Docker Community Forums

Share and learn in the Docker community.

[SOLVED] Load balancer, Nginx and Gunicorn


(Frankie567) #1

Hi there,

I’m currently configuring my app stack in Docker Cloud.

In my local environment, I have a container running a Django application with Gunicorn and another one running Nginx with my configuration.

I followed the tutorial for creating a web service with the haproxy load balancer and I now have a stack where the lb container proxies the Gunicorn container. The thing is that it seems that it’s the Gunicorn server that responds (in the HTTP response headers, I have Server:gunicorn/19.6.0) and I’m sure I’ve read somewhere that’s strongly discouraged.

My question is this : is this configuration OK for production environment or should I configure a Nginx between lb and Gunicorn ?

Regards,

François


(Ziontech) #2

It sounds like HAProxy is actually responding, its just that HAProxy passes along the Server header that Gunicorn has added to the response.

In terms of being suitable for production, it might be worth ensuring that you’ve got HAProxy performing request buffering to help protect your Gunicorn workers from being held up.
It’s also generally good practice to actually remove the Server header from your response or at-least exclude the version from the header since it can expose both the software and the version your running which could make it easier for someone to look for vulnerabilities against the web-server your using.


(Frankie567) #3

Thank you for your answer! Any idea of how I could know if HAProxy buffers requests?


(Ziontech) #4

Heres the guide on how to use HAProxy to prevent Slow Request Attacks: http://blog.haproxy.com/2016/02/10/what-is-a-slow-post-attack-and-how-turn-haproxy-into-your-first-line-of-defense/

I don’t think the dockercloud/HAProxy image does it by default, take a look at the output in the logs and see it it contains ‘http-buffer-request’. If not you can specify additional options by adding an OPTION environment variable (https://github.com/docker/dockercloud-haproxy#configuration) to your HAProxy service, the value below should work:

redispatch, http-buffer-request


(Frankie567) #5

Thanks, it works like a charm!

For future references, to remove the Server header, just set an environment variable on the proxied service :

  • EXTRA_SETTINGS=http-response del-header Server