Implement HTTP keepalive without killing your apache server

Posted in HAProxy on 2011/03/15 by Hervé COMMOWICK

You can use HAProxy to add HTTP keepalive support to your website without killing your Apache server, because each request is still sent to Apache over its own connection.

frontend public
	bind :80             # or any other IP:port combination we listen to.
	option http-server-close
	default_backend apache
backend apache
	# set the maxconn parameter below to match Apache's MaxClients minus
	# one or two connections so that you can still directly connect to it.
	option http-server-close
	server srv 127.0.0.1:8080 maxconn 254

PS: It works just as well with other HTTP server software.

Send users to the same HTTPS server they used for HTTP

Posted in HAProxy on 2010/02/08 by Hervé COMMOWICK

Use cookie persistence for HTTP, and stick on the source address for HTTPS as well as for HTTP requests that carry no cookie. Both backends share the same stick table.

backend http
    mode http
    balance roundrobin
    stick on src table https
    cookie SRV insert indirect nocache
    server s1 192.168.1.1:80 cookie s1
    server s2 192.168.1.2:80 cookie s2

backend https
    mode tcp
    balance roundrobin
    stick-table type ip size 200k expire 30m
    stick on src
    server s1 192.168.1.1:443
    server s2 192.168.1.2:443

Source : http://haproxy.1wt.eu/download/1.4/doc/configuration.txt

Forward smtp users to the same server they just used for POP3

Posted in HAProxy on 2010/02/08 by Hervé COMMOWICK

This example forwards SMTP users to the same server they used for POP3 within the last 30 minutes.

backend pop
    mode tcp
    balance roundrobin
    stick store-request src
    stick-table type ip size 200k expire 30m
    server s1 192.168.1.1:110
    server s2 192.168.1.2:110

backend smtp
    mode tcp
    balance roundrobin
    stick match src table pop
    server s1 192.168.1.1:25
    server s2 192.168.1.2:25

Source : http://haproxy.1wt.eu/download/1.4/doc/configuration.txt

Protect your web server against slowloris

Posted in HAProxy on 2010/02/05 by Hervé COMMOWICK

This configuration is meant to be installed in front of an existing web server that needs some DoS protection. We assume that the web server has been moved to port 8080 on the loopback, and that haproxy is running on port 80. Note that Apache will have to be configured to get the client’s IP address from the X-Forwarded-For header (mod_rpaf can do that).

global
	daemon
	maxconn 20000        # count about 1 GB per 20000 connections
	pidfile /var/run/haproxy.pid
	stats socket /var/run/haproxy.stat mode 600

defaults
	mode http
	maxconn 19500        # Should be slightly smaller than global.maxconn.
	timeout client 60s   # Client and server timeout must match the longest
	timeout server 60s   # time we may wait for a response from the server.
	timeout queue  60s   # Don't queue requests too long if saturated.
	timeout connect 4s   # There's no reason to change this one.
	timeout http-request 5s	# A complete request may never take that long.
	# Uncomment the following one to protect against nkiller2. But warning!
	# some slow clients might sometimes receive truncated data if last
	# segment is lost and never retransmitted :
	# option nolinger
	option httpclose
	option abortonclose
	balance roundrobin
	option forwardfor    # set the client's IP in X-Forwarded-For.
	retries 2

frontend public
	bind :80             # or any other IP:port combination we listen to.
	default_backend apache

backend apache
	# set the maxconn parameter below to match Apache's MaxClients minus
	# one or two connections so that you can still directly connect to it.
	server srv 127.0.0.1:8080 maxconn 254

# Enable the stats page on a dedicated port (8888). Monitoring request errors
# on the frontend will tell us how many potential attacks were blocked.
listen stats
	# Uncomment "disabled" below to disable the stats page :
	# disabled
	bind       :8888
	stats uri /

Source : http://haproxy.1wt.eu/download/1.3/examples/antidos.cfg

HAProxy to make SSH and SSL available on the same port

Posted in HAProxy on 2010/02/05 by Hervé COMMOWICK

listen ssl :443
  tcp-request inspect-delay 2s
  acl is_ssl req_ssl_ver 2:3.1
  tcp-request content accept if is_ssl
  use_backend ssh if !is_ssl
  server www-ssl :444
  timeout client 2h

backend ssh
  mode tcp
  server ssh :22
  timeout server 2h

This listens on port 443 and forwards the connection to port 444 (where the actual SSL web server is listening) when the first bytes look like SSLv2, SSLv3 or TLSv1 traffic; anything else is forwarded to the ssh backend listening on port 22.

Source : https://dgl.cx/2010/01/haproxy-ssh-and-ssl-on-same-port
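To trace by hand how the listen section above decides between the web server and the ssh backend, here is an added Python example (not part of the original post or of HAProxy): a simplified reimplementation of what the `req_ssl_ver 2:3.1` test looks at in the first bytes of a connection, based on the SSL/TLS record layout rather than HAProxy's source. The sample byte prefixes are constructed, and treating an SSLv2 hello as version 2.0 for the range check is an assumption.

```python
SSLV2 = "sslv2"
NOT_SSL = "not-ssl"
NEED_MORE = "need-more"   # prefix too short to decide: keep waiting (inspect-delay)


def ssl_record_version(data: bytes) -> str:
    """Return "major.minor" for an SSLv3/TLS client_hello record (e.g. "3.1"
    for TLS 1.0), SSLV2 for an SSLv2 CLIENT-HELLO, NOT_SSL or NEED_MORE."""
    if len(data) < 3:
        return NEED_MORE
    if data[0] & 0x80:
        # SSLv2: 2-byte record header with the high bit set, msg type 0x01,
        # then the version bytes (0x0002 for SSL 2.0, 0x03xx for a
        # v2-compatible hello that really offers SSLv3/TLS).
        if len(data) < 5:
            return NEED_MORE
        if data[2] != 0x01:
            return NOT_SSL
        if (data[3], data[4]) == (0, 2):
            return SSLV2
        return f"{data[3]}.{data[4]}" if data[3] == 3 else NOT_SSL
    if data[0] == 0x16 and data[1] == 0x03:
        # SSLv3/TLS: content type 0x16 (handshake), version 3.x, 2-byte
        # length, then handshake type 0x01 (client_hello).
        if len(data) < 6:
            return NEED_MORE
        return f"{data[1]}.{data[2]}" if data[5] == 0x01 else NOT_SSL
    return NOT_SSL


def version_in_range(ver: str, lo=(2, 0), hi=(3, 1)) -> bool:
    """Mimic the ACL range "2:3.1"; SSLv2 is taken as 2.0 (assumption)."""
    if ver in (NOT_SSL, NEED_MORE):
        return False
    v = (2, 0) if ver == SSLV2 else tuple(int(x) for x in ver.split("."))
    return lo <= v <= hi


def choose_backend(data: bytes) -> str:
    """Route like the listen section: SSL -> www-ssl (port 444), else ssh."""
    ver = ssl_record_version(data)
    if ver == NEED_MORE:
        return "wait"            # HAProxy keeps inspecting until the 2s delay
    return "www-ssl" if version_in_range(ver) else "ssh"


# Constructed sample prefixes (first bytes only, not full handshakes).
TLS10_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0x2a, 0x01, 0x00, 0x00, 0x26])
TLS12_HELLO = bytes([0x16, 0x03, 0x03, 0x00, 0x2a, 0x01, 0x00, 0x00, 0x26])
SSLV2_HELLO = bytes([0x80, 0x2e, 0x01, 0x00, 0x02, 0x00, 0x15])
SSH_BANNER = b"SSH-2.0-OpenSSH_5.3\r\n"
```

Note that the range `2:3.1` stops at the TLS 1.0 record version, so a ClientHello whose record-layer version is 3.2 or 3.3 falls outside it and would be routed to ssh; clients that send a 3.1 record version for compatibility still match.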
