Haproxy在高容量下坠落

我遇到了一些HAProxyconfiguration问题。 我一直在玩它，试图让它更适应高服务器负载和拒绝服务。 然而，我觉得它工作的很好，直到突然之间，我是一个（D）DoS攻击的受害者 – Haproxy报告后端下降，即使我仍然可以通过直接端口访问它。

有人可以检查我的HAProxyconfiguration，看看是否有什么地方我搞砸了，或者为什么我会遇到这个..我似乎无法理解为什么会发生这种情况。

在此先感谢（当然之后）。

全球

• haproxy httpchk在后台进行多重检查
• HAProxy SSL连接
• 在haproxy的响应头文件中包含后端名称/ IP
• HAProxy路由https SNI和http通过相同的端口
• 与子域设置Haproxy设置

# Global Max Connections maxconn 20000 # Various Other Settings pidfile /var/run/haproxy.pid stats socket /var/run/haproxy.stat mode 600 level admin stats timeout 5m chroot /usr/share/haproxy daemon # User Settings user haproxy group haproxy defaults # Default configuration settings for Haproxy retries 2 maxconn 19500 timeout server 10s timeout client 10s timeout queue 10s timeout connect 10s timeout http-request 10s # Error files errorfile 503 /etc/phpconf/haErrors/503.http frontend Connection_Handler default_backend Primary bind :80 mode http option forwardfor option http-server-close maxconn 20000 # Check if cookie exists #acl cookie_set hdr_sub(cookie) authorized=1 # If cookie doesn't exist try and set it #redirect prefix * set-cookie authorized=1 if !cookie_set # If the cookie is still not set, send it to blocked backend #use_backend Cookie_Block if !cookie_set ## (D)DoS Mitigation ## # Setup stick table stick-table type ip size 1m expire 10m store gpc0 # Configure the DoS src acl src_DoS src_get_gpc0(Connection_Handler) gt 0 # Use DoS tarpit if src_DoS use_backend DoS_Tarpit if src_DoS # If not blocked, track the connection tcp-request connection track-sc1 src if ! src_DoS listen Statistics_Engine mode http bind XX.XXX.XX.XX:9012 stats enable stats uri /admin?stats=true stats auth admin:Password stats hide-version stats refresh 2s #stats scope # Add this option to provide stats for a singular backend backend Primary # Option Configs option httpclose option redispatch option abortonclose ## (D)DoS Mitigation ## # The following table is recording the IP, connection rate and bytes out rate stick-table type ip size 200k expire 10s store conn_rate(5s) # Track request and enforce rules tcp-request content track-sc2 src # Mark as abuse if exceeding connection rate acl conn_rate_abuse sc2_conn_rate gt 80 # Mark as abuse if over X bytes acl data_rate_abuse sc2_bytes_out_rate gt 200000 # Set ACL rule to enforce on frontend acl mark_as_DoS sc1_inc_gpc0 gt 0 # Block connections marked as DoS tcp-request content reject if conn_rate_abuse mark_as_DoS #tcp-request content reject if data_rate_abuse mark_as_DoS # Configure Server mode http option forwardfor server Primary_HTTP 0.0.0.0:1080 check addr 127.0.0.1 port 80 inter 3000 rise 2 fall 3 maxconn 20000 #fullconn 1024 backend Conn_Tarpit # Tarpit for connections mode http timeout tarpit 20s reqitarpit . errorfile 503 /etc/phpconf/haErrors/tarpit_503.txt backend Cookie_Block # Block connections that will not take on a cookie mode http reqdeny . errorfile 503 /etc/phpconf/haErrors/503_cookie.txt backend DoS_Tarpit # Tarpit for suspected attacks log 127.0.0.1 local1 info timeout tarpit 10s # Tarpit for 10 seconds errorfile 500 /etc/phpconf/haErrors/500_DoS.txt mode http reqitarpit .