I have been having some problems with my HAProxy configuration. I have been trying to make it more resistant to high server load and denial of service. I thought it was working well, however, until I suddenly became the victim of a (D)DoS attack - HAProxy reported the backend as down, even though I could still reach it normally through the direct port.
Could someone check my HAProxy config to see whether there is something I have got wrong, or why this would happen? I can't seem to understand why this is happening.
Thanks in advance (and, of course, afterwards too).
global
    # Global Max Connections
    maxconn 20000
    # Various Other Settings
    pidfile /var/run/haproxy.pid
    stats socket /var/run/haproxy.stat mode 600 level admin
    stats timeout 5m
    chroot /usr/share/haproxy
    daemon
    # User Settings
    user haproxy
    group haproxy

defaults
    # Default configuration settings for Haproxy
    retries 2
    maxconn 19500
    timeout server 10s
    timeout client 10s
    timeout queue 10s
    timeout connect 10s
    timeout http-request 10s
    # Error files
    errorfile 503 /etc/phpconf/haErrors/503.http

frontend Connection_Handler
    default_backend Primary
    bind :80
    mode http
    option forwardfor
    option http-server-close
    maxconn 20000
    # Check if cookie exists
    #acl cookie_set hdr_sub(cookie) authorized=1
    # If cookie doesn't exist try and set it
    #redirect prefix * set-cookie authorized=1 if !cookie_set
    # If the cookie is still not set, send it to blocked backend
    #use_backend Cookie_Block if !cookie_set
    ## (D)DoS Mitigation ##
    # Setup stick table: one entry per source IP, holding the gpc0 abuse counter
    stick-table type ip size 1m expire 10m store gpc0
    # Configure the DoS src: any IP whose gpc0 counter has been incremented
    acl src_DoS src_get_gpc0(Connection_Handler) gt 0
    # Use DoS tarpit if src_DoS
    use_backend DoS_Tarpit if src_DoS
    # If not blocked, track the connection in this frontend's table (sc1)
    tcp-request connection track-sc1 src if ! src_DoS

listen Statistics_Engine
    mode http
    bind XX.XXX.XX.XX:9012
    stats enable
    stats uri /admin?stats=true
    stats auth admin:Password
    stats hide-version
    stats refresh 2s
    #stats scope # Add this option to provide stats for a singular backend

backend Primary
    # Option Configs
    option httpclose
    option redispatch
    option abortonclose
    ## (D)DoS Mitigation ##
    # The following table is recording the IP, connection rate and bytes out rate
    # (bytes_out_rate added to the store list so the data_rate_abuse ACL below has data to read)
    stick-table type ip size 200k expire 10s store conn_rate(5s),bytes_out_rate(5s)
    # Track request and enforce rules (sc2 = this backend's table)
    tcp-request content track-sc2 src
    # Mark as abuse if exceeding connection rate
    acl conn_rate_abuse sc2_conn_rate gt 80
    # Mark as abuse if over X bytes
    acl data_rate_abuse sc2_bytes_out_rate gt 200000
    # Set ACL rule to enforce on frontend: sc1_inc_gpc0 increments the frontend
    # table's counter for this IP (and is true whenever sc1 is tracked), so the
    # next connection from that IP matches src_DoS in Connection_Handler
    acl mark_as_DoS sc1_inc_gpc0 gt 0
    # Block connections marked as DoS; ACL terms are evaluated left to right, so
    # the counter is only incremented when conn_rate_abuse already matched
    tcp-request content reject if conn_rate_abuse mark_as_DoS
    #tcp-request content reject if data_rate_abuse mark_as_DoS
    # Configure Server
    mode http
    option forwardfor
    # Note: the health check targets 127.0.0.1:80, which falls inside the
    # frontend's "bind :80"; verify that this address is answered by the web
    # server and not by HAProxy itself
    server Primary_HTTP 0.0.0.0:1080 check addr 127.0.0.1 port 80 inter 3000 rise 2 fall 3 maxconn 20000
    #fullconn 1024

backend Conn_Tarpit
    # Tarpit for connections
    mode http
    timeout tarpit 20s
    # reqitarpit/reqdeny are the pre-2.1 syntax; HAProxy 2.1 and later use
    # "http-request tarpit" and "http-request deny" instead
    reqitarpit .
    errorfile 503 /etc/phpconf/haErrors/tarpit_503.txt

backend Cookie_Block
    # Block connections that will not take on a cookie
    mode http
    reqdeny .
    errorfile 503 /etc/phpconf/haErrors/503_cookie.txt

backend DoS_Tarpit
    # Tarpit for suspected attacks
    log 127.0.0.1 local1 info
    timeout tarpit 10s # Tarpit for 10 seconds
    errorfile 500 /etc/phpconf/haErrors/500_DoS.txt
    mode http
    reqitarpit .
Answer 1
I don't see anything obviously wrong in your configuration, and you seem to have tuned the settings correctly (especially maxconn). Is conntrack loaded on this machine? The connection table may be full, which would block the health checks and the connections to the server.
Also, have you checked how many concurrent connections are being sent to the server? The server may be flapping up and down because of the load.
Check the kernel log messages for any unexpected errors.
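Added example, not part of the original post or of HAProxy itself: a small POSIX shell script that carries out the three checks the answer recommends, so a full conntrack table, a backend flapping under concurrent load, and conntrack errors in the kernel log can be told apart. The conntrack counters under /proc/sys/net/netfilter/, the use of socat against the /var/run/haproxy.stat socket declared in the posted config, and all sample data are assumptions or constructed input; the parsing is written as functions over plain text so the script also runs on the constructed samples where no live source exists.

```shell
#!/bin/sh
# Added diagnostic helper for the checks suggested in the answer; not from the
# original post or from HAProxy. Assumptions: Linux conntrack counters live under
# /proc/sys/net/netfilter/, the HAProxy stats socket is /var/run/haproxy.stat
# (from the posted config), and socat is installed for talking to it.

# Percentage of the conntrack table in use, from nf_conntrack_count and _max.
conntrack_pct() {
    count=$1
    max=$2
    [ "$max" -gt 0 ] || { echo 0; return 0; }
    echo $(( count * 100 / max ))
}

# Extract one field from HAProxy "show stat" CSV for a proxy/server pair.
# Column names are taken from the header line ("# pxname,svname,...").
# Usage: stat_field <csv-text> <pxname> <svname> <field>
stat_field() {
    printf '%s\n' "$1" | awk -F, -v px="$2" -v sv="$3" -v want="$4" '
        NR == 1 { sub(/^# /, ""); for (i = 1; i <= NF; i++) if ($i == want) col = i; next }
        col && $1 == px && $2 == sv { print $col; exit }'
}

# Number of "nf_conntrack: table full" messages in kernel log text.
table_full_events() {
    printf '%s\n' "$1" | awk '/nf_conntrack: table full/ { n++ } END { print n + 0 }'
}

# Constructed sample data (not real output from the poster's system): a cut-down
# "show stat" header with a few of the real columns, and three kernel log lines.
SAMPLE_STAT='# pxname,svname,qcur,qmax,scur,smax,slim,stot,status
Primary,Primary_HTTP,0,0,1873,20000,20000,981245,DOWN
Primary,BACKEND,0,0,1873,20000,19500,981245,DOWN'
SAMPLE_DMESG='[ 1023.401] nf_conntrack: table full, dropping packet
[ 1023.402] nf_conntrack: table full, dropping packet
[ 1100.000] eth0: link up'

# Live report when run on the HAProxy host; each source is skipped if absent.
report() {
    if [ -r /proc/sys/net/netfilter/nf_conntrack_count ]; then
        c=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
        m=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
        echo "conntrack table: $c/$m entries ($(conntrack_pct "$c" "$m")% full)"
    fi
    if command -v socat >/dev/null 2>&1 && [ -S /var/run/haproxy.stat ]; then
        stat=$(echo "show stat" | socat stdio /var/run/haproxy.stat)
        echo "Primary_HTTP: scur=$(stat_field "$stat" Primary Primary_HTTP scur)" \
             "status=$(stat_field "$stat" Primary Primary_HTTP status)"
        # Source IPs currently flagged via the gpc0 counter in the frontend table
        echo "show table Connection_Handler data.gpc0 gt 0" | socat stdio /var/run/haproxy.stat
    fi
    if command -v dmesg >/dev/null 2>&1; then
        echo "conntrack 'table full' events: $(table_full_events "$(dmesg 2>/dev/null)")"
    fi
}

# Demonstration on the constructed samples, then the live report.
echo "sample: scur=$(stat_field "$SAMPLE_STAT" Primary Primary_HTTP scur), table-full events=$(table_full_events "$SAMPLE_DMESG")"
report
```

Run it on the load balancer as a user who may read the stats socket. A conntrack line near 100% (or any "table full" events) points at the answer's first suspicion, and the usual remedy is raising net.netfilter.nf_conntrack_max or not loading conntrack on the balancer at all; a scur close to the server's maxconn with status flipping between UP and DOWN between runs points at the second.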