Description of problem:

While performing some tests, we have found out that the "timeout http-request" HAProxy setting, used to prevent slowloris-like attacks, may impact HTTP connections with keep-alive unless "timeout http-keep-alive" is also set with a different value (recommended ones would be ~300s). If "timeout http-request" is set but "timeout http-keep-alive" is not set, the latter defaults to the value of the former, which degrades performance as browsers do not expect such a low timeout for HTTP keep-alive connections.

Customer already implemented this by adding a fragment like this in the "defaults" section:

    {{ if (matchPattern "[1-9][0-9]*(us|ms|s|m|h|d)?" (env "ROUTER_SLOWLORIS_KEEPALIVE_TIMEOUT" "")) }}
      timeout http-keep-alive {{env "ROUTER_SLOWLORIS_KEEPALIVE_TIMEOUT" "300s" }}
    {{ else }}
      timeout http-keep-alive 300s
    {{ end }}

Version-Release number of selected component (if applicable): openshift3/ose-haproxy-router:v3.2.1.17
Is this a concern with the way we have implemented it? We have:

    {{ if (matchPattern "[1-9][0-9]*(us|ms|s|m|h|d)?" (env "ROUTER_SLOWLORIS_TIMEOUT" "")) }}
      timeout http-request {{env "ROUTER_SLOWLORIS_TIMEOUT" "10s" }}
    {{ else }}
      timeout http-request 10s
    {{ end }}

Today.
Hi, any update on this? I could make a PR for it myself, if that helps. Customer reported concern about having `http-request` without having the possibility of customising `http-keep-alive`, as they've already run some tests and it resulted in bad performance. Cheers, Sergi.
Sergi: No update yet, but we'll take a look soon.
Commit pushed to master at https://github.com/openshift/origin

https://github.com/openshift/origin/commit/7bfc0b92bf0fa143db79b663f7351ed7bebbeb98
add timeout http-keep-alive to the router template

a customer reported that when using "timeout http-request" for slowloris protection it can impact connections with keep-alive. The HAProxy router sets "timeout http-keep-alive" to "timeout http-request" when the former is set and the latter is not and that can degrade the performance of browsers that do not expect such a low timeout for HTTP keep-alive connections.

I added this timeout in commit: 527899eda and it was removed in commit: a41ce2c. It looks like the removal was an oversight.

Bug 1391585
This released with 3.6
Verified with atomic-openshift-3.6.173.0.162-1.git.0.62b7b39.el7 and the issue has been fixed.

### haproxy.config

    timeout http-request 10s
    timeout http-keep-alive 300s

### haproxy-config.template

    {{- if (matchPattern "[1-9][0-9]*(us|ms|s|m|h|d)?" (env "ROUTER_SLOWLORIS_TIMEOUT" "")) }}
      timeout http-request {{env "ROUTER_SLOWLORIS_TIMEOUT" "10s" }}
    {{- else }}
      timeout http-request 10s
    {{- end }}
    {{- if (matchPattern "[1-9][0-9]*(us|ms|s|m|h|d)?" (env "ROUTER_SLOWLORIS_HTTP_KEEPALIVE" "")) }}
      timeout http-keep-alive {{env "ROUTER_SLOWLORIS_HTTP_KEEPALIVE" "" }}
    {{- else }}
      timeout http-keep-alive 300s
    {{- end }}
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:0792
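
A check for the fallback described in this report, as an added example that is not part of the bug thread or the OpenShift router code: it parses HAProxy configuration text and reports sections where "timeout http-request" is set but "timeout http-keep-alive" is missing, so keep-alive connections inherit the short slowloris value. The function names, the sample configs and the 60s review floor are assumptions made for the example.

```python
import re

# HAProxy time suffixes; a bare number means milliseconds.
UNIT_MS = {"us": 0.001, "ms": 1, "s": 1000, "m": 60_000, "h": 3_600_000, "d": 86_400_000}
SECTIONS = ("global", "defaults", "frontend", "backend", "listen")
TIMEOUT_RE = re.compile(r"^timeout\s+(\S+)\s+(\d+)(us|ms|s|m|h|d)?$")

def parse_timeouts(config_text):
    """Return {section header: {timeout name: milliseconds}}.
    Proxy sections start from the timeouts of the preceding 'defaults'."""
    sections, defaults, current = {}, {}, None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        keyword = line.split()[0]
        if keyword in SECTIONS:
            inherited = {} if keyword in ("global", "defaults") else dict(defaults)
            current = sections.setdefault(line, inherited)
            if keyword == "defaults":
                defaults = current
            continue
        m = TIMEOUT_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = int(m.group(2)) * UNIT_MS[m.group(3) or "ms"]
    return sections

def keepalive_findings(config_text, floor_ms=60_000):
    """List (section, effective keep-alive ms, reason) for risky sections.
    floor_ms is an assumed review threshold, not a value from the bug report."""
    findings = []
    for name, t in parse_timeouts(config_text).items():
        if "http-request" not in t:
            continue  # no slowloris timeout set, so nothing to inherit
        if "http-keep-alive" not in t:
            findings.append((name, t["http-request"], "inherited from http-request"))
        elif t["http-keep-alive"] < floor_ms:
            findings.append((name, t["http-keep-alive"], "below floor"))
    return findings

# Constructed samples: a defaults section without the fix, then with the verified values.
BEFORE = "defaults\n  mode http\n  timeout http-request 10s\n"
AFTER = BEFORE + "  timeout http-keep-alive 300s\n"

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, keepalive_findings(cfg))
```

The parser only follows the most recent preceding "defaults" section, so configurations that use other inheritance mechanisms need a fuller parser.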