Forum

HideProxy and ConnectionsPerIP

Alex
12 October 2014, 10:20
Today my goal is, after fully migrating, to check
if there are problems with haproxy and cloudflare in front of
Hiawatha.

So, cloudflare sends the requests to an haproxy server, which then transparently forwards the request to one of the backend Hiawatha Webservers.

Hiawatha now gets the haproxy IP as well as the client IP as an X-Forwarded-For header.

So I used HideProxy Load.balancing.i.p
Fine. Hiawatha now uses the client IP as the originating one.
But wait, what do I see there?
"This option does not affect the ConnectionsPerIP setting."
So I'm telling Hiawatha that the real IP is the forwarded IP, but ConnectionsPerIP doesn't mind and would eventually block my haproxy for too many ConnectionsPerIP?

Or am I misinterpreting? If so, please tell me, I would be done with configuring in that case.

Hiawatha version: 9.8
Operating System: Debian Sid
Hugo Leisink
12 October 2014, 13:12
The reason why ConnectionsPerIP will not work with HideProxy, is because the IP address of the client for which the request was forwarded is in the HTTP request (X-Forwarded-For header). Since Hiawatha has not received any request at the moment of connection, the ConnectionsPerIP cannot be done on the actual client's IP.

This kind of DDoS mitigation should be done by the reverse proxy, not the webserver behind it.
Alex
12 October 2014, 14:16
Aww. Alright, so I'm guessing BanOnFlooding won't work as well, eventually banning the haproxy balancer? Please correct me if I'm wrong.

Thank you for your time so far!
Hugo Leisink
12 October 2014, 18:49
The BanOnFlooding does work, because it (also) simply counts the amount of requests within one connection.
Alex
14 October 2014, 23:44
Well, that means it won't work behind a load balancer, or does the flood protection work with some kind of token system per connection or HideProxy?

Also, again glad I managed to switch the page, which is used as community board and commenting platform for the most subscribed YouTuber. The page is, because of haters, under constant DDoS.

Cloudflare does some blocking, but when we have DDoS attacks like 50k concurrent connections from tons of WordPress pingbacks, Hiawatha does a better job than other lightweight webservers.

Using all the security measures, and used your latest addition to block WordPress/* user agents.

Mentioned Hiawatha in the tech thread with the big banner, hoping it gets more attention.

Can't thank you enough, keep up the good work!
Hugo Leisink
16 October 2014, 20:43
The flood protection works by counting the amounts of requests within one connection. Combined with ReconnectDelay and ConnectionsPerIP, it can be used to block flooding clients.
Alex
17 October 2014, 15:51
So, which directives actually recognize HideProxy?
Had my haproxy banned because of sending a too large request.
In the logs, I noticed the exploit bans / garbage bans recognize HideProxy, since there were individual IPs banned.

BanOnMaxReqSize, ConnectionsPerIP and BanOnFlooding do false banning then, since the request comes from only one haproxy IP, which sends X-Forwarded-For, which is not being read by the three directives.
Had 2 node outages so far because the haproxy got banned there.
Hugo Leisink
19 October 2014, 21:04
All options that work for actions AFTER the request parsing. Everything during or before the request parsing works with the IP of the connected client, which could be a reverse proxy.
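The distinction Hugo draws here and in his 12 October reply (the peer address is known at accept() time, the forwarded client address only after the headers are parsed) is easy to see in a small model. The following is an added example written for this thread, not Hiawatha's own code; the names ConnectionLimiter, effective_client_ip, simulate, TRUSTED_PROXIES and the sample addresses are all constructed. It applies a per-IP connection cap before any request bytes exist, then resolves the client address from X-Forwarded-For only for connections coming from the listed proxy, so a direct client cannot forge the header to appear as someone else.

```python
from collections import Counter

# Constructed: the one HAProxy address a HideProxy-style list would contain.
TRUSTED_PROXIES = {"10.0.0.1"}


class ConnectionLimiter:
    """Per-IP connection cap enforced when the TCP connection is accepted.

    At this point no HTTP request has been read, so the only address
    available is the TCP peer. Behind a reverse proxy every connection
    has the proxy's address, which is why such a cap ends up limiting
    (or banning) the proxy itself rather than the real clients.
    """

    def __init__(self, max_per_ip: int) -> None:
        self.max_per_ip = max_per_ip
        self.open = Counter()  # peer IP -> currently open connections

    def on_connect(self, peer_ip: str) -> bool:
        """Return True if the connection is accepted, False if rejected."""
        if self.open[peer_ip] >= self.max_per_ip:
            return False
        self.open[peer_ip] += 1
        return True

    def on_close(self, peer_ip: str) -> None:
        self.open[peer_ip] -= 1


def effective_client_ip(peer_ip: str, headers: dict) -> str:
    """Request-time view of the client address.

    X-Forwarded-For can only be consulted once headers are parsed, and is
    only honoured when the peer is a listed proxy; otherwise a direct
    client could set the header and impersonate any address.
    """
    if peer_ip not in TRUSTED_PROXIES:
        return peer_ip
    xff = headers.get("X-Forwarded-For")
    if not xff:
        return peer_ip
    # Assumption: the right-most entry is the one appended by our proxy,
    # so it is the only hop-added value we can trust.
    return xff.split(",")[-1].strip()


def simulate(events, max_per_ip: int = 2):
    """Run a sequence of (peer_ip, headers) connections through both stages.

    Connections stay open (keep-alive), so the limiter sees concurrency.
    Returns (peers rejected at accept time, requests counted per client).
    """
    limiter = ConnectionLimiter(max_per_ip)
    rejected_at_accept = []
    requests_per_client = Counter()
    for peer_ip, headers in events:
        if not limiter.on_connect(peer_ip):
            rejected_at_accept.append(peer_ip)
            continue
        # Connection accepted: only now is the request parsed and the
        # forwarded client address known to request-level checks.
        requests_per_client[effective_client_ip(peer_ip, headers)] += 1
    return rejected_at_accept, requests_per_client


# Constructed sample traffic: three distinct clients via the proxy, then
# one direct client trying to pass itself off as an earlier address.
EVENTS = [
    ("10.0.0.1", {"X-Forwarded-For": "203.0.113.5"}),
    ("10.0.0.1", {"X-Forwarded-For": "198.51.100.7"}),
    ("10.0.0.1", {"X-Forwarded-For": "192.0.2.44"}),
    ("192.0.2.9", {"X-Forwarded-For": "203.0.113.5"}),
]

if __name__ == "__main__":
    rejected, per_client = simulate(EVENTS)
    print("rejected at accept:", rejected)
    print("requests per effective client:", dict(per_client))
```

With a cap of two connections per IP, the third connection from 10.0.0.1 is refused even though it carries a third, distinct client address: the limiter never saw that address. The direct connection from 192.0.2.9 is accepted and counted as 192.0.2.9, its forged header ignored. This is exactly why the per-connection caps belong on the proxy, which does see the real peer addresses, while checks that run after parsing can use the forwarded one.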
This topic has been closed.