Project 15: Protecting Apache with a Load-Balancer (20 pts.)

Requirements

You will need three machines--they can be physical or virtual, but they must all be on the same LAN:

An Attacker running Windows (any version is OK, I used Windows 7 Pro)
A Target running Apache2 on Linux (any version is OK, I used Ubuntu 10.04)
A Defender running Linux (any version should be OK, I used Ubuntu 10.04)

You could probably use the same Linux machine to be both the load-balancer and the Apache server if you want to, buit you will have to configure one of them to use some port other than 80. For clarity and accuracy, I prefer to use separate machines.

haproxy

Haproxy is a load-balancer. You could use apt-get to install it from the Ubuntu archives, but the version in the archives is out of date and does not support IPv6. I recommend using the newer version because, although this project does not use IPv6, I want the option to use it in later projects.

Downloading haproxy

Start Ubuntu. From the Menu bar, click Applications, Accessories, Terminal. In the Terminal window, execute these commands (When you are prompted to, enter your password):

cd /usr/local/src sudo wget http://haproxy.1wt.eu/download/1.4/src/haproxy-1.4.11.tar.gz

For the last two days, the server at 1wt.eu has been down. If you get an HTTP error saying the source is unavailable, use this command instead:

sudo wget http://samsclass.info/124/proj11/haproxy-1.4.11.tar.gz

When I did it at Starbucks, it failed twice and automatically restarted, so there were two bad download files named haproxy-1.4.11.tar.gz and haproxy-1.4.11.tar.gz.1 which I had to remove with the sudo rm command, and then I had to use the sudo mv command to move the good file to haproxy-1.4.11.tar.gz. If you have a more reliable network, you won't have to do that.

Compiling haproxy

In the Terminal window, execute these commands:

sudo tar -xzf haproxy-1.4.11.tar.gz cd haproxy-1.4.11 sudo make TARGET=linux26 ARCH=i386

Wait while a screen or two of messages scroll by. When the $ prompt reappears, in the Terminal window, execute this command:

sudo make install

Preparing the haproxy startup script

This script will start haproxy automatically each time Linux starts.

In the Terminal window, execute these commands:

sudo mkdir /etc/haproxy cd examples/ sudo cp haproxy.cfg /etc/haproxy sudo cp haproxy.init /etc/init.d/haproxy sudo chmod 755 /etc/init.d/haproxy sudo nano /etc/init.d/haproxy

In the nano text editor, execute these commands:

Ctrl+W
Ctrl+R to start search and replace
At the "Search (to replace):" prompt, type

/usr/sbin

press Enter
At the "Replace with:" prompt, type

/usr/local/sbin

Press Enter
At the "Replace this instance?" prompt, type
A
you should see a message saying "[ replaced 6 occurrences ]"
Save the file with Ctrl+X, Y, Enter

When you start the search, your screen will look like this:

Preparing the haproxy config file

In the Terminal window, execute this command:

sudo nano /etc/haproxy/haproxy.cfg

In the global section, add a # to comment out this line:

# chroot /usr/share/

Your file should look like the image below on this page:

Scroll down to the defaults section and make this change:

Comment out this line:

# redispatch

Your file should look like the image below on this page:

Use the down-arrow key to move to the first line starting with listen. Press Ctrl+K repeatedly to delete that line and all the lines below it. Then type in these lines, replacing the IP address in the last line with the IP address of your Target Apache server:


listen webfarm 0.0.0.0:80
       mode http
       stats enable
       stats auth haproxy:haproxy
       balance roundrobin
       cookie JSESSIONID prefix
       option httpclose
       option forwardfor
       server webA 192.168.0.103:80

Your file should look like the image below on this page:

Save the file with Ctrl+X, Y, Enter

Starting haproxy

In the Terminal window, execute these commands:

cd /etc/haproxy sudo /usr/local/sbin/haproxy -f haproxy.cfg -V

You should see four lines ending with "test results OK" and then a line saying "Using sepoll() as the polling mechanism.", as shown in the Ubuntu window on the left, below on this page:

The image above shows the Defender machine on the left, running haproxy, the Target machine on the right, running Apache, and a Web browser viewing the proxy's output.

Open a Web browser, and type in the IP address of the proxy, which shows the page served by Apache.

Click the Refresh button--the page should respond instantly. That proves that the Proxy is working, and that Apache is working.

Attacking the Proxy

On the Windows attacker, run the OWASP HTTP Attack tool as you did in previous projects. Attack the IP address of the Defender (the Linux box running haproxy). Start with these parameters, which are sufficient to bring Apache to a total stop:

Attack Type: Slow headers
Connections: 400
Connection rate: 50
Timeout(s): 100

Run the attack. It should have no effect at all on the Web server--the page should reload instantly, as shown in the image below on this page:

Attacking the Proxy More Vigorously

Adjust the parameters until you stop haproxy. When I tested it, these settings worked:

Attack Type: Slow headers
Connections: 2500
Connection rate: 500
Timeout(s): 100

You should be able to stop haproxy, as shown in the image below on this page:

Saving the Screen Image

Make sure you can see the error message in the browser, as shown in the image above on this page.

Save a screen image with the filename Proj 15 from Your Name.

A More Vigorous Defense

In the Terminal window, execute these commands:

cd /etc/haproxy
sudo nano haproxy.cfg

In the defaults section, make these changes:

Change maxconn to 20000
Change conntimeout to 500

Your file should look like the image shown below on this page:

Save the file with Ctrl+X, Y, Enter

Stopping haproxy

In the Terminal window, execute this command:

ps aux | grep haproxy

Find the item ending with /usr/local/sbin/haproxy -f haproxy.cfg -V. The second number from the left shows the process id. In the example below, the process ID is 2312.

In the Terminal window, execute this command, using the process id you just found instead of 2312:

sudo kill 2312

Starting haproxy again

In the Terminal window, execute these commands:

cd /etc/haproxy sudo /usr/local/sbin/haproxy -f haproxy.cfg -V

Attacking the Proxy Again

Try the same attack that stopped the proxy previously. When I tested it, this attack had no effect on the server:

Attack Type: Slow headers
Connections: 2500
Connection rate: 500
Timeout(s): 100

I was able to stop the proxy with these settings, however:

Attack Type: Slow headers
Connections: 5000
Connection rate: 1000
Timeout(s): 100

Turning in Your Project

Email the image to [email protected] with a Subject line of Proj 15 from Your Name.

Sources

http://www.koopman.me/2011/02/haproxy-for-ipv6-translation-to-ipv4-only-website/

http://www.howtoforge.com/setting-up-a-high-availability-load-balancer-with-haproxy-heartbeat-on-debian-lenny

Last modified: 2 p 4-22-11