haproxy to protect apache against Slowloris and Nkiller2 DoS attacks

From: Willy Tarreau <w#1wt.eu>
Date: Sun, 28 Jun 2009 15:58:19 +0200

Hi all,

since I'm seeing worried people everywhere about the "apache vulnerability" as they call it (while it's just a reuse of a well-known weakness), and other people suggesting incomplete haproxy configuration files, I have prepared a generic haproxy configuration file to be installed without too much hassle in front of any server at risk, and I'm posting it here as it should help people find it more easily :


It requires that apache is moved to and that haproxy is installed on pub:80 instead. It does no health check (since some people find it hard to make them work), and it is not a problem because there's only one server.

I have tested it against the Slowloris script and the Nkiller2 tool published in phrack (which is a very interesting method BTW). I have not set any ACL, tarpit nor cookies so that the config remains very basic. But of course it could be extended to detect and block more precise patterns.

Willy Received on 2009/06/28 15:58

This archive was generated by hypermail 2.2.0 : 2009/06/28 16:00 CEST