Protecting an HTTP Service Using HAProxy

Running Basic HAProxy Server Tests

First, we need to add 2 entries to the /etc/hosts file on each of our client machines. We need these to point to the private IP address of the HAProxy server:

<HAPROXY SERVER PRIVATE IP>    www.site1.com
<HAPROXY SERVER PRIVATE IP>    www.site2.com

Before we get started with protecting our sites with HAProxy, let's take a look at what a stock HAProxy configuration looks like when presented with a large number of requests.

1. Open the web browser and connect to port 8050 on our public IP/DNS.

2. Get the stats information for our HAProxy installation.

3. Use ApacheBench (ab) to send a total of 100000 requests, with 100 concurrent requests to both www.site1.com and www.site2.com using https on each of our server instances.

   Checking our stats web interface, we can see the traffic coming in from both local instances of ApacheBench.

Defending Against HTTP Flood Attacks

We can set request rate limits to block a single agent by tracking the number or rate of requests from a single client using a stick-table.

1. Edit the /etc/haproxy/haproxy.cfg file:
   • Add a new backend to put our stick-table in.
     • Create a sitck-table to track connections:
       • type ip
       • size 1m
       • expire 10m
       • http_req_rate(10s)
   • Add a line to our frontend block to feed the connection data to the per_ip_rates backend.
   • After the line you just added to your frontend, add a line to start denying requests with an HTTP 429 Too Many Requests response when the counters in the stick-table are over 10 requests per second.
   • Add a line to deny requests with an HTTP 500 Internal Server Error response for agents reporting as curl.
   • Add a line to deny requests with an HTTP 503 Service Unavailable response for agents in the /etc/haproxy/blocked.acl file.
2. Modify the /etc/haproxy/blocked.acl file.
   • Add a line with the private IP address of the Client 2 host.

Before we see what the effects of our changes are, let's reset our stats and restart our ApacheBench instances.

1. Kill ApacheBench on all 3 hosts.
2. Restart the haproxy service.

Test Blocking Requests Based On Rate Limits

1. To test our blocking requests, generate a new batch of traffic on the Client 1 instance only. Use ApacheBench (ab) to send a total of 100000 requests, with 100 concurrent requests to both www.site1.com and www.site2.com using https.
2. Check the stats web interface again and see the effects of our changes.

Test Blocking Requests Using ACLs

We had blocked the curl agent and all requests from the Client 2 instance. Let's check our work!

1. Try using curl on the HAProxy host to load our sites.
2. Try using wget on the HAProxy host to load our sites.
3. Try using wget on the Client 1 host to load our sites.
4. Try using wget on the Client 2 host to load our sites.