Hi,
Is there a timeout setting in HAProxy that can help protect against slow
HTTP POST queries?
I'm not talking about "slow loris" type attacks (where the client sleeps
between request headers) but "slow HTTP POST" (where the client sleeps
between POST data lines).
Here is an example:
- Test 1:
root@proxy1>: telnet localhost 85
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
POST /test HTTP/1.1
Host: host.domain.com
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Content-Type: application/json; charset=utf-8
Content-Length: 1234
test
<<wait 30 seconds>>
HTTP/1.1 408 Request Time-out
Date: Wed, 03 Feb 2016 13:03:30 GMT
Content-Length: 223
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>408 Request Time-out</title>
</head><body>
<h1>Request Time-out</h1>
<p>Server timeout waiting for the HTTP request from the client.</p>
</body></html>
Connection closed by foreign host.
- Test 2:
Here we send the POST body very slowly (line by line, wait 10 seconds
between each line).
root@proxy1>: telnet localhost 85
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
POST /test HTTP/1.1
Host: host.domain.com
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Content-Type: application/json; charset=utf-8
Content-Length: 1234
test
<<wait 10 seconds>>
test
<<wait 10 seconds>>
test
<<wait 10 seconds>>
test
<<wait 10 seconds>>
test
<<wait 10 seconds>>
test
<<wait 10 seconds>>
test
<<wait 30 seconds>>
Connection closed by foreign host.
In each case, the HAProxy log shows termination flags "SD--", which means the
application server closed the connection.
So, the app server times out after 30 seconds, but this duration is reset
each time the client sends data in the POST body.
Is there an option to set a timeout on this part of the request? It
should be similar to "timeout http-request" but work against the request
body, instead of the request headers.
We already have these settings, but none of them seems to act against
HTTP POST content (I was able to stay connected while sending HTTP POST
content for 5+ minutes):
timeout connect 5s
timeout http-request 12s
timeout queue 180s
timeout client 180s
timeout server 180s
timeout http-keep-alive 10s
timeout tarpit 30s
Best regards,
Sylvain
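
Added example, not part of the original post: a small Python replay of the two telnet tests above, comparing a timeout that is re-armed by every body chunk with a fixed deadline for the whole body. The function names, the 6-byte line size ("test" plus CRLF) and the 12-second deadline (borrowed from the "timeout http-request" value above) are assumptions made for illustration.

```python
# Added example: models timer behaviour only, it opens no connections.
# Times are seconds since the end of the request headers.

LINE = 6               # assumed size of one telnet line: b"test\r\n"
CONTENT_LENGTH = 1234  # from the Content-Length header in both tests
IDLE_TIMEOUT = 30      # observed app-server timeout in Test 1

# Constructed timelines matching the two tests in the post.
TEST1 = [(0, LINE)]                                 # one line, then silence
TEST2 = [(10 * i, LINE) for i in range(7)]          # seven lines, 10 s apart
# Same pacing as Test 2, continued until the declared body is complete.
FULL = [(10 * i, LINE) for i in range(CONTENT_LENGTH // LINE + 1)]


def next_expiry(last_activity, idle_timeout, body_deadline):
    """Earliest timer to fire if no more data arrives: (time_s, reason)."""
    timers = [(last_activity + idle_timeout, "idle timeout")]
    if body_deadline is not None:
        # Absolute limit for the whole body; never re-armed by incoming data.
        timers.append((body_deadline, "body deadline"))
    return min(timers)


def replay(chunks, content_length, idle_timeout, body_deadline=None):
    """Replay (arrival_s, size) body chunks; return (time_s, reason) of the end."""
    received, last_activity = 0, 0
    for arrival, size in chunks:
        expiry = next_expiry(last_activity, idle_timeout, body_deadline)
        if arrival >= expiry[0]:
            return expiry              # a timer fired before this chunk arrived
        received += size
        last_activity = arrival        # the idle timer is re-armed here
        if received >= content_length:
            return (arrival, "body complete")
    return next_expiry(last_activity, idle_timeout, body_deadline)


if __name__ == "__main__":
    for name, chunks in (("Test 1", TEST1), ("Test 2", TEST2), ("Full body", FULL)):
        idle_only = replay(chunks, CONTENT_LENGTH, IDLE_TIMEOUT)
        with_deadline = replay(chunks, CONTENT_LENGTH, IDLE_TIMEOUT, body_deadline=12)
        print(f"{name}: idle only -> {idle_only}, with deadline -> {with_deadline}")
```

With only the re-armed timer, the 1234-byte body sent at the Test 2 pace keeps the connection open for 2050 seconds; with the fixed deadline every timeline ends by second 12.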