On Sat, Mar 9, 2019 at 10:45 AM DHAVAL JAISWAL <dhava...@gmail.com> wrote:
> frontend loadbalancer_mycom
> bind 10.100.22.30:80
> mode http
>
> redirect scheme https if !{ ssl_fc }


If this line is the one that makes the redirect (and exposes the
internal IP in case of HTTP/1.0) then you can't fix it as it's part of
HAProxy internal code.

Perhaps you should use:

  redirect location https://mysite.com%[path] if !{ ssl_fc }


Additionally if you don't know beforehand the name of the domain you
could just deny all requests that don't have the `Host` header like so
(put before the `redirect` statement) (this basically breaks
HTTP/1.0):

  acl has_host req.hdr(Host) -m found
  http-request deny if !has_host
  redirect scheme https ...



[I've also included some other hints based on your config.]

> global
> maxconn 20000 # Total Max Connections. This is dependent on ulimit
> [...]
> defaults
> maxconn 25000

The number from `defaults` should be less than the number in `global`
(I think;  double-check the documentation.)



> nbproc 8 # Number of processing cores. Dual Dual-core Opteron is 4 cores for example.

Perhaps you should move to threads instead of processes, especially in
latest versions of HAProxy.



> log /dev/log local1 info
> log /dev/log local1 notice

Isn't the log duplicated?  (You can use only one line.)



> defaults
> timeout connect 1200000
> timeout client 1200000
> timeout server 1200000
> timeout http-request 1200000
> timeout tarpit 1200000


The timeouts are too "permissive" (2 minutes, especially for `client`
and `http-request`) and would easily allow a DoS attack by just
opening the connection and just idling for 2 minutes or slowly writing
the HTTP request for 2 minutes.



> backend my_cluster_mycom]
> [...]
> fullconn 10000
> #server server0320 10.100.3.20:8080 weight 1 maxconn 512 check cookie t0320 check port 8080 inter 10s rise 3 fall 3 minconn 500 maxconn 3000 maxqueue 300 slowstart 15s
> #server server3320 10.100.33.20:8080 weight 1 maxconn 512 check cookie t3320 check port 8080 inter 10s rise 3 fall 3 minconn 500 maxconn 3000 maxqueue 300 slowstart 15s


You have two `maxconn` in the server lines.  (Although the servers
seem commented...)



> compression algo gzip
> compression type text/html text/plain text/css image/png image/gif image/jpeg application/x-javascript text/xml application/xml application/xhtml+xml application/x application/javascipt image/jpg


I think it's useless to compress images, especially JPEG (but also
perhaps PNG and GIF).



> timeout client 500000


I think you are really opening yourself to a DoS attack.  :)  (~8
minutes is plenty to just eat your connections...)

If you set such large timeouts, then perhaps you should also try to
limit the number of connections per the same IP / network.  (Use stick
tables for this or `iptables` rules.)


Ciprian.
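The hints from the reply above, collected into one hardened configuration. This is an added example, not part of the original thread or of the HAProxy project; the host name `mysite.com`, the thread count, the timeout values and the per-IP thresholds (20 concurrent connections, 50 new connections per 10 s) are assumptions to adjust for real traffic.

```haproxy
global
    maxconn 20000
    # Threads instead of processes (HAProxy 1.8+); the count is an assumption.
    nbthread 8
    # One log line is enough: level 'info' already includes 'notice'.
    log /dev/log local1 info

defaults
    mode http
    log global
    # Keep the defaults/frontend maxconn below the global one.
    maxconn 15000
    # Short client-side timeouts cap how long an idle or slowly written
    # request can hold a connection (values are assumptions).
    timeout connect 5s
    timeout client 30s
    timeout server 60s
    timeout http-request 10s
    timeout tarpit 10s

frontend loadbalancer_mycom
    bind 10.100.22.30:80
    # Per-source-IP accounting: current connections and connection rate.
    stick-table type ip size 100k expire 30s store conn_cur,conn_rate(10s)
    tcp-request connection track-sc0 src
    # Drop sources holding too many connections or opening them too fast
    # (thresholds are assumptions; tune them to observed traffic).
    tcp-request connection reject if { sc_conn_cur(0) gt 20 }
    tcp-request connection reject if { sc_conn_rate(0) gt 50 }
    # Refuse requests without a Host header (this breaks HTTP/1.0 clients),
    # so 'redirect scheme' never falls back to the listening address.
    acl has_host req.hdr(Host) -m found
    http-request deny if !has_host
    redirect scheme https code 301 if !{ ssl_fc }
    # Alternative when the public name is fixed: build the Location from
    # it instead (note that %[path] drops the query string).
    # redirect location https://mysite.com%[path] code 301 if !{ ssl_fc }
    default_backend my_cluster_mycom

backend my_cluster_mycom
    # Compress text only; JPEG, PNG and GIF are already compressed.
    compression algo gzip
    compression type text/html text/plain text/css text/xml application/xml application/javascript
    # A single maxconn per server line.
    server server0320 10.100.3.20:8080 check port 8080 inter 10s rise 3 fall 3 maxconn 500 maxqueue 300 slowstart 15s
```

Validate with `haproxy -c -f <file>` before reloading; the stick-table counters can be inspected at runtime with `show table loadbalancer_mycom` on the stats socket.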
