默认情况下,HAProxy 是否会保护自己免受 TCP SYN 泛洪攻击或 DOS 攻击?如果不是,我该如何保护 HAProxy 负载均衡器免受这些攻击?
最佳答案
不,它没有(如果你有像 examples 这样简单的东西,他们提供或遵循那里的大多数教程)但是 this HAProxy 博客涵盖了 SYN 洪水攻击和一些 DoS 攻击。
您可以使用 sysctl 中的以下设置在内核级别加强您的系统以抵抗 SYN 攻击:
administrator@HAProxyUbuntu:~$ sysctl -a
net.ipv4.conf.all.rp_filter = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.tcp_synack_retries = 3
可以使用 backlog 参数从 HAProxy 传入 max_syn_backlog 值:
In order to protect against SYN flood attacks, one solution is to increase the system's SYN backlog size. Depending on the system, sometimes it is just tunable via a system parameter, sometimes it is not adjustable at all, and sometimes the system relies on hints given by the application at the time of the listen() syscall. By default, HAProxy passes the frontend's maxconn value to the listen() syscall. On systems which can make use of this value, it can sometimes be useful to be able to specify a different value, hence this backlog parameter.
http://cbonte.github.io/haproxy-dconv/1.6/configuration.html#4.2-backlog
关于security - HAProxy 是否默认保护自己免受 tcp syn flood 攻击,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/46808574/