Merge pull request #2564 from ahardin-rh/dos-attacks

Bug 1354145, added Using a Router Image to Protect Against DDoS Attacks

Author: ahardin-rh

Diff for: install_config/install/deploy_router.adoc

@@ -1113,6 +1113,72 @@ If you used a non-default name for the router, you must change *_dc/router_*
 accordingly.
 
 
+[[deploy-router-protecting-against-ddos-attacks]]
+=== Protecting Against DDoS Attacks
+
+Add *timeout http-request* to the default HAProxy router image to
+protect the deployment against distributed denial-of-service (DDoS) attacks (for
+example, slowloris):
+
+====
+----
+# and the haproxy stats socket is available at /var/run/haproxy.stats
+global
+  stats socket ./haproxy.stats level admin
+
+defaults
+  option http-server-close
+  mode http
+  timeout http-request 5s
+  timeout connect 5s <1>
+  timeout server 10s
+  timeout client 30s
+----
+<1> *timeout http-request* is set up to 5 seconds. HAProxy gives a client 5 seconds
+ *to send its whole HTTP request. Otherwise, HAProxy shuts the connection with
+ *an error.
+====
+
+Also, when the environment variable `*ROUTER_SLOWLORIS_TIMEOUT*` is set, it
+limits the amount of time a client has to send the whole HTTP request.
+Otherwise, HAProxy will shut down the connection.
+
+Setting the environment variable allows information to be captured as part
+of the router's deployment configuration and does not require manual
+modification of the template, whereas manually adding the HAProxy setting
+requires you to rebuild the router pod and maintain your router template file.
+
+Using annotations implements basic DDoS protections in the HAProxy template
+router, including the ability to limit the:
+
+* number of concurrent TCP connections
+* rate at which a client can request TCP connections
+* rate at which HTTP requests can be made
+
+These are enabled on a per route basis because applications can have extremely
+different traffic patterns.
+
+.HAProxy Template Router Settings
+[cols="2",options="header"]
+|===
+
+|Setting |Description
+
+|`*haproxy.router.openshift.io/rate-limit-connections*`
+|Enables the settings be configured (when set to *true*, for example).
+
+|`*haproxy.router.openshift.io/rate-limit-connections.concurrent-tcp*`
+|The number of concurrent TCP connections that can be made by the same IP
+address on this route.
+
+|`*haproxy.router.openshift.io/rate-limit-connections.rate-tcp*`
+|The number of TCP connections that can be opened by a client IP.
+
+|`*haproxy.router.openshift.io/rate-limit-connections.rate-http*`
+|The number of HTTP requests that a client IP can make in a 3-second
+period.
+|===
+
 [[deploying-customized-router]]
 == Deploying a Customized HAProxy Router
 
@@ -1287,8 +1353,8 @@ backend be_tcp_{{$cfgIdx}}
 ====
 
 After this modification, you can xref:rebuilding-your-router[rebuild your router].
-[[rebuilding-your-router]]
 
+[[rebuilding-your-router]]
 === Rebuilding Your Router
 
 After you have made any desired modifications to the template, such as the