Bug 1391585

Summary: [RFE] Include keepalive timeout parameter for slowloris protection on router template
Product: OpenShift Container Platform
Reporter: Javier Ramirez <javier.ramirez>
Component: Networking
Assignee: Jacob Tanenbaum <jtanenba>
Networking sub component: router
QA Contact: zhaozhanqi <zzhao>
Status: CLOSED ERRATA
Severity: low
Priority: low
CC: aos-bugs, bbennett, bmeng, hongli, jtanenba, lxia, yadu
Version: 3.4.0
Target Release: 3.6.z
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Doc Text:
Cause: When the router's slowloris protection is used without an explicitly set "timeout http-keep-alive", the router sets it equal to "timeout http-request", which is set very low.
Consequence: Performance is degraded or faulty in situations that do not expect a low keep-alive timeout.
Fix: When slowloris protection is used with the HAProxy router, "timeout http-keep-alive" is explicitly set to the cluster default of 300s if the cluster administrator has not already set it.
Result: Performance is maintained for long-running HTTP connections while slowloris DDoS protection is in use.
Last Closed: 2019-06-17 10:28:44 UTC
Type: Bug

Description Javier Ramirez 2016-11-03 15:17:45 UTC
Description of problem:

While performing some tests, we have found out that "timeout http-request" HAProxy setting, used to prevent slowloris-like attacks, may impact HTTP connections with keep-alive unless "timeout http-keep-alive" is also set with a different value (recommended ones would be ~300s). If "timeout http-request" is set but "timeout http-keep-alive" is not set, the latter defaults to the value of the former, which degrades performance as browsers do not expect such a low timeout for HTTP keep-alive connections. 

Customer already implemented this by adding a fragment like this in the "defaults" section:

{{ if (matchPattern "[1-9][0-9]*(us|ms|s|m|h|d)?" (env "ROUTER_SLOWLORIS_KEEPALIVE_TIMEOUT" "")) }}
  timeout http-keep-alive {{env "ROUTER_SLOWLORIS_KEEPALIVE_TIMEOUT" "300s" }}
{{ else }}
  timeout http-keep-alive 300s
{{ end }}


Version-Release number of selected component (if applicable):
openshift3/ose-haproxy-router:v3.2.1.17
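The inheritance the reporter describes can be checked on a rendered haproxy.config. The following audit script is an added example, not part of the bug report or the router code: it parses the `timeout` directives of the `defaults` section, applies HAProxy's fallback chain for `timeout http-keep-alive` (itself, then `timeout http-request`, then `timeout client`), and flags a keep-alive timeout that was silently inherited from the slowloris setting. The sample configs are constructed; the 300s threshold mirrors the default proposed here.

```python
import re

# HAProxy duration syntax: integer plus optional unit; a bare number means milliseconds.
_UNIT_TO_MS = {"us": 0.001, "ms": 1, "s": 1000, "m": 60_000, "h": 3_600_000, "d": 86_400_000}
_DURATION_RE = re.compile(r"^([1-9][0-9]*)(us|ms|s|m|h|d)?$")  # same pattern as the template
_SECTION_KEYWORDS = {"global", "defaults", "frontend", "backend", "listen", "resolvers", "peers", "userlist"}

def parse_duration_ms(text):
    """Convert an HAProxy timeout value such as "10s" or "300s" to milliseconds."""
    m = _DURATION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not an HAProxy duration: {text!r}")
    return int(m.group(1)) * _UNIT_TO_MS[m.group(2) or "ms"]

def parse_defaults_timeouts(config_text):
    """Collect the 'timeout <name> <value>' directives of the 'defaults' section."""
    timeouts, in_defaults = {}, False
    for raw in config_text.splitlines():
        words = raw.split("#", 1)[0].split()  # drop comments and surrounding whitespace
        if not words:
            continue
        if words[0] in _SECTION_KEYWORDS:  # a section keyword opens a new section
            in_defaults = words[0] == "defaults"
        elif in_defaults and words[0] == "timeout" and len(words) == 3:
            timeouts[words[1]] = parse_duration_ms(words[2])
    return timeouts

def effective_keepalive(timeouts):
    """HAProxy fallback for http-keep-alive: itself, then http-request, then client."""
    for name in ("http-keep-alive", "http-request", "client"):
        if name in timeouts:
            return timeouts[name], name
    return None, None

def audit_keepalive(config_text, min_keepalive_ms=300_000):
    """Return (ok, message); not ok when keep-alive is inherited and below the threshold."""
    value, source = effective_keepalive(parse_defaults_timeouts(config_text))
    if value is None:
        return True, "no keep-alive timeout is in effect"
    if source != "http-keep-alive" and value < min_keepalive_ms:
        return False, f"http-keep-alive inherits {value / 1000:g}s from 'timeout {source}'"
    return True, f"http-keep-alive is {value / 1000:g}s (set by 'timeout {source}')"

# Constructed sample configs: the router's defaults section before and after the fix.
BEFORE_FIX = """defaults
  mode http
  timeout client 30s
  timeout http-request 10s   # slowloris protection only
"""
AFTER_FIX = BEFORE_FIX + "  timeout http-keep-alive 300s\n"
```

Running `audit_keepalive(BEFORE_FIX)` reports the 10s inheritance from `timeout http-request`, while `AFTER_FIX` passes with the explicit 300s value.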

Comment 1 Ben Bennett 2016-11-03 17:30:44 UTC
Is this a concern with the way we have implemented it?

We have:

{{ if (matchPattern "[1-9][0-9]*(us|ms|s|m|h|d)?" (env "ROUTER_SLOWLORIS_TIMEOUT" "")) }}
  timeout http-request {{env "ROUTER_SLOWLORIS_TIMEOUT" "10s" }}
{{ else }}
  timeout http-request 10s
{{ end }}

Today.

Comment 2 Sergi Jimenez Romero 2017-02-13 15:30:44 UTC
Hi,

any update on this? I could make a PR for it myself, if that helps.

Customer reported concern about having `http-request` without having the possibility of customising `http-keep-alive`, as they've already run some tests and it resulted in bad performance.

Cheers,
Sergi.

Comment 3 Ben Bennett 2017-02-13 18:42:46 UTC
Sergi: No update yet, but we'll take a look soon.

Comment 4 openshift-github-bot 2017-03-07 17:04:53 UTC
Commit pushed to master at https://github.com/openshift/origin

https://github.com/openshift/origin/commit/7bfc0b92bf0fa143db79b663f7351ed7bebbeb98
add timeout http-keep-alive to the router template

a customer reported that when using "timeout http-request" for slowloris
protection it can impact connections with keep-alive. The HAProxy router
sets "timeout http-keep-alive" to "timeout http-request" when the former
is set and the latter is not and that can degrade the performance of browsers
that do not expect such a low timeout for HTTP keep-alive connections.

I added this timeout in commit: 527899eda and it was removed in
commit: a41ce2c. It looks like the removal was an oversight.

Bug 1391585

Comment 6 Ben Bennett 2017-08-29 15:13:19 UTC
This was released with 3.6.

Comment 8 Hongan Li 2019-04-25 05:53:48 UTC
Verified with atomic-openshift-3.6.173.0.162-1.git.0.62b7b39.el7 and the issue has been fixed.

### haproxy.config
  timeout http-request 10s
  timeout http-keep-alive 300s

### haproxy-config.template
{{- if (matchPattern "[1-9][0-9]*(us|ms|s|m|h|d)?" (env "ROUTER_SLOWLORIS_TIMEOUT" "")) }}
  timeout http-request {{env "ROUTER_SLOWLORIS_TIMEOUT" "10s" }}
{{- else }}
  timeout http-request 10s
{{- end }}
{{- if (matchPattern "[1-9][0-9]*(us|ms|s|m|h|d)?" (env "ROUTER_SLOWLORIS_HTTP_KEEPALIVE" "")) }}
  timeout http-keep-alive {{env "ROUTER_SLOWLORIS_HTTP_KEEPALIVE" "" }}
{{- else }}
  timeout http-keep-alive 300s
{{- end }}

Comment 10 errata-xmlrpc 2019-06-17 10:28:44 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0792