Add rate limiting, connection limits, and timeout hardening
All checks were successful
HAProxy Manager Build and Push / Build-and-Push (push) Successful in 1m33s
Activate HAProxy's built-in attack prevention to stop floods that cause the container to become unresponsive:

- Stick table tracks per-IP: conn_cur, conn_rate, http_req_rate, http_err_rate
- Rate limit rules: deny at 50 req/s, tarpit at 20 req/s, connection rate limit at 60/10s, concurrent connection cap at 100, error rate tarpit at 20 errors/30s
- Harden timeouts: http-request 300s→30s, connect 120s→10s, client 10m→5m, keep-alive 120s→30s
- HTTP/2 Rapid Reset protection (CVE-2023-44487): stream and glitch limits
- Stats frontend on localhost:8404 for monitoring
- HEALTHCHECK now validates both port 80 (HAProxy) and 8000 (API)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@@ -18,6 +18,6 @@ RUN mkdir -p /var/spool/cron/crontabs && \
chown root:crontab /var/spool/cron/crontabs/root
EXPOSE 80 443 8000
# Add health check
HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
CMD curl -f http://localhost:8000/health || exit 1
HEALTHCHECK --interval=30s --timeout=10s --start-period=60s --retries=3 \
CMD curl -sf --max-time 5 http://localhost:8000/health && curl -s --max-time 5 -o /dev/null http://localhost/ || exit 1
CMD ["/haproxy/scripts/start-up.sh"]
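
Review bot: In the new HEALTHCHECK CMD, the second probe (`curl -s --max-time 5 -o /dev/null http://localhost/`) has no `-f`, so any HTTP response from port 80, including a 503 from HAProxy, passes; the check only proves that the port accepts a connection and answers within 5 seconds. If that is intentional (for example because a request to `/` without a matching route is expected to return an error status), say so in the `# Add health check` comment; otherwise add `-f` or probe a path that is expected to return 2xx. The two probes also run sequentially with `--max-time 5` each, which adds up to the full `--timeout=10s`, so a slow second probe can be cut off by Docker's timeout rather than by curl; lowering `--max-time` or raising `--timeout` leaves some margin. The change of `--start-period` from 5s to 60s is not mentioned in the commit message and deserves a line there or in the comment.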