Would it be possible to add priority-based queuing to haproxy? By this I mean that when a server/backend is full (maxconn), incoming requests would be added to the queue in a custom order. The idea here is, when the system is under stress, to make sure the important requests get handled first.

In our exact use case, we're looking to use this to help mitigate DOS attacks. The idea is that if a layer 7 attack is saturating the backend servers, we can add logic to prioritize the requests. This logic might be things like requests that have a valid application cookie go to the front of the queue, or requests that come from a cloud provider (e.g. EC2) go to the back of the queue.

DOS mitigation is hard because while you can write rules to identify requests that are suspicious, you don't want to block them outright as it is possible they might be legitimate. With prioritization, the requests still get through, and are only affected when the backend is saturated. If maxconn is not reached, the prioritization has no effect at all (since the queue is empty).

I made the change to haproxy and simulated the conditions in a lab, and the strategy appears to work. The change to haproxy was very minor, ~10 lines in queue.c, using `task->nice` as the prioritization key. However, my change is a very rough PoC, and not worthy of submission. So before continuing any further down this route, I wanted to see if this is something that could make it into HAProxy, and what any thoughts on it might be.

-Patrick
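The queuing behaviour described in the message above can be modelled in a few lines. This is an added example, not Patrick's patch or HAProxy code; the `classify` rules, the key values and the tick-based service model are assumptions made for illustration.

```python
import heapq
from itertools import count

def classify(req):
    # Hypothetical rules modelled on the post; lower key is dequeued first.
    if req.get("valid_cookie"):
        return -10
    if req.get("from_cloud"):
        return 10
    return 0

def simulate(requests, maxconn, service_ticks, prioritized):
    """Return {request id: ticks waited in the queue} for arrival-sorted
    (arrival_tick, request) pairs against one backend limited to maxconn."""
    seq = count()            # tie-breaker: FIFO among equal keys
    queue, active, waits = [], [], {}
    tick = i = 0
    while i < len(requests) or queue:
        active = [done for done in active if done > tick]   # free finished slots
        while i < len(requests) and requests[i][0] <= tick:  # enqueue arrivals
            arrival, req = requests[i]
            key = classify(req) if prioritized else 0
            heapq.heappush(queue, (key, next(seq), arrival, req["id"]))
            i += 1
        while queue and len(active) < maxconn:               # dispatch
            _, _, arrival, rid = heapq.heappop(queue)
            waits[rid] = tick - arrival
            active.append(tick + service_ticks)
        tick += 1
    return waits

def sample_traffic():
    # Constructed input: 20 cookieless cloud-sourced requests at tick 0,
    # then one request with a valid application cookie at tick 1.
    flood = [(0, {"id": f"flood-{n}", "from_cloud": True}) for n in range(20)]
    return flood + [(1, {"id": "user", "valid_cookie": True})]

if __name__ == "__main__":
    traffic = sample_traffic()
    for maxconn in (2, 50):
        fifo = simulate(traffic, maxconn, 5, prioritized=False)
        prio = simulate(traffic, maxconn, 5, prioritized=True)
        print(f"maxconn={maxconn}: user waits {fifo['user']} ticks FIFO, "
              f"{prio['user']} ticks prioritized")
```

With the backend saturated (maxconn=2) the cookie-bearing request is dispatched as soon as a slot frees instead of waiting behind the whole backlog; with maxconn=50 the queue never forms and both orderings give identical waits.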

