diff --git a/install_config/install/deploy_router.adoc b/install_config/install/deploy_router.adoc index 415d8b3d2c18..3fd9b4645703 100644 --- a/install_config/install/deploy_router.adoc +++ b/install_config/install/deploy_router.adoc 
@@ -1113,6 +1113,72 @@ If you used a non-default name for the router, you must change *_dc/router_* accordingly. +[[deploy-router-protecting-against-ddos-attacks]] +=== Protecting Against DDoS Attacks + +Add *timeout http-request* to the default HAProxy router image to +protect the deployment against distributed denial-of-service (DDoS) attacks (for +example, slowloris): + +==== +---- +# and the haproxy stats socket is available at /var/run/haproxy.stats +global + stats socket ./haproxy.stats level admin + +defaults + option http-server-close + mode http + timeout http-request 5s + timeout connect 5s <1> + timeout server 10s + timeout client 30s +---- +<1> *timeout http-request* is set up to 5 seconds. HAProxy gives a client 5 seconds + *to send its whole HTTP request. Otherwise, HAProxy shuts the connection with + *an error. +==== + +Also, when the environment variable `*ROUTER_SLOWLORIS_TIMEOUT*` is set, it +limits the amount of time a client has to send the whole HTTP request. +Otherwise, HAProxy will shut down the connection. + +Setting the environment variable allows information to be captured as part +of the router's deployment configuration and does not require manual +modification of the template, whereas manually adding the HAProxy setting +requires you to rebuild the router pod and maintain your router template file. + +Using annotations implements basic DDoS protections in the HAProxy template +router, including the ability to limit the: + +* number of concurrent TCP connections +* rate at which a client can request TCP connections +* rate at which HTTP requests can be made + +These are enabled on a per route basis because applications can have extremely +different traffic patterns. + +.HAProxy Template Router Settings +[cols="2",options="header"] +|=== + +|Setting |Description + +|`*haproxy.router.openshift.io/rate-limit-connections*` +|Enables the settings be configured (when set to *true*, for example). 
+ +|`*haproxy.router.openshift.io/rate-limit-connections.concurrent-tcp*` +|The number of concurrent TCP connections that can be made by the same IP +address on this route. + +|`*haproxy.router.openshift.io/rate-limit-connections.rate-tcp*` +|The number of TCP connections that can be opened by a client IP. + +|`*haproxy.router.openshift.io/rate-limit-connections.rate-http*` +|The number of HTTP requests that a client IP can make in a 3-second +period. +|=== + [[deploying-customized-router]] == Deploying a Customized HAProxy Router @@ -1287,8 +1353,8 @@ backend be_tcp_{{$cfgIdx}} ==== After this modification, you can xref:rebuilding-your-router[rebuild your router]. -[[rebuilding-your-router]] +[[rebuilding-your-router]] === Rebuilding Your Router After you have made any desired modifications to the template, such as the
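Review bot: in the first hunk (the new "Protecting Against DDoS Attacks" section) the `<1>` callout marker is attached to the `timeout connect 5s` line, but the callout text explains `timeout http-request`; move the marker to the `timeout http-request 5s` line so the explanation matches the setting it describes. The callout's continuation lines also carry stray leading asterisks (`*to send its whole HTTP request` and `*an error.`), which AsciiDoc will render as literal or unbalanced bold markers rather than wrapped text, and "is set up to 5 seconds" should read "is set to 5 seconds". The listing's comment says the stats socket is at `/var/run/haproxy.stats` while the `global` stanza binds `./haproxy.stats`; pick one path so the snippet is self-consistent. In the settings table, "Enables the settings be configured" needs "to be" and the `rate-tcp` row gives no time window, whereas the `rate-http` row states a 3-second period; an operator cannot size a rate limit without knowing the interval it applies over, so state it for both rows. Finally, the `ROUTER_SLOWLORIS_TIMEOUT` paragraph should say what unit the value takes and that it sets the same `timeout http-request` shown in the listing, so readers know the two approaches configure one control rather than two.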
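Review bot: in the second hunk the `-[[rebuilding-your-router]]` / `+[[rebuilding-your-router]]` pair shows no visible difference, so this is presumably a trailing-whitespace or line-ending change; either drop it from this PR or mention in the commit message that it is a whitespace fix (and, if the stray whitespace was breaking the `xref:rebuilding-your-router[]` target added just above it, say so, since that makes it a functional fix rather than noise).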