v2.6.3

SYN flood protect

app/funct.py

@@ -271,7 +271,7 @@ def diff_config(oldcfg, cfg):
 		print('<center><div class="alert alert-danger">Can\'t read write change to log. %s</div></center>' % stderr)
 		pass
 		
-def install_haproxy(serv):
+def install_haproxy(serv, **kwargs):
 	script = "install_haproxy.sh"
 	tmp_config_path = get_config_var('haproxy', 'tmp_config_path')
 	proxy = get_config_var('main', 'proxy')
@@ -285,6 +285,27 @@ def install_haproxy(serv):
 	upload(serv, tmp_config_path, script)	
 	ssh_command(serv, commands)
 	
+	if kwargs.get('syn_flood') == "1":
+		syn_flood_protect(serv)
+	
+	os.system("rm -f %s" % script)
+	
+def syn_flood_protect(serv, **kwargs):
+	script = "syn_flood_protect.sh"
+	tmp_config_path = get_config_var('haproxy', 'tmp_config_path')
+	
+	if kwargs.get('enable') == "0":
+		enable = "disable"
+	else:
+		enable = "enable"
+
+	os.system("cp scripts/%s ." % script)
+	
+	commands = [ "chmod +x "+tmp_config_path+script, tmp_config_path+script+ " "+enable ]
+	
+	upload(serv, tmp_config_path, script)	
+	ssh_command(serv, commands)
+	
 	os.system("rm -f %s" % script)
 	
 def upload(serv, path, file, **kwargs):

app/options.py

@@ -302,6 +302,7 @@ if form.getvalue('master'):
 	interface = form.getvalue('interface')
 	vrrpip = form.getvalue('vrrpip')
 	hap = form.getvalue('hap')
+	syn_flood = form.getvalue('syn_flood')
 	tmp_config_path = funct.get_config_var('haproxy', 'tmp_config_path')
 	script = "install_keepalived.sh"
 	
@@ -309,6 +310,10 @@ if form.getvalue('master'):
 		funct.install_haproxy(master)
 		funct.install_haproxy(slave)
 		
+	if syn_flood == "1":
+		funct.syn_flood_protect(master)
+		funct.syn_flood_protect(slave)
+	
 	os.system("cp scripts/%s ." % script)
 		
 	funct.upload(master, tmp_config_path, script)
@@ -346,4 +351,4 @@ if form.getvalue('masteradd'):
 	os.system("rm -f %s" % script)
 	
 if form.getvalue('haproxyaddserv'):
-	funct.install_haproxy(form.getvalue('haproxyaddserv'))
+	funct.install_haproxy(form.getvalue('haproxyaddserv'), syn_flood=form.getvalue('syn_flood'))

app/scripts/install_haproxy.sh

@@ -47,7 +47,7 @@ defaults
     option forwardfor       except 127.0.0.0/8
     option                  redispatch
     retries                 3
-    timeout http-request    10s
+    timeout http-request    5s
     timeout queue           1m
     timeout connect         10s
     timeout client          1m

app/scripts/syn_flood_protect.sh

@@ -0,0 +1,22 @@
+#!/bin/bash
+
+if [[ $1 == "enable" ]]; then
+	sudo bash -c cat <<EOF >> /etc/sysctl.conf
+# Protection SYN flood
+net.ipv4.tcp_syncookies = 1
+net.ipv4.conf.all.rp_filter = 1
+net.ipv4.tcp_max_syn_backlog = 1024 
+EOF
+
+	sudo sysctl -w net.ipv4.tcp_syncookies=1
+	sudo sysctl -w net.ipv4.conf.all.rp_filter=1
+	sudo sysctl -w net.ipv4.tcp_max_syn_backlog=1024 
+	sudo sysctl -w net.ipv4.tcp_synack_retries=3
+fi
+
+if [[ $1 == "disable" ]]; then
+	sed -i 's/net.ipv4.tcp_max_syn_backlog = 1024/net.ipv4.tcp_max_syn_backlog = 256/' /etc/sysctl.conf
+	sed -i 's/net.ipv4.tcp_synack_retries = 3/net.ipv4.tcp_synack_retries = 5/' /etc/sysctl.conf
+	sudo sysctl -w net.ipv4.tcp_max_syn_backlog=256 
+	sudo sysctl -w net.ipv4.tcp_synack_retries=5
+fi

app/templates/base.html

@@ -97,7 +97,7 @@
 					</ul>
 				</nav>
 				<div class="copyright-menu">
-					HAproxy-WI v2.6.2.2
+					HAproxy-WI v2.6.3
 					<br>
 					<a href="https://www.patreon.com/haproxy_wi" title="Donate" target="_blank" style="color: #fff; margin-left: 30px; color: red;" class="patreon">  Patreon</a>
 				</div>

app/templates/ha.html

@@ -9,6 +9,7 @@
 		<td>VRRP interface</td>
 		<td>VRRP IP</td>
 		<td><span title="Haproxy-WI will try install haproxy-1.18.5, if it does not work then haproxy-1.15">Install HAProxy(?)</span></td>
+		<td>SYN flood protect</td>
 		<td></td>
 	</tr>
 	<tr>
@@ -37,6 +38,9 @@
 		<td>
 			<label for="hap"></label><input type="checkbox" id="hap">
 		</td>
+		<td>
+			<label for="syn_flood" title="Enable SYN flood protect"><input type="checkbox" id="syn_flood" checked>
+		</td>
 		<td>
 			<a class="ui-button ui-widget ui-corner-all" id="create" title="Create HA configuration">Create</a>
 		</td>

app/templates/ihap.html

@@ -3,8 +3,9 @@
 <script src="/inc/users.js"></script>
 <table class="overview">
 	<tr class="overviewHead">
-		<td class="padding10 first-collumn">Note</td>
+		<td class="padding10 first-collumn" style="width: 350px;">Note</td>
-		<td>Server</td>
+		<td class="padding10 first-collumn">Server</td>
+		<td style="width: 150px;">SYN flood protect</td>
 		<td></td>
 	</tr>
 	<tr>
@@ -19,6 +20,9 @@
 			{% endfor %}
 		</select>
 	</td>
+	<td>
+		<label for="syn_flood" title="Enable SYN flood protect"><input type="checkbox" id="syn_flood" checked>
+	</td>
 	<td>
 		<a class="ui-button ui-widget ui-corner-all" id="install" title="Install HAProxy">Install</a>
 	</td>

inc/users.js

@@ -18,9 +18,13 @@ $( function() {
 	var ipformat = /^(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$/;
 	$('#create').click(function() {
 		var hap = 0;
+		var syn_flood = 0;
 		if ($('#hap').is(':checked')) {
 			hap = '1';
 		}		
+		if ($('#syn_flood').is(':checked')) {
+			syn_flood = '1';
+		}
 		$("#ajax").html('')
 		if( $("#master").val() == "" || $("#slave").val() == "" || $("#interface").val() == "" ||
 			$("#vrrp-ip").val() == "") {
@@ -37,6 +41,7 @@ $( function() {
 						interface: $("#interface").val(),
 						vrrpip: $('#vrrp-ip').val(),
 						hap: hap,
+						syn_flood: syn_flood,
 						token: $('#token').val()
 					},
 					type: "GET",
@@ -92,10 +97,15 @@ $( function() {
 	});
 	$('#install').click(function() {
 		$("#ajax").html('')
+		var syn_flood = 0;
+		if ($('#syn_flood').is(':checked')) {
+			syn_flood = '1';
+		}
 		$.ajax( {
 			url: "options.py",
 			data: {
 				haproxyaddserv: $('#haproxyaddserv').val(),
+				syn_flood: syn_flood,
 				token: $('#token').val()
 				},
 			type: "GET",