connection closed by foreign host.


- Test 2 :

Here we send the POST body very slowly (line by line, wait 10 seconds between each line).

root@proxy1>: telnet localhost 85
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
POST /test HTTP/1.1
Host: host.domain.com
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Content-Type: application/json; charset=utf-8
Content-Length: 1234

test
<<wait 10 seconds>>
test
<<wait 10 seconds>>
test
<<wait 10 seconds>>
test
<<wait 10 seconds>>
test
<<wait 10 seconds>>
test
<<wait 10 seconds>>
test
<<wait 30 seconds>>
Connection closed by foreign host.


In each case, the HAProxy log shows termination flags "SD--", which means the application server closed the connection.

So, the app server times out after 30 seconds, but this duration is reset each time the client sends data in the POST body.

Is there an option to set a timeout on this part of the request? It should be similar to "timeout http-request" but work against the request body, instead of the request headers.

We already have these settings, but none of them seems to act against HTTP POST content (I was able to stay connected while sending HTTP POST content for 5+ minutes):

    timeout connect             5s
    timeout http-request        12s
    timeout queue               180s
    timeout client              180s
    timeout server              180s
    timeout http-keep-alive     10s
    timeout tarpit              30s


Best regards,

Sylvain
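
An added configuration example, not part of the original message: in HAProxy 1.6 and later, `option http-buffer-request` makes HAProxy wait for the request body before passing the request on, and `timeout http-request` then covers the body as well as the headers. The frontend, backend and server names, the second bind port and the server address are assumptions made for illustration.

```haproxy
# Added example. Assumes HAProxy 1.6 or later.
# All section names, port 86 and the server address are hypothetical.

defaults
    mode http
    timeout connect         5s
    timeout queue           180s
    timeout client          180s
    timeout server          180s
    timeout http-keep-alive 10s
    timeout tarpit          30s

# Before: "timeout http-request" stops counting as soon as the empty
# line that ends the headers is received. After that, only the
# inactivity timers ("timeout client" here, and whatever the app
# server enforces) apply, and they restart on every received byte,
# so a body sent one line every 10 seconds is never cut off.
frontend fe_headers_only
    bind :85
    timeout http-request 12s
    default_backend be_app

# After: with "option http-buffer-request", HAProxy holds the request
# until the body has arrived or the request buffer is full, and
# "timeout http-request" bounds that wait. A 1234-byte body like the
# one in the tests has to arrive within 12 seconds of the request
# starting, however the client spaces its writes.
frontend fe_headers_and_body
    bind :86
    option http-buffer-request
    timeout http-request 12s
    default_backend be_app

backend be_app
    server app1 127.0.0.1:8080
```

The wait covers only what fits in one request buffer (`tune.bufsize`, 16384 bytes by default); once the buffer is full, the rest of a larger body is forwarded under the normal inactivity timeouts.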
