Reading up on 2 blog posts regarding DDoS protection via HAProxy stick-tables:

http://blog.serverfault.com/2010/08/26/1016491873/
http://blog.exceliance.fr/2011/08/25/protect-apache-against-apache-killer-script/

Problem
I tried testing this on my local test server with HAProxy v1.5-dev7, but it
seems that if I have an ACL rule in place for path_beg /forum/images/ and /images/,
it bypasses the stick-tables completely. It doesn't seem to matter whether the ACL
rule is placed before or after the stick-table entry in the frontend www.

If I remove the ACL rule for path_beg, then the stick-table works!

The ACL path_beg rules I have are these 3 lines in frontend www:

    acl imagepath path_beg /images/
    acl imagepathforums path_beg /forums/images/
    use_backend imagepath_backend if imagepath or imagepathforums

Problem explained
1. If these ACL path_beg rules are enabled, then phpinfo.php gets rate limited
with a 503 status error, but i.png allows full unrestricted connection speed to
the server, bypassing the stick-table completely.

2. If I remove the 3 path_beg lines outlined above from the HAProxy config file,
then both siege test URLs I test against, phpinfo.php and i.png, DO NOT allow
full unrestricted connections to the server and are properly rate limited with a
503 status error.

siege -b -c 100 -r 100 http://192.168.56.120/phpinfo.php
siege -b -c 100 -r 100 http://192.168.56.120/forums/images/i.png

So why does the ACL path_beg rule bypass the stick-table?

Config
The full frontend www looks like this:

##############
# front end options
frontend www
    mode http
    bind *:80
    default_backend www_backend
    option contstats
    acl spiderbots hdr_sub(user-agent) -i -f /etc/haproxy/spiderbotlist.lst
    use_backend spider_backend if spiderbots

    ### Setup stick table ###
    stick-table type ip size 10k expire 60s store gpc0
    # Configure the DoS src
    acl MARKED src_get_gpc0(www) gt 0
    # tarpit attackers if src_DoS
    use_backend backend_tarpit if MARKED
    # If not blocked, track the connection
    tcp-request connection track-sc1 src if ! MARKED
    ### Setup stick table ###

    acl imagepath path_beg /images/
    acl imagepathforums path_beg /forums/images/
    use_backend imagepath_backend if imagepath or imagepathforums

The backends look like this:

##############
# backend options
backend www_backend
    mode http
    balance roundrobin # Load Balancing algorithm
    cookie SERVERID insert indirect nocache
    option httpchk OPTIONS /health_check.php
    option forwardfor # This sets X-Forwarded-For

    ### Setup stick table ###
    # Table to track connection rate
    stick-table type ip size 10k expire 60s store conn_rate(5s),bytes_out_rate(5s)
    # Track request
    tcp-request content track-sc2 src
    # Mark as abuser if more than 10 connections
    acl ABUSER sc2_conn_rate gt 10
    acl DATARATE_ABUSER sc2_bytes_out_rate gt 200
    acl MARKED_AS_ABUSER sc1_inc_gpc0 gt 0
    # Block connections considered abusers (space-separated ACLs are ANDed:
    # all three must match for the reject to fire)
    tcp-request content reject if ABUSER DATARATE_ABUSER MARKED_AS_ABUSER
    ### Setup stick table ###

    ## Define your servers to balance
    server server1 192.168.56.101:80 weight 1 maxconn 4096 cookie svr1 check
    server server2 192.168.56.120:82 weight 1 maxconn 4096 cookie svr2 check

backend spider_backend
    mode http
    balance roundrobin
    cookie SERVERID insert indirect nocache
    option httpchk OPTIONS /health_check.php
    option forwardfor
    acl too_fast be_sess_rate gt 10
    acl too_many be_conn gt 10
    tcp-request inspect-delay 3000ms
    tcp-request content accept if ! too_fast or ! too_many
    tcp-request content accept if WAIT_END
    server server1 192.168.56.101:80 weight 1 minconn 1 maxconn 10 cookie svr1bot check
    server server2 192.168.56.120:82 weight 1 minconn 1 maxconn 10 cookie svr2bot check

backend imagepath_backend
    mode http
    balance roundrobin
    cookie SERVERID insert indirect nocache
    option httpchk OPTIONS /health_check.php
    option forwardfor

    ### Setup stick table ###
    # Table to track connection rate
    stick-table type ip size 10k expire 60s store conn_rate(5s),bytes_out_rate(5s)
    # Track request
    tcp-request content track-sc2 src
    # Mark as abuser if more than 10 connections
    acl ABUSER sc2_conn_rate gt 10
    acl DATARATE_ABUSER sc2_bytes_out_rate gt 200
    acl MARKED_AS_ABUSER sc1_inc_gpc0 gt 0
    # Block connections considered abusers (space-separated ACLs are ANDed:
    # all three must match for the reject to fire)
    tcp-request content reject if ABUSER DATARATE_ABUSER MARKED_AS_ABUSER
    ### Setup stick table ###

    server server1 192.168.56.101:80 weight 1 maxconn 500 cookie svr1 check
    server server2 192.168.56.120:82 weight 1 maxconn 500 cookie svr2 check

backend backend_tarpit
    mode http
    # hold the connection for 10s before answering
    timeout tarpit 10s
    # Emulate a 503 error
    errorfile 500 /etc/haproxy/503.html
    # slowdown any request coming up to here
    reqitarpit .

---
posted at http://www.serverphorums.com
http://www.serverphorums.com/read.php?10,447870,447870#msg-447870
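As an added example that is not part of the original post and not HAProxy's own code: a small Python script that reads HAProxy `option httplog` lines and tallies, for each request path, which backend handled the request and with which status. Run over a log captured during the two siege runs, it shows directly whether requests for i.png ever reach backend_tarpit or all land in imagepath_backend, which is the quickest way to confirm or rule out the bypass described above. The log lines below are constructed sample data in the standard httplog layout (frontend www and the backend names from the config above); the function names, the tarpit's logged status, and the log file path are assumptions of this example.

```python
import re
import sys
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# One "option httplog" record looks like:
#   <client_ip>:<port> [<accept_date>] <frontend> <backend>/<server> Tq/Tw/Tc/Tr/Tt
#   <status> <bytes_read> <req_cookie> <resp_cookie> <term_state> <conns> <queues> "<method> <uri> <version>"
# A tarpitted request is logged against the tarpit backend with server "<NOSRV>";
# its status depends on the errorfile in use, so the check keys on the backend name.
HTTPLOG_RE = re.compile(
    r'(?P<client>\d{1,3}(?:\.\d{1,3}){3}):\d+ '
    r'\[(?P<ts>[^\]]+)\] '
    r'(?P<frontend>\S+) '
    r'(?P<backend>[^/\s]+)/(?P<server>\S+) '
    r'(?P<timers>[-\d]+(?:/[-\d]+){4}) '
    r'(?P<status>-?\d+) '
    r'(?P<bytes>\d+) '
    r'.*?"(?P<method>[A-Z]+) (?P<uri>\S+)(?: (?P<version>HTTP/[\d.]+))?"'
)

# Constructed sample log: three hits on phpinfo.php (one served, two tarpitted)
# and three hits on i.png, all served by imagepath_backend, none tarpitted.
SAMPLE_LOG = """\
Feb  3 12:00:00 lb haproxy[1234]: Proxy www started.
Feb  3 12:00:01 lb haproxy[1234]: 192.168.56.1:50001 [03/Feb/2012:12:00:01.123] www www_backend/server1 1/0/1/5/7 200 54321 - - ---- 1/1/1/1/0 0/0 "GET /phpinfo.php HTTP/1.1"
Feb  3 12:00:01 lb haproxy[1234]: 192.168.56.1:50002 [03/Feb/2012:12:00:01.234] www backend_tarpit/<NOSRV> 1/-1/-1/-1/10001 500 1234 - - PT-- 1/1/0/0/0 0/0 "GET /phpinfo.php HTTP/1.1"
Feb  3 12:00:01 lb haproxy[1234]: 192.168.56.1:50003 [03/Feb/2012:12:00:01.345] www backend_tarpit/<NOSRV> 1/-1/-1/-1/10002 500 1234 - - PT-- 1/1/0/0/0 0/0 "GET /phpinfo.php HTTP/1.1"
Feb  3 12:00:02 lb haproxy[1234]: 192.168.56.1:50004 [03/Feb/2012:12:00:02.111] www imagepath_backend/server2 1/0/1/2/4 200 2048 - - ---- 1/1/1/1/0 0/0 "GET /forums/images/i.png HTTP/1.1"
Feb  3 12:00:02 lb haproxy[1234]: 192.168.56.1:50005 [03/Feb/2012:12:00:02.222] www imagepath_backend/server1 1/0/1/2/4 200 2048 - - ---- 1/1/1/1/0 0/0 "GET /forums/images/i.png HTTP/1.1"
Feb  3 12:00:02 lb haproxy[1234]: 192.168.56.1:50006 [03/Feb/2012:12:00:02.333] www imagepath_backend/server2 1/0/1/2/4 200 2048 - - ---- 1/1/1/1/0 0/0 "GET /forums/images/i.png?v=2 HTTP/1.1"
"""


def parse_line(line):
    """Return the fields of one httplog line as a dict, or None if it is not a request record."""
    m = HTTPLOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Strip the query string so /i.png and /i.png?v=2 are counted as one path.
    rec["path"] = urlsplit(rec["uri"]).path
    return rec


def summarize(lines):
    """Aggregate per path: Counter keyed by (backend, status) -> number of requests."""
    summary = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # syslog noise, startup messages, etc.
        summary[rec["path"]][(rec["backend"], rec["status"])] += 1
    return summary


def untarpitted_paths(summary, tarpit_backend="backend_tarpit"):
    """Paths for which not a single request was routed to the tarpit backend."""
    return sorted(
        path for path, counts in summary.items()
        if not any(backend == tarpit_backend for backend, _ in counts)
    )


def main(argv):
    # Read a real log if a path is given, otherwise use the constructed sample.
    lines = open(argv[1]).read().splitlines() if len(argv) > 1 else SAMPLE_LOG.splitlines()
    summary = summarize(lines)
    for path in sorted(summary):
        for (backend, status), n in sorted(summary[path].items()):
            print(f"{path:32} {backend:20} {status:4} {n:6}")
    for path in untarpitted_paths(summary):
        print(f"no request for {path} ever reached the tarpit backend")


if __name__ == "__main__":
    main(sys.argv)
```

With `log global` and `option httplog` in the defaults section, `python3 haproxy_tally.py /var/log/haproxy.log` (path assumed) prints one row per path, backend and status, then names every path that never hit backend_tarpit. Keying on the backend name rather than the status code matters here because the tarpit's response is whatever `errorfile 500` serves, so the logged status is not a reliable marker on its own.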