HaproxyFrontendSecurityBlockedRequests

HaproxyFrontendSecurityBlockedRequests #

HAProxy is blocking requests for security reason

Alert Rule
alert: HaproxyFrontendSecurityBlockedRequests
annotations:
  description: |-
    HAProxy is blocking requests for security reason
      VALUE = {{ $value }}
      LABELS = {{ $labels }}    
  runbook: https://srerun.github.io/prometheus-alerts/runbooks/embedded-exporter-v2/haproxyfrontendsecurityblockedrequests/
  summary: HAProxy frontend security blocked requests (instance {{ $labels.instance
    }})
expr: sum by (proxy) (rate(haproxy_frontend_denied_connections_total[2m])) > 10
for: 2m
labels:
  severity: warning

Meaning #

The HaproxyFrontendSecurityBlockedRequests alert is triggered when HAProxy blocks more than 10 requests for security reasons within a 2-minute window. This alert indicates that HAProxy is actively blocking requests that violate its security settings, which may be a sign of malicious activity or misconfiguration.

Impact #

The impact of this alert depends on the nature of the blocked requests. If the blocked requests are indeed malicious, then HAProxy is doing its job to protect the application. However, if the blocked requests are legitimate, it may indicate a misconfiguration or overly restrictive security settings, which could result in:

  • Legitimate users being denied access to the application
  • Increased latency or failed requests
  • Unnecessary workload on the application or infrastructure

Diagnosis #

To diagnose the cause of this alert, follow these steps:

  1. Investigate the blocked requests:
    • Check HAProxy logs to identify the source IP addresses, request URLs, and reasons for blocking.
    • Analyze the logs to determine if the blocked requests are malicious or legitimate.
  2. Review HAProxy security settings:
    • Check the HAProxy configuration files to ensure that the security settings are appropriate for the application.
    • Verify that the security settings are not overly restrictive, blocking legitimate traffic.
  3. Check for misconfiguration:
    • Verify that HAProxy is correctly configured to allow traffic from trusted sources.
    • Check for any recent configuration changes that may have caused the alert.

Mitigation #

To mitigate this alert, follow these steps:

  1. Review and adjust HAProxy security settings:
    • Relax security settings if they are overly restrictive, allowing legitimate traffic to pass through.
    • Tighten security settings if malicious traffic is being blocked.
  2. Implement additional security measures:
    • Consider implementing IP blocking or rate limiting to prevent malicious traffic.
    • Implement additional logging and monitoring to detect and respond to malicious activity.
  3. Monitor and validate:
    • Continuously monitor HAProxy logs and metrics to ensure that the alert is not occurring due to legitimate traffic being blocked.
    • Validate that the changes made to HAProxy security settings or configuration have resolved the issue.
Edit this page