LVS and SYNPROXY
The SYNPROXY module uses TCP SYN cookies to protect a TCP connection that is terminated on a third-party device located behind the HAProxy ALOHA: it answers the client's SYN with a SYN-ACK carrying a cookie, and only opens the connection to the server once the client's ACK has validated that cookie. Because the server then chooses its own initial sequence number, SYNPROXY relies on the conntrack module to translate sequence numbers between the client-side and server-side legs of the connection.
The diagram below shows how sequence numbers are translated between Y (client to HAProxy ALOHA) and Z (HAProxy ALOHA to server):
In HAProxy ALOHA, the SYNPROXY module is mainly used for integration with PacketShield to provide protection against packet flood attacks in the following cases:
Traffic routed through HAProxy ALOHA
Load balancing at Layer 4 in NAT mode
Load balancing at Layer 4 in DSR mode, only if the server-to-client traffic is routed through HAProxy ALOHA (conntrack must see both directions of the flow to translate sequence numbers)
Configuring TCP SYNPROXY
Configure the conntrack module
In the HAProxy ALOHA Services tab, edit the service settings to add the following setting to the conntrack service:
By default, conntrack accepts a non-SYN packet that matches no existing entry as a NEW connection. SYNPROXY depends on the client's final handshake ACK arriving without a conntrack entry and being classified INVALID, so that it is handed to SYNPROXY for cookie validation; this sysctl disables that loose pickup, which is what allows SYNPROXY to work.
With LVS, using the SYNPROXY module on its own leads to a SYN/SYN-ACK loop between clients and the load balancer, because LVS does not register its connections with conntrack and the sequence-number translation never happens.
To circumvent this issue, LVS is used in conjunction with conntrack.
In the HAProxy ALOHA Services tab, edit the service settings to add the following setting to the LVS service:
SYNPROXY rule syntax
<chain> [conditions of application] [TCP options]
Chain
input: protect local or LVS connections
forward: protect a connection routed through HAProxy ALOHA
Conditions of application
dst: IP packet destination IP or subnet
iface: inbound network interface (should match the PacketShield interface)
dstport: IP packet destination port (range accepted)
TCP options
wscale: window scale. Default value: not set. Requires timestamp
Maximum Segment Size. Default value: 1460
Selective Acknowledgment (SACK). Default value: not enabled. Requires timestamp
Timestamps. Default value: not enabled
Explicit Congestion Notification (ECN). Default value: not enabled. Requires timestamp
Configuring SYNPROXY module
In the HAProxy ALOHA Services tab, edit a service configuration.
In the text area, create your rules.
Protect HTTP and HTTPS services managed by HAProxy or LVS running in HAProxy ALOHA
input dst 10.0.0.1 dstport 80 iface eth0 wscale 3
input dst 10.0.0.1 dstport 443 iface eth0 wscale 3
Protect HTTP and HTTPS services hosted by cloud service VMs located behind HAProxy ALOHA
forward dstport 80 iface eth0 wscale 3
forward dstport 443 iface eth0 wscale 3
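To make the conntrack, LVS and SYNPROXY configuration steps above concrete, the following script translates rules written in the page's syntax into the plain netfilter commands they stand for and prints them without applying anything. This is an added example, not HAProxy ALOHA's own implementation: the mapping onto the iptables SYNPROXY target follows the standard Linux SYNPROXY recipe, the sysctl names (nf_conntrack_tcp_loose, net.ipv4.vs.conntrack) are the standard kernel knobs that the page refers to but does not name, and every keyword other than input, forward, dst, dstport, iface and wscale (that is, mss, sack, timestamp, ecn and the low-high port range spelling) is an assumed spelling.

```shell
#!/bin/sh
# Dry-run translator from HAProxy ALOHA SYNPROXY rule syntax to the plain
# netfilter commands it stands for. Added example, not ALOHA's own code: the
# iptables mapping follows the standard Linux SYNPROXY recipe, and the
# keywords mss, sack, timestamp, ecn and the low-high port range spelling
# are assumptions. Commands are printed, never executed, so this runs
# unprivileged.

# Kernel prerequisites (assumed standard knobs, not named on the page): stop
# conntrack picking up non-SYN packets as NEW, and, when LVS/IPVS terminates
# the flow, make IPVS register its connections with conntrack so sequence
# numbers can be translated.
synproxy_prereqs() {
    echo "sysctl -w net.netfilter.nf_conntrack_tcp_loose=0"
    if [ "${1:-}" = "lvs" ]; then
        echo "sysctl -w net.ipv4.vs.conntrack=1"
    fi
}

# Usage: synproxy_rule_to_iptables <input|forward> [dst IP[/len]] [dstport P[-P]]
#        [iface IF] [wscale N] [mss N] [sack] [timestamp] [ecn]
synproxy_rule_to_iptables() {
    chain=$1
    shift
    case "$chain" in
        input)   ipt_chain=INPUT ;;    # local service or LVS/IPVS (hooks at LOCAL_IN)
        forward) ipt_chain=FORWARD ;;  # service routed through the box
        *) echo "unknown chain: $chain" >&2; return 1 ;;
    esac
    match="-p tcp"
    opts=""
    mss=1460      # documented default
    have_ts=0
    need_ts=0
    while [ $# -gt 0 ]; do
        case "$1" in
            dst)       match="$match -d $2"; shift 2 ;;
            # assumed range spelling low-high; iptables wants low:high
            dstport)   match="$match --dport $(printf '%s' "$2" | tr '-' ':')"; shift 2 ;;
            iface)     match="$match -i $2"; shift 2 ;;
            wscale)    opts="$opts --wscale $2"; need_ts=1; shift 2 ;;
            mss)       mss=$2; shift 2 ;;
            sack)      opts="$opts --sack-perm"; need_ts=1; shift ;;
            ecn)       opts="$opts --ecn"; need_ts=1; shift ;;
            timestamp) have_ts=1; shift ;;
            *) echo "unknown token: $1" >&2; return 1 ;;
        esac
    done
    # Window scale, SACK and ECN are encoded in the SYN cookie's timestamp
    # option, so they are ineffective without it: add --timestamp implicitly.
    if [ "$need_ts" = 1 ]; then
        have_ts=1
    fi
    if [ "$have_ts" = 1 ]; then
        opts=" --timestamp$opts"
    fi
    # 1. The raw SYN must not create a conntrack entry; SYNPROXY answers it itself.
    echo "iptables -t raw -A PREROUTING $match --syn -j CT --notrack"
    # 2. Untracked SYNs and the client's cookie-bearing ACK (no entry, hence
    #    INVALID once tcp_loose=0) go to SYNPROXY, which opens the backend
    #    connection only after the cookie validates.
    echo "iptables -A $ipt_chain $match -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY$opts --mss $mss"
    # 3. Everything else conntrack cannot place in a flow is dropped.
    echo "iptables -A $ipt_chain $match -m conntrack --ctstate INVALID -j DROP"
}

# Render the page's own rules when run stand-alone.
synproxy_prereqs lvs
synproxy_rule_to_iptables input dst 10.0.0.1 dstport 80 iface eth0 wscale 3
synproxy_rule_to_iptables forward dstport 443 iface eth0 wscale 3
```

Whatever the spelling of the options, the values given for wscale, MSS and SACK are what SYNPROXY advertises to the client before it has exchanged a single packet with the server, so they should match what the protected server actually negotiates; a mismatch is not an error but degrades throughput for every proxied connection.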