@swetha1654 swetha1654 commented Dec 17, 2025

Overview

Add sensible security defaults to prevent basic DDoS attacks. By default, basic DDoS protection mechanisms are enabled, including http-request, http-keep-alive and client timeouts, and automatic dropping of connections with invalid, empty, or missing host headers. A new config option disable-ddos-protection has been added to disable these protections if needed.

Rationale

Juju Events Changes

Module Changes

Library Changes

Checklist
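
The protections listed in the Overview can be checked against a rendered haproxy.cfg. This is an added example, not code from this PR or the charm: a small auditor that assumes the protections show up as `timeout` directives and an `http-request` deny/drop rule keyed on the Host header. The sample config and its values are constructed, and the Host-rule check is a heuristic.

```python
import re

REQUIRED_TIMEOUTS = {"http-request", "http-keep-alive", "client"}  # named in the overview
SECTIONS = ("global", "defaults", "frontend", "backend", "listen")
DROP_RULE = re.compile(r"^http-request\s+(deny|reject|silent-drop|tarpit)\b(.*)$")
HOST_FETCH = re.compile(r"\b(req\.)?hdr(_cnt)?\(host\)", re.I)
SAMPLE_CFG = """# constructed sample config, not taken from the PR
defaults
    timeout http-request 10s
    timeout client 30s
frontend protected
    timeout http-keep-alive 5s
    acl no_host req.hdr_cnt(host) eq 0
    http-request silent-drop if no_host
frontend unprotected
    bind :8080
"""

def parse_sections(cfg):
    """Split config text into (kind, name, directive lines) tuples."""
    sections = []
    for raw in cfg.splitlines():
        words = raw.split("#", 1)[0].split()  # simplification: ignores quoted '#'
        if words and words[0] in SECTIONS:
            sections.append((words[0], " ".join(words[1:]), []))
        elif words and sections:
            sections[-1][2].append(" ".join(words))
    return sections

def timeouts_in(lines):
    return {w[1] for w in map(str.split, lines) if len(w) >= 3 and w[0] == "timeout"}

def has_host_rule(lines):
    """Heuristic: a deny/drop rule that tests the Host header, inline or via a named ACL."""
    host_acls = {l.split()[1] for l in lines if l.startswith("acl ") and HOST_FETCH.search(l)}
    return any(HOST_FETCH.search(m[2]) or {w.lstrip("!") for w in m[2].split()} & host_acls
               for m in filter(None, map(DROP_RULE.match, lines)))

def audit(cfg):
    """Return findings per frontend/listen section; an empty list means all checks pass."""
    findings, inherited = [], set()
    for kind, name, lines in parse_sections(cfg):
        if kind == "defaults":
            inherited = timeouts_in(lines)  # a new defaults section replaces the last
        elif kind in ("frontend", "listen"):
            missing = sorted(REQUIRED_TIMEOUTS - inherited - timeouts_in(lines))
            findings += [f"{kind} {name}: no 'timeout {t}'" for t in missing]
            if not has_host_rule(lines):
                findings.append(f"{kind} {name}: no rule rejecting bad Host headers")
    return findings
```

Calling `audit(SAMPLE_CFG)` reports only the `unprotected` frontend, which inherits two timeouts from `defaults` but has no keep-alive timeout and no Host-header rule.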

@swetha1654 swetha1654 changed the title from "Add ddos defaults" to "Add basic DDoS protection mechanisms with option to disable them" Dec 17, 2025
@swetha1654 swetha1654 force-pushed the ISD-4835-timeout-and-ddos-disable branch from b132c09 to c0d65fd December 18, 2025 06:43
@swetha1654 swetha1654 force-pushed the ISD-4835-timeout-and-ddos-disable branch from c0d65fd to d217890 December 18, 2025 06:44
@swetha1654 swetha1654 marked this pull request as ready for review December 18, 2025 06:45
@swetha1654 swetha1654 requested a review from a team as a code owner December 18, 2025 06:45

@seb4stien seb4stien left a comment

Main requested change is to rename "disable-ddos-protection" to "ddos-protection" with a default value of "true".

@Thanhphan1147

Approved, main comment is also changing the name of the config option

@swetha1654 swetha1654 requested a review from seb4stien December 19, 2025 07:07

@github-actions github-actions bot left a comment

license-eye has checked 298 files.

| Valid | Invalid | Ignored | Fixed |
|-------|---------|---------|-------|
| 0     | 106     | 192     | 0     |

Invalid file list:
  • .vale.ini
  • Makefile
  • Makefile.docs
  • haproxy-ddos-protection-configurator/charmcraft.yaml
  • haproxy-ddos-protection-configurator/src/charm.py
  • haproxy-ddos-protection-configurator/tests/conftest.py
  • haproxy-ddos-protection-configurator/tests/integration/init.py
  • haproxy-ddos-protection-configurator/tests/integration/conftest.py
  • haproxy-ddos-protection-configurator/tests/integration/test_charm.py
  • haproxy-ddos-protection-configurator/tests/unit/init.py
  • haproxy-ddos-protection-configurator/tests/unit/test_charm.py
  • haproxy-ddos-protection-configurator/tox.toml
  • haproxy-operator/charmcraft.yaml
  • haproxy-operator/src/charm.py
  • haproxy-operator/src/haproxy.py
  • haproxy-operator/src/http_interface.py
  • haproxy-operator/src/legacy.py
  • haproxy-operator/src/state/charm_state.py
  • haproxy-operator/src/state/exception.py
  • haproxy-operator/src/state/ha.py
  • haproxy-operator/src/state/haproxy_route.py
  • haproxy-operator/src/state/haproxy_route_tcp.py
  • haproxy-operator/src/state/ingress.py
  • haproxy-operator/src/state/ingress_per_unit.py
  • haproxy-operator/src/state/spoe_auth.py
  • haproxy-operator/src/state/tls.py
  • haproxy-operator/src/state/validation.py
  • haproxy-operator/src/tls_relation.py
  • haproxy-operator/tests/conftest.py
  • haproxy-operator/tests/integration/init.py
  • haproxy-operator/tests/integration/conftest.py
  • haproxy-operator/tests/integration/grpc_server/Makefile
  • haproxy-operator/tests/integration/grpc_server/main.py
  • haproxy-operator/tests/integration/grpc_server/echo.proto
  • haproxy-operator/tests/integration/haproxy_route_requirer.py
  • haproxy-operator/tests/integration/haproxy_route_tcp_requirer.py
  • haproxy-operator/tests/integration/helper.py
  • haproxy-operator/tests/integration/ingress_per_unit_requirer.py
  • haproxy-operator/tests/integration/legacy/init.py
  • haproxy-operator/tests/integration/legacy/conftest.py
  • haproxy-operator/tests/integration/legacy/haproxy_route_requirer.py
  • haproxy-operator/tests/integration/legacy/helper.py
  • haproxy-operator/tests/integration/legacy/test_action.py
  • haproxy-operator/tests/integration/legacy/test_charm.py
  • haproxy-operator/tests/integration/legacy/test_config.py
  • haproxy-operator/tests/integration/legacy/test_cos.py
  • haproxy-operator/tests/integration/legacy/test_ha.py
  • haproxy-operator/tests/integration/legacy/test_haproxy_route.py
  • haproxy-operator/tests/integration/legacy/test_http_interface.py
  • haproxy-operator/tests/integration/legacy/test_ingress.py
  • haproxy-operator/tests/integration/legacy/test_website.py
  • haproxy-operator/tests/integration/test_actions.py
  • haproxy-operator/tests/integration/test_haproxy_route.py
  • haproxy-operator/tests/integration/test_haproxy_route_tcp.py
  • haproxy-operator/tests/integration/test_ingress_per_unit.py
  • haproxy-operator/tests/unit/init.py
  • haproxy-operator/tests/unit/conftest.py
  • haproxy-operator/tests/unit/helper.py
  • haproxy-operator/tests/unit/legacy/conftest.py
  • haproxy-operator/tests/unit/legacy/test_ha.py
  • haproxy-operator/tests/unit/legacy/test_haproxy_route_lib.py
  • haproxy-operator/tests/unit/legacy/test_tls_relation.py
  • haproxy-operator/tests/unit/test_charm.py
  • haproxy-operator/tests/unit/test_ddos_protection.py
  • haproxy-operator/tests/unit/test_haproxy_route_lib.py
  • haproxy-operator/tests/unit/test_haproxy_route_options.py
  • haproxy-operator/tests/unit/test_haproxy_route_tcp_lib.py
  • haproxy-operator/tests/unit/test_haproxy_service.py
  • haproxy-operator/tests/unit/test_hsts.py
  • haproxy-operator/tests/unit/test_spoe_auth_lib.py
  • haproxy-operator/tests/unit/test_state.py
  • haproxy-operator/tox.toml
  • haproxy-spoe-auth-operator/charmcraft.yaml
  • haproxy-spoe-auth-operator/src/charm.py
  • haproxy-spoe-auth-operator/src/haproxy_spoe_auth_service.py
  • haproxy-spoe-auth-operator/src/state.py
  • haproxy-spoe-auth-operator/tests/conftest.py
  • haproxy-spoe-auth-operator/tests/integration/init.py
  • haproxy-spoe-auth-operator/tests/integration/conftest.py
  • haproxy-spoe-auth-operator/tests/integration/test_charm.py
  • haproxy-spoe-auth-operator/tests/unit/init.py
  • haproxy-spoe-auth-operator/tests/unit/conftest.py
  • haproxy-spoe-auth-operator/tests/unit/test_charm.py
  • haproxy-spoe-auth-operator/tox.toml
  • haproxy-spoe-auth-snap/hooks/bin/configure
  • haproxy-spoe-auth-snap/hooks/bin/default-configure
  • haproxy-spoe-auth-snap/snapcraft.yaml
  • terraform/charm/main.tf
  • terraform/charm/outputs.tf
  • terraform/charm/variables.tf
  • terraform/product/main.tf
  • terraform/product/outputs.tf
  • terraform/product/variables.tf
  • terraform/product/versions.tf
  • terraform/tests/.tflint.hcl
  • terraform/tests/main.tf
  • terraform/tests/main.tftest.hcl
  • tests/init.py
  • tests/conftest.py
  • tests/integration/init.py
  • tests/integration/conftest.py
  • tests/integration/haproxy_route_requirer.py
  • tests/integration/helper.py
  • tests/integration/setup-integration-tests.sh
  • tests/integration/test_oauth_spoe.py
  • tox.toml
Use this command to fix any missing license headers:

```bash
docker run -it --rm -v "$(pwd)":/github/workspace apache/skywalking-eyes header fix
```

github-actions bot commented Jan 5, 2026

Test results for commit d2f7a3e

Test coverage for d2f7a3e

Name           Stmts   Miss Branch BrPart  Cover   Missing
----------------------------------------------------------
src/charm.py       7      0      0      0   100%
----------------------------------------------------------
TOTAL              7      0      0      0   100%

Static code analysis report

Run started:2026-01-05 06:54:25.944273+00:00

Test results:
  No issues identified.

Code scanned:
  Total lines of code: 91
  Total lines skipped (#nosec): 0
  Total potential issues skipped due to specifically being disabled (e.g., #nosec BXXX): 0

Run metrics:
  Total issues (by severity):
  	Undefined: 0
  	Low: 0
  	Medium: 0
  	High: 0
  Total issues (by confidence):
  	Undefined: 0
  	Low: 0
  	Medium: 0
  	High: 0
Files skipped (0):

github-actions bot commented Jan 5, 2026

Test results for commit d2f7a3e

Test coverage for d2f7a3e

Name                                         Stmts   Miss Branch BrPart  Cover   Missing
----------------------------------------------------------------------------------------
lib/charms/haproxy/v0/haproxy_route_tcp.py     379    169     76      8    51%   197, 200, 248, 257-260, 264-267, 285-288, 303, 309-314, 414, 419, 796-799, 803, 820-841, 859-874, 888-895, 904, 1009-1050, 1054-1060, 1064, 1133-1162, 1233-1272, 1302-1304, 1329-1331, 1353-1357, 1376-1378, 1396-1398, 1405-1411, 1419-1421, 1429-1430, 1441-1448, 1461-1472, 1480-1501, 1514-1515, 1526-1527, 1538-1541, 1552-1553, 1582-1591, 1607-1610, 1626-1637, 1653-1656, 1674-1685, 1696-1697, 1705-1706, 1714-1715, 1726-1729
lib/charms/haproxy/v0/spoe_auth.py             158     55     32      2    59%   203, 304-306, 315, 354-381, 392-402, 441-442, 459-472, 484-501, 522-525, 529-531
lib/charms/haproxy/v1/haproxy_route.py         379     53     96     26    82%   180, 238, 247-250, 275-278, 299-304, 652-653, 839->exit, 846, 872-883, 906-909, 913-915, 934-936, 1108-1114, 1118, 1315->1317, 1319->1321, 1321->1323, 1323->1325, 1325->1327, 1327->1330, 1365, 1373, 1378, 1381, 1406, 1434, 1438, 1442, 1465, 1485, 1494-1495, 1497->exit, 1533-1535, 1555, 1569, 1574-1576
src/charm.py                                   258     71     66      9    67%   96, 217, 225-238, 243, 248, 265, 276, 282-283, 311-331, 384-387, 393->392, 439-447, 475-488, 501-506, 515, 527-541, 546, 556, 562-568, 584
src/haproxy.py                                 104     22      4      1    79%   106-112, 130-145, 247-248, 251, 259-265, 293, 317-319
src/http_interface.py                           73     25      4      0    62%   74, 83, 92, 106-108, 126, 138, 150, 162, 170-175, 187, 194, 202, 217-227
src/state/charm_state.py                        77     15     14      4    79%   93-95, 100-101, 104, 145-150, 159, 208-210, 222-223
src/state/exception.py                           1      0      0      0   100%
src/state/ha.py                                 30      1      2      1    94%   50
src/state/haproxy_route.py                     157      9     48      4    93%   145, 175-180, 247, 290-292, 309
src/state/haproxy_route_tcp.py                  50     18     18      1    51%   74-76, 91->94, 116, 129-142
src/state/ingress.py                            35      0      4      0   100%
src/state/ingress_per_unit.py                   31      0      4      0   100%
src/state/spoe_auth.py                          26      2      2      0    93%   63-64
src/state/tls.py                                40      7     12      4    79%   80, 83-84, 133-140, 146-147
src/state/validation.py                         46     23      8      1    44%   66-67, 71-98
src/tls_relation.py                             56      5     12      4    87%   83-84, 86->85, 113-123, 135->137
----------------------------------------------------------------------------------------
TOTAL                                         1900    475    402     65    71%

Static code analysis report

Run started:2026-01-05 06:54:50.847870+00:00

Test results:
  No issues identified.

Code scanned:
  Total lines of code: 7950
  Total lines skipped (#nosec): 11
  Total potential issues skipped due to specifically being disabled (e.g., #nosec BXXX): 10

Run metrics:
  Total issues (by severity):
  	Undefined: 0
  	Low: 0
  	Medium: 0
  	High: 0
  Total issues (by confidence):
  	Undefined: 0
  	Low: 0
  	Medium: 0
  	High: 0
Files skipped (0):

github-actions bot commented Jan 5, 2026

Test results for commit d2f7a3e

Test coverage for d2f7a3e

Name                               Stmts   Miss Branch BrPart  Cover   Missing
------------------------------------------------------------------------------
src/charm.py                          45      9      2      0    77%   65-91, 96-98
src/haproxy_spoe_auth_service.py      44     16      2      0    61%   56-64, 76-82, 93-117
src/state.py                          55     15      6      1    67%   64-66, 79, 125-146
------------------------------------------------------------------------------
TOTAL                                144     40     10      1    68%

Static code analysis report

Run started:2026-01-05 06:57:06.721193

Test results:
  No issues identified.

Code scanned:
  Total lines of code: 409
  Total lines skipped (#nosec): 1
  Total potential issues skipped due to specifically being disabled (e.g., #nosec BXXX): 1

Run metrics:
  Total issues (by severity):
  	Undefined: 0
  	Low: 0
  	Medium: 0
  	High: 0
  Total issues (by confidence):
  	Undefined: 0
  	Low: 0
  	Medium: 0
  	High: 0
Files skipped (0):

@swetha1654 swetha1654 merged commit 2498eab into main Jan 5, 2026
105 of 112 checks passed
@swetha1654 swetha1654 deleted the ISD-4835-timeout-and-ddos-disable branch January 5, 2026 08:17
Thanhphan1147 pushed a commit that referenced this pull request Jan 5, 2026
* Add ddos defaults

* add release artifact

* fix lint and unit tests

* fix template

* add unit instead of integration tests

* Remove test_haproxy_config.py from integration tests

* Apply suggestions from code review

Co-authored-by: Sébastien Georget <sebastien.georget@canonical.com>

* Address review comments

* lint fix

* fix uv lock file

* fix license CI by adding pattern

---------

Co-authored-by: Sébastien Georget <sebastien.georget@canonical.com>