Protect your web server against slowloris

This configuration is meant to be installed in front of an existing web server that needs some DoS protection. We assume that the web server has been moved to port 8080 on the loopback and that haproxy is listening on port 80. Note that Apache will then see every connection coming from 127.0.0.1, so it has to be configured to take the client's IP address from the X-Forwarded-For header that haproxy adds (mod_rpaf can do that); otherwise logs and per-IP access rules will be useless.

global
    daemon
    maxconn 20000        # count about 1 GB per 20000 connections
    pidfile /var/run/haproxy.pid
    stats socket /var/run/haproxy.stat mode 600

defaults
    mode http
    maxconn 19500        # Should be slightly smaller than global.maxconn.
    timeout client 60s   # Client and server timeout must match the longest
    timeout server 60s   # time we may wait for a response from the server.
    timeout queue  60s   # Don't queue requests too long if saturated.
    timeout connect 4s   # There's no reason to change this one.
    timeout http-request 5s  # A complete request may never take that long.
                             # This is the actual slowloris defence: a client
                             # that has not finished its headers after 5s is
                             # disconnected before it ever reaches Apache.
    # Uncomment the following one to protect against nkiller2. But warning!
    # some slow clients might sometimes receive truncated data if last
    # segment is lost and never retransmitted :
    # option nolinger
    option httpclose
    option abortonclose  # Drop queued requests whose client already gave up.
    balance roundrobin
    option forwardfor    # set the client's IP in X-Forwarded-For.
    retries 2

frontend public
    bind :80             # or any other IP:port combination we listen to.
    default_backend apache

backend apache
    # set the maxconn parameter below to match Apache's MaxClients minus
    # one or two connections so that you can still directly connect to it.
    server srv 127.0.0.1:8080 maxconn 254

# Enable the stats page on a dedicated port (8888). Monitoring request errors
# on the frontend will tell us how many potential attacks were blocked.
listen stats
    # Uncomment "disabled" below to disable the stats page :
    # disabled
    bind       :8888     # bind an admin-only address instead if 8888 is
                         # reachable from the Internet.
    stats uri /

Source : http://haproxy.1wt.eu/download/1.3/examples/antidos.cfg
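Two checks that go with this configuration, as an added example (this is not code from the original page or from the HAProxy project): a probe that behaves like a slowloris client and measures how long the listener tolerates an unfinished request, which against the config above should end at about the 5s of timeout http-request, and a parser for HAProxy's CSV stats that returns the frontend's request-error counter (ereq), the figure the comment above the stats section tells you to watch. The local listener, the host name in the probe and the stats sample are constructed for illustration; the probe assumes a Linux/BSD socket stack.

```python
# Added example (not part of the original page or of HAProxy): two checks
# for the anti-slowloris configuration above. Host names, ports and the
# sample stats output are constructed for illustration.
import csv
import io
import socket
import threading
import time


def slow_header_probe(host, port, interval=1.0, max_wait=30.0):
    """Behave like a slowloris client against host:port.

    Sends a request line and one header, then adds another header every
    `interval` seconds without ever sending the blank line that ends the
    request. Returns (closed_by_server, elapsed_seconds). With the config
    above the listener should close the connection at about
    `timeout http-request 5s`; a server with no such limit keeps it open
    until max_wait and the function returns (False, ~max_wait).
    """
    start = time.monotonic()
    with socket.create_connection((host, port), timeout=interval) as s:
        s.sendall(b"GET / HTTP/1.1\r\nHost: example.test\r\n")  # no final CRLF
        n = 0
        while time.monotonic() - start < max_wait:
            try:
                data = s.recv(1)
            except socket.timeout:
                data = None  # peer still silent: send the next header
            except OSError:
                return True, time.monotonic() - start  # RST from the peer
            if data == b"":
                return True, time.monotonic() - start  # orderly close (FIN)
            if data:
                continue  # peer answered (e.g. a 408); read on until it closes
            n += 1
            try:
                s.sendall(b"X-Slow-%d: still-typing\r\n" % n)
            except OSError:
                return True, time.monotonic() - start
    return False, time.monotonic() - start


def start_cutting_listener(http_request_timeout):
    """Constructed stand-in for the frontend so the probe runs offline:
    accepts one connection and closes it after http_request_timeout seconds,
    complete request or not. Returns (host, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        time.sleep(http_request_timeout)
        conn.close()  # unread bytes are pending, so the kernel sends a RST
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()


# Constructed sample of HAProxy's CSV stats ("show stat" on the stats socket,
# or /;csv on the stats page). Real output has more columns; the parser keys
# on column names, so this subset is enough.
SAMPLE_STATS = (
    "# pxname,svname,qcur,qmax,scur,smax,slim,stot,bin,bout,dreq,dresp,ereq,econ,eresp,status,\n"
    "public,FRONTEND,,,12,350,19500,48211,6013040,90277731,0,0,327,,,OPEN,\n"
    "apache,srv,0,0,12,254,254,47884,6012130,90277731,,0,,0,0,UP,\n"
    "apache,BACKEND,0,0,12,254,19500,47884,6012130,90277731,0,0,,0,0,UP,\n"
    "stats,FRONTEND,,,1,2,19500,9,1200,40000,0,0,0,,,OPEN,\n"
)


def frontend_request_errors(stats_csv, frontend):
    """Return the `ereq` (request errors) counter of one frontend.

    HAProxy counts a request cut short by `timeout http-request` as a
    request error on the frontend, so this number on "public" is how many
    slowloris-style connections were dropped before reaching the backend.
    """
    text = stats_csv.lstrip()
    if text.startswith("# "):
        text = text[2:]  # HAProxy prefixes the header row with "# "
    for row in csv.DictReader(io.StringIO(text)):
        if row["pxname"] == frontend and row["svname"] == "FRONTEND":
            return int(row["ereq"])
    raise KeyError("no frontend named %r in stats" % frontend)


if __name__ == "__main__":
    host, port = start_cutting_listener(http_request_timeout=2.0)
    closed, elapsed = slow_header_probe(host, port, interval=0.5)
    print("closed by server: %s after %.1fs" % (closed, elapsed))
    print("request errors on public:", frontend_request_errors(SAMPLE_STATS, "public"))
```

Against a live instance, call slow_header_probe("127.0.0.1", 80) from a client host and expect (True, ~5.0); if it returns (False, 30.0) the http-request timeout is not in effect. The live CSV comes from `echo "show stat" | socat stdio /var/run/haproxy.stat` (the socket declared in the global section) or from the stats page with ";csv" appended to its URI; feed either to frontend_request_errors(). Counting the attacks haproxy absorbs is what the example's ereq check is for, but the probe also doubles as a negative test: run it against port 8080 directly and Apache, unprotected, will keep the connection open.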
