proxy-protocol doesn't take in consideration connect_timeout, possible DOS
| Affects | Status | Importance | Assigned to | Milestone | ||
|---|---|---|---|---|---|---|
| Percona Server moved to https://jira.percona.com/projects/PS | Status tracked in 5.7 | |||||
| 5.1 |
Invalid
|
Undecided
|
Unassigned | |||
| 5.5 |
Invalid
|
Undecided
|
Unassigned | |||
| 5.6 |
New
|
Undecided
|
Unassigned | |||
| 5.7 |
New
|
Undecided
|
Unassigned | |||
Bug Description
When proxy_protocol_
The problem is that if mysql client tries to connect anyway , there is no timeout (connect_timeout) used. This can lead to max connection easily reached:
pxc1 mysql> show full processlist;
+-----+
| Id | User | Host | db | Command | Time | State | Info | Rows_sent | Rows_examined |
+-----+
| 1 | system user | | NULL | Sleep | 1969 | NULL | NULL | 0 | 0 |
| 2 | system user | | NULL | Sleep | 1969 | wsrep aborter idle | NULL | 0 | 0 |
| 9 | root | localhost | NULL | Query | 0 | init | show full processlist | 0 | 0 |
| 990 | unauthenticated user | connecting host | NULL | Connect | NULL | login | NULL | 0 | 0 |
| 992 | unauthenticated user | connecting host | NULL | Connect | NULL | login | NULL | 0 | 0 |
| 993 | unauthenticated user | connecting host | NULL | Connect | NULL | login | NULL | 0 | 0 |
| 994 | unauthenticated user | connecting host | NULL | Connect | NULL | login | NULL | 0 | 0 |
| 996 | unauthenticated user | connecting host | NULL | Connect | NULL | login | NULL | 0 | 0 |
| 997 | unauthenticated user | connecting host | NULL | Connect | NULL | login | NULL | 0 | 0 |
+-----+
| information type: | Private Security → Public Security |
| tags: | added: proxy-protocol |
| Shahriyar Rzayev (rzayev-sehriyar) wrote | #1 |
Percona now uses JIRA for bug reports so this bug report is migrated to: https:/