Thanks for the tip!

On Sat, Mar 9, 2019 at 2:51 PM Ciprian Dorin Craciun <[email protected]> wrote:

> On Sat, Mar 9, 2019 at 10:45 AM DHAVAL JAISWAL <[email protected]> wrote:
> > frontend loadbalancer_mycom
> > bind 10.100.22.30:80
> > mode http
> >
> > redirect scheme https if !{ ssl_fc }
>
> If this line is the one that makes the redirect (and exposes the
> internal IP in case of HTTP/1.0) then you can't fix it as it's part of
> HAProxy internal code.
>
> Perhaps you should use:
>
> redirect location https://mysite.com%[path] if !{ ssl_fc }
>
> Additionally if you don't know beforehand the name of the domain you
> could just deny all requests that don't have the `Host` header like so
> (put before the `redirect` statement) (this basically breaks
> HTTP/1.0):
>
> acl has_host req.hdr(Host) -m found
> http-request deny if !has_host
> redirect scheme https ...
>
> [I've also included some other hints based on your config.]
>
> > global
> > maxconn 20000 # Total Max Connections. This is dependent on ulimit
> > [...]
> > defaults
> > maxconn 25000
>
> The number from `defaults` should be less than the number in `global`
> (I think; double-check the documentation.)
>
> > nbproc 8 # Number of processing cores. Dual Dual-core Opteron is 4 cores for example.
>
> Perhaps you should move to threads instead of processes, especially in
> latest versions of HAProxy.
>
> > log /dev/log local1 info
> > log /dev/log local1 notice
>
> Isn't the log duplicated? (You can use only one line.)
>
> > defaults
> > timeout connect 1200000
> > timeout client 1200000
> > timeout server 1200000
> > timeout http-request 1200000
> > timeout tarpit 1200000
>
> The timeouts are too "permissive" (2 minutes, especially for `client`
> and `http-request`) and would easily allow a DoS attack by just
> opening the connection and just idling for 2 minutes or slowly writing
> the HTTP request for 2 minutes.
>
> > backend my_cluster_mycom]
> > [...]
> > fullconn 10000
> > #server server0320 10.100.3.20:8080 weight 1 maxconn 512 check cookie t0320 check port 8080 inter 10s rise 3 fall 3 minconn 500 maxconn 3000 maxqueue 300 slowstart 15s
> > #server server3320 10.100.33.20:8080 weight 1 maxconn 512 check cookie t3320 check port 8080 inter 10s rise 3 fall 3 minconn 500 maxconn 3000 maxqueue 300 slowstart 15s
>
> You have two `maxconn` in the server lines. (Although the servers
> seem commented...)
>
> > compression algo gzip
> > compression type text/html text/plain text/css image/png image/gif image/jpeg application/x-javascript text/xml application/xml application/xhtml+xml application/x application/javascript image/jpg
>
> I think it's useless to compress images, especially JPEG (but also
> perhaps PNG and GIF).
>
> > timeout client 500000
>
> I think you are really opening yourself to a DoS attack. :) (~8
> minutes is plenty to just eat your connections...)
>
> If you set such large timeouts, then perhaps you should also try to
> limit the number of connections per the same IP / network. (Use stick
> tables for this or `iptables` rules.)
>
> Ciprian.

--
Thanks & Regards
Dhaval Jaiswal
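The hints in Ciprian's reply (explicit redirect target, refusing requests without a Host header, shorter timeouts, threads instead of processes, one log line, and per-source limits via a stick table) pulled together into one frontend, as an added example written for this thread and not a configuration posted by either participant. The host name mysite.com, the backend name, the thresholds (50 concurrent connections, 100 requests per 10 seconds per source IP) and the timeout values are assumptions to be tuned for the real deployment.

```haproxy
global
    # One log line is enough; the second "local1 notice" line only duplicated output.
    log /dev/log local1 info
    maxconn 20000
    # Threads instead of processes (nbproc) on HAProxy 1.8 and later.
    nbthread 8

defaults
    mode http
    log global
    option httplog
    # Short timeouts: an idle or slowly written request is cut off in seconds, not minutes.
    timeout connect 5s
    timeout client 30s
    timeout server 30s
    timeout http-request 10s
    timeout http-keep-alive 5s
    timeout tarpit 15s
    # Kept below the global maxconn.
    maxconn 19000

# Stick table used only to hold per-source-IP counters (assumed name st_src).
backend st_src
    stick-table type ip size 100k expire 60s store conn_cur,http_req_rate(10s)

frontend loadbalancer_mycom
    bind 10.100.22.30:80

    # Track each request by source address in the table above.
    http-request track-sc0 src table st_src
    # Refuse sources holding too many open connections or sending too fast
    # (assumed thresholds: 50 concurrent connections, 100 requests per 10s).
    http-request deny if { sc_conn_cur(0) gt 50 }
    http-request deny if { sc_http_req_rate(0) gt 100 }

    # Requests with no Host header (HTTP/1.0 without Host) are refused before the
    # redirect, so HAProxy never has to fall back to the bind address when building
    # the Location header.
    acl has_host req.hdr(Host) -m found
    http-request deny if !has_host

    # Redirect to a fixed host name instead of echoing whatever the connection saw.
    http-request redirect location https://mysite.com%[path] code 301 if !{ ssl_fc }

    default_backend my_cluster_mycom
```

Two caveats a practitioner should check before copying this: `%[path]` carries only the path, so any query string is dropped by the redirect; `%[capture.req.uri]` preserves it. And the Host-header deny rule sits after the rate-limit rules on purpose, so that a flood of header-less HTTP/1.0 requests still counts against the source's rate before it is refused.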

