On 6 April 2011 16:42, bradford <fingerm...@gmail.com> wrote:
> Also, in a previous email I mentioned something about
> X-Forwarded-For IP addresses being comma delimited. This table would have
> to take that into consideration, I guess.

No it shouldn't. If you rate-limit based on information that you find
in the XFF header you allow malicious users to

a) bypass the rate-limit by faking up different XFF headers each time

or

b) DoS legitimate users by faking up the same, matching, XFF header
each time and letting haproxy do the DoS for them

Also, above and beyond "I haven't understood it yet", the rest of your
email was rather light on *detail*. If other people are comprehending
and happily using the functionality based on the existing config
requirements and documentation, then perhaps the flaw doesn't lie with
the config and/or documentation.

My 2-pence,
Jonathan
-- 
Jonathan Matthews
London, UK
http://www.jpluscplusm.com/contact.html
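
The two failure modes named in the reply above, as an added example that is not part of the original thread and is not haproxy code: a toy sliding-window limiter keyed first on the client-supplied X-Forwarded-For value and then on the connection's source address. `RateLimiter`, `key_xff`, `key_peer` and `simulate` are hypothetical names, and the addresses are constructed documentation values.

```python
from collections import defaultdict, deque

class RateLimiter:
    """At most `limit` requests per `window` seconds for each key."""
    def __init__(self, key_fn, limit=5, window=10.0):
        self.key_fn, self.limit, self.window = key_fn, limit, window
        self.hits = defaultdict(deque)

    def allow(self, request, now):
        q = self.hits[self.key_fn(request)]
        while q and now - q[0] >= self.window:   # drop hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

def key_xff(request):
    # Weak key: trusts a header the client fully controls.
    xff = request["headers"].get("X-Forwarded-For")
    return xff.split(",")[0].strip() if xff else request["peer"]

def key_peer(request):
    # Key on the address of the TCP connection, which the header cannot change.
    return request["peer"]

def make_request(peer, xff=None):
    return {"peer": peer, "headers": {"X-Forwarded-For": xff} if xff else {}}

ABUSER, VICTIM = "203.0.113.9", "198.51.100.7"   # constructed sample addresses

def simulate(key_fn):
    """Return (abuser requests allowed in case a, victim allowed in case b)."""
    # (a) one peer sends 50 requests, each with a different XFF value
    rl = RateLimiter(key_fn)
    allowed_a = sum(rl.allow(make_request(ABUSER, f"10.0.0.{i}"), 0.0)
                    for i in range(50))
    # (b) same peer repeats the victim's address in XFF, then the victim
    #     sends a single genuine request of its own
    rl = RateLimiter(key_fn)
    for _ in range(50):
        rl.allow(make_request(ABUSER, VICTIM), 0.0)
    victim_ok = rl.allow(make_request(VICTIM), 1.0)
    return allowed_a, victim_ok

if __name__ == "__main__":
    print("keyed on XFF :", simulate(key_xff))
    print("keyed on peer:", simulate(key_peer))
```

Keyed on the header, all 50 requests pass in case (a) and the victim's single request is refused in case (b); keyed on the peer address, only 5 pass and the victim is unaffected.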