proxy-protocol doesn't take in consideration connect_timeout, possible DOS
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Percona Server moved to https://jira.percona.com/projects/PS | Status tracked in 5.7 | | |
5.1 | Invalid | Undecided | Unassigned |
5.5 | Invalid | Undecided | Unassigned |
5.6 | New | Undecided | Unassigned |
5.7 | New | Undecided | Unassigned |
Bug Description
When proxy_protocol_
The problem is that if a mysql client tries to connect anyway, there is no timeout (connect_timeout) used. This can lead to max connections being easily reached:
pxc1 mysql> show full processlist;
+-----+
| Id | User | Host | db | Command | Time | State | Info | Rows_sent | Rows_examined |
+-----+
| 1 | system user | | NULL | Sleep | 1969 | NULL | NULL | 0 | 0 |
| 2 | system user | | NULL | Sleep | 1969 | wsrep aborter idle | NULL | 0 | 0 |
| 9 | root | localhost | NULL | Query | 0 | init | show full processlist | 0 | 0 |
| 990 | unauthenticated user | connecting host | NULL | Connect | NULL | login | NULL | 0 | 0 |
| 992 | unauthenticated user | connecting host | NULL | Connect | NULL | login | NULL | 0 | 0 |
| 993 | unauthenticated user | connecting host | NULL | Connect | NULL | login | NULL | 0 | 0 |
| 994 | unauthenticated user | connecting host | NULL | Connect | NULL | login | NULL | 0 | 0 |
| 996 | unauthenticated user | connecting host | NULL | Connect | NULL | login | NULL | 0 | 0 |
| 997 | unauthenticated user | connecting host | NULL | Connect | NULL | login | NULL | 0 | 0 |
+-----+
information type: | Private Security → Public Security |
tags: | added: proxy-protocol |
Percona now uses JIRA for bug reports so this bug report is migrated to: https://jira.percona.com/browse/PS-3314
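
The symptom shown in the bug description, rows for `unauthenticated user` sitting in `Connect`/`login`, can be monitored for directly. The following is an added example, not part of the original report or Percona's code: it parses pasted `show full processlist` output (sample rows copied from the report) and compares the pre-auth count against `max_connections`. The function names and the `warn_ratio` threshold are assumptions.

```python
# Added example: detect pre-auth connection pile-up in processlist output.
# SAMPLE is copied from the report above; warn_ratio is an assumed threshold.
SAMPLE = """\
pxc1 mysql> show full processlist;
+-----+
| Id | User | Host | db | Command | Time | State | Info | Rows_sent | Rows_examined |
+-----+
| 1 | system user | | NULL | Sleep | 1969 | NULL | NULL | 0 | 0 |
| 2 | system user | | NULL | Sleep | 1969 | wsrep aborter idle | NULL | 0 | 0 |
| 9 | root | localhost | NULL | Query | 0 | init | show full processlist | 0 | 0 |
| 990 | unauthenticated user | connecting host | NULL | Connect | NULL | login | NULL | 0 | 0 |
| 992 | unauthenticated user | connecting host | NULL | Connect | NULL | login | NULL | 0 | 0 |
| 993 | unauthenticated user | connecting host | NULL | Connect | NULL | login | NULL | 0 | 0 |
| 994 | unauthenticated user | connecting host | NULL | Connect | NULL | login | NULL | 0 | 0 |
| 996 | unauthenticated user | connecting host | NULL | Connect | NULL | login | NULL | 0 | 0 |
| 997 | unauthenticated user | connecting host | NULL | Connect | NULL | login | NULL | 0 | 0 |
+-----+
"""

def parse_processlist(text):
    """Turn pipe-delimited processlist output into a list of dicts."""
    header, rows = None, []
    for line in text.splitlines():
        line = line.strip()
        if not (line.startswith("|") and line.endswith("|")):
            continue  # skip the prompt line, +---+ borders and blank lines
        cells = [c.strip() for c in line[1:-1].split("|")]
        if header is None:
            header = cells
        elif len(cells) == len(header):  # drop rows whose Info contains '|'
            rows.append(dict(zip(header, cells)))
    return rows

def preauth(rows):
    """Connections that hold a slot but have not authenticated yet."""
    return [r for r in rows
            if r["User"] == "unauthenticated user" and r["Command"] == "Connect"]

def assess(rows, max_connections, warn_ratio=0.5):
    """Compare pre-auth connection count against the server's max_connections."""
    stuck = preauth(rows)
    ratio = len(stuck) / max_connections
    return {"preauth": len(stuck),
            "no_time": sum(r["Time"] == "NULL" for r in stuck),
            "ratio": ratio, "alert": ratio >= warn_ratio}

if __name__ == "__main__":
    rows = parse_processlist(SAMPLE)
    print(assess(rows, max_connections=10))   # constructed small limit
    print(assess(rows, max_connections=151))  # MySQL default limit
```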