HAProxy ALOHA Documentation 13.0

LVS and Synproxy

The SYNPROXY module deploys TCP SYN cookies to establish a TCP connection terminated on a third party device located behind the HAProxy ALOHA. It relies on the conntrack module to translate sequence numbers.

The diagram below show how sequence numbers are translated from Y (client to HAProxy ALOHA) to Z (HAProxy ALOHA to server):

https://cdn.haproxy.com/documentation/aloha/13-0/assets/tcp-synproxy_361x312-543eab2559517dc06677ee07761e6e6f03317afcbf888c3e427c6a855e638381.png

Objective

In HAProxy ALOHA, the SYNPROXY module is mainly used for integration with PacketShield to provide protection against packet flood attacks in the following cases:

  • Traffic routed through HAProxy ALOHA

  • Load balancing at Layer 4 in NAT mode

  • Load balancing at Layer 4 in DSR mode if the server-to-client traffic is routed through HAProxy ALOHA

Configuring TCP SYNPROXY

Requirements

Configure the conntrack module

In the HAProxy ALOHA Services tab, edit the service settings to add the following setting to the conntrack service:

sysctl tcp_loose=0

The sysctl prevents conntrack from accepting packets as NEW packets and allowing SYNPROXY to work.

Configure LVS

With LVS, the use of the SYNPROXY module leads to a SYN/SYN-ACK loop between clients and the load balancer.

To circumvent this issue, we use LVS in conjunction with conntrack.

  • In the HAProxy ALOHA Services tab, edit the service settings to add the following setting to the LVS service:

    conntrack

SYNPROXY syntax rule

<chain> [conditions of application] [TCP options]

Available chains

<input>

protect local or LVS connections

<forward>

protect a connection routed through HAProxy ALOHA

Conditions of application

[[not] dst <host>]

IP packet destination IP or subnet

[[not] iface <interface>]

inbound network interface (should match Packetshield interface)

[[not] dstport <port>]

IP packet destination port (range accepted)

TCP options

[wscale <value>]

Windows scale. Default value: not set. Requires timestamp

[mss <value>]

Maximum Segment Size. Default value: 1460

[sack-perm]

Selective Acknowledgment. Default value: not enabled. Requires timestamp

[timestamp]

timestamps. Default value: not enabled

[ecn]

Explicit Congestion Notification. Default value: not enabled. Requires timestamp

Configuring SYNPROXY module

  1. In the HAProxy ALOHA Services tab, edit a service configuration.

  2. In the text area, create your rules.

Configuration examples

Protect HTTP and HTTPs services managed by HAProxy or LVS running in HAProxy ALOHA

input dst 10.0.0.1 dstport 80 iface eth0 wscale 3
input dst 10.0.0.1 dstport 443 iface eth0 wscale 3

Protect HTTP and HTTPs services hosted by cloud service VMs located behind HAProxy ALOHA

forward dstport 80 iface eth0 wscale 3
forward dstport 443 iface eth0 wscale 3

Next up

Metrics