On Thu, Feb 4, 2016 at 9:44 AM, Sylvain Faivre <[email protected]> wrote:
> Hi,
>
> Is there a timeout setting in HAproxy that can help protect against slow
> HTTP POST queries ?
>
> I'm not talking about "slow loris" type attacks (where the client sleeps
> between request headers) but "slow HTTP POST" (where the client sleeps
> between POST data lines).
>
> Here is an example :
>
> - Test 1 :
>
> root@proxy1>: telnet localhost 85
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> POST /test HTTP/1.1
> Host: host.domain.com
> User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
> Content-Type: application/json; charset=utf-8
> Content-Length: 1234
>
> test
>
> <<wait 30 seconds>>
>
> HTTP/1.1 408 Request Time-out
> Date: Wed, 03 Feb 2016 13:03:30 GMT
> Content-Length: 223
> Content-Type: text/html; charset=iso-8859-1
>
> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
> <html><head>
> <title>408 Request Time-out</title>
> </head><body>
> <h1>Request Time-out</h1>
> <p>Server timeout waiting for the HTTP request from the client.</p>
> </body></html>
> Connection closed by foreign host.
>
>
> - Test 2 :
>
> Here we send the POST body very slowly (line by line, wait 10 seconds
> between each line).
>
> root@proxy1>: telnet localhost 85
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> POST /test HTTP/1.1
> Host: host.domain.com
> User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
> Content-Type: application/json; charset=utf-8
> Content-Length: 1234
>
> test
> <<wait 10 seconds>>
> test
> <<wait 10 seconds>>
> test
> <<wait 10 seconds>>
> test
> <<wait 10 seconds>>
> test
> <<wait 10 seconds>>
> test
> <<wait 10 seconds>>
> test
> <<wait 30 seconds>>
> Connection closed by foreign host.
>
>
> In each case, HAproxy log shows termination flags "SD--" which means the
> application server closed the connection.
>
> So, the app server timeouts after 30 seconds, but this duration is reset
> each time the client sends data in the POST body.
>
> Is there an option to set a timeout on this part of the request ? It should
> be similar to "timeout http-request" but work against the request body,
> instead of the request headers.
>
> We already have these settings, but none of them seems to act against HTTP
> POST content (I was able to stay connected while sending HTTP POST content
> for 5+ minutes) :
>
> timeout connect 5s
> timeout http-request 12s
> timeout queue 180s
> timeout client 180s
> timeout server 180s
> timeout http-keep-alive 10s
> timeout tarpit 30s
>
>
> Best regards,
>
> Sylvain
>

Hi,

please run the same test against HAProxy 1.6 and enable "option buffer-http-request":
http://cbonte.github.io/haproxy-dconv/snapshot/configuration-1.6.html#4-option%20http-buffer-request

Then your timeout http-request will also match the POSTed data.

Baptiste
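
As an added example, not part of either message: a small Python check that reads an HAProxy configuration and lists the frontend/listen sections where "timeout http-request" would not apply to the request body. It uses the option name as spelled in the linked documentation anchor (option http-buffer-request); the function names, section names and sample configuration are constructed for illustration, and the inheritance handling is simplified as noted in the comments.

```python
# Added example (not from the thread): list HAProxy frontend/listen sections
# where "timeout http-request" does not cover a slowly sent POST body.
# Assumptions: all proxies are "mode http"; only the nearest preceding
# "defaults" section is inherited; backend-level settings are ignored.
SECTION_KEYWORDS = {"global", "defaults", "frontend", "backend", "listen"}

def parse_sections(cfg_text):
    """Return [(kind, name, settings)] for each section, in file order."""
    sections = []
    for raw in cfg_text.splitlines():
        words = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if words and words[0] in SECTION_KEYWORDS:
            sections.append((words[0], " ".join(words[1:2]), {}))
        elif words and sections:
            settings = sections[-1][2]
            if words[:2] == ["timeout", "http-request"] and len(words) > 2:
                settings["timeout"] = words[2]
            elif words[:2] == ["option", "http-buffer-request"]:
                settings["buffer"] = True
            elif words[:3] == ["no", "option", "http-buffer-request"]:
                settings["buffer"] = False
    return sections

def body_timeout_gaps(cfg_text):
    """Map section name -> reason, for sections open to slow request bodies."""
    gaps, defaults = {}, {}
    for kind, name, settings in parse_sections(cfg_text):
        if kind == "defaults":
            defaults = settings
        elif kind in ("frontend", "listen"):
            effective = {**defaults, **settings}  # section overrides defaults
            if "timeout" not in effective:
                gaps[name] = "no timeout http-request"
            elif not effective.get("buffer"):
                gaps[name] = "timeout http-request covers headers only"
    return gaps

# Constructed sample; the 12s value is the one quoted in the thread.
SAMPLE_CFG = """
defaults
    mode http
    timeout http-request 12s
frontend fe_plain
    bind :85
frontend fe_buffered
    bind :86
    option http-buffer-request
"""
if __name__ == "__main__":
    print(body_timeout_gaps(SAMPLE_CFG))
```

With the option enabled, HAProxy waits for the body only until the whole body has arrived or the request buffer is full, so the timeout covers at most that first buffer's worth of POST data.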

