On 9/21/21 at 6:00 PM, Stefan Behte wrote:
> Hi Christopher,
>
> thank you for the hint, I'm aware of the different ways to mitigate DDoS with
> rate limits etc., I was just curious about the pipelining vector. :)
>
> http://www.haproxy.org/download/2.4/doc/configuration.txt says:
>
> "By default HAProxy operates in keep-alive mode with regards to persistent
> connections: for each connection it processes each request and response, and
> leaves the connection idle on both sides between the end of a response and
> the start of a new request. This mode may be changed by several options such
> as "option http-server-close" or "option httpclose". Setting "option
> http-server-close" enables HTTP connection-close mode on the server side
> while keeping the ability to support HTTP keep-alive and pipelining on the
> client side."
>
> "1.1. The HTTP transaction model" and "timeout http-keep-alive" also mention
> pipelining.

Section 1.1 mainly describes generalities about the HTTP protocol. Only the end
of the section is focused on HAProxy and it is specified that it only supports
keep-alive mode, not pipelining. However, I agree it is pretty confusing
because pipelining is mentioned in the "option http-server-close" and "timeout
http-keep-alive" descriptions.

In fact, the ambiguity comes from the fact that HAProxy does not perform any
HTTP pipelining. But the client is free to send several requests at the same time.
No error will be triggered. However, the requests will be processed one
after the other. Thus, HAProxy does not perform any HTTP pipelining but it does
not forbid it.

> So I guess I did just misunderstand the documentation and it would be nice to
> just clarify it in the docs that haproxy does not support HTTP/1.1 pipelining.

I agree. Pipelining should at least be removed from the "option http-server-close"
description. And section 1.1 should be reworded to be clear on this point.
--
Christopher Faulet
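
The behaviour described in this thread (a client may write several requests at once, no error is raised, and they are handled one after the other) can be modelled with a small keep-alive loop. This is an added example, not HAProxy code or part of the original messages; the function names, the `example.test` host and the three sample requests are constructed for illustration.

```python
import socket
import threading

def read_request(buf):
    """Return (request_line, remaining_bytes) for the first complete request, else None."""
    head, sep, rest = buf.partition(b"\r\n\r\n")
    if not sep:
        return None                      # headers not complete yet
    lines = head.split(b"\r\n")
    length = 0
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            length = int(value.strip())
    if len(rest) < length:
        return None                      # body not complete yet
    return lines[0].decode(), rest[length:]

def serve(conn, log):
    buf = b""
    while True:                          # one request at a time per connection
        parsed = read_request(buf)
        if parsed is None:
            chunk = conn.recv(4096)
            if not chunk:
                break
            buf += chunk
            continue
        request_line, buf = parsed       # later requests stay queued in buf
        log.append(("start", request_line))
        body = request_line.split()[1].encode()
        conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: %d\r\n\r\n%s" % (len(body), body))
        log.append(("done", request_line))
    conn.close()

def demo():
    client, server = socket.socketpair()
    log = []
    worker = threading.Thread(target=serve, args=(server, log))
    worker.start()
    # Constructed sample: three requests written in a single send.
    client.sendall(b"GET /a HTTP/1.1\r\nHost: example.test\r\n\r\n"
                   b"POST /b HTTP/1.1\r\nHost: example.test\r\nContent-Length: 2\r\n\r\nxy"
                   b"GET /c HTTP/1.1\r\nHost: example.test\r\n\r\n")
    client.shutdown(socket.SHUT_WR)
    data = b"".join(iter(lambda: client.recv(4096), b""))  # read until the server closes
    worker.join()
    client.close()
    return log, data
```

Calling `demo()` returns the processing log and the raw response bytes: each request's "start" entry appears only after the previous request's "done", and the responses come back in request order.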