Hello,
I'm using haproxy-1.5-dev19 and I have a problem with the stick tables and
matching clients based on the headers. At first, this is the conf file:
global
    maxconn 50000
    log 127.0.0.1 local5 info err
    stats socket /var/run/haproxy.sock mode 0600 level admin
    pidfile /var/run/haproxy.pid

defaults
    mode http
    log global
    retries 3
    option redispatch
    timeout contimeout 5000
    timeout client 5000
    timeout srvtimeout 5000
    timeout http-keep-alive 5000

listen proxy-http 127.0.0.1:80,10.10.10.1:80
    mode http
    option httplog
    option http-server-close
    stats enable
    maxconn 50000
    balance roundrobin
    option forwardfor
    stick-table type ip size 200k expire 10m store gpc0
    tcp-request content track-sc1 req.hdr(True-Client-IP,1)
    acl rule_blacklist hdr_sub(True-Client-IP,1) -f /etc/haproxy/blacklist.lst
    acl rule_whitelist hdr_sub(True-Client-IP,1) -f /etc/haproxy/whitelist.lst
    http-request allow if rule_whitelist
    http-request deny if rule_blacklist
    acl allowbw sc1_get_gpc0 eq 2
    acl denybw sc1_get_gpc0 eq 1
    http-request allow if allowbw
    use_backend human-validation if denybw
    default_backend back-http

backend back-http
    server webserver1 10.10.10.2:80

backend human-validation
    server webserver2 10.10.10.3:80
The conf defines, on one side, two hand-made lists, blacklist and whitelist. If
a request comes to the proxy with an IP in the True-Client-IP header, HAProxy
checks if it is in the whitelist; in that case it passes; if it is in the
blacklist, it is denied; and if the IP isn't in any list, it passes to the backend.
On the other side, there is one stick table matching the True-Client-IP header.
Based on it, an external program writes to the haproxy socket, for one
particular IP, whether the client is an abuser, basically:

$ echo "set table proxy-http key 10.10.10.10 data.gpc0 1" | socat stdio /var/run/haproxy.sock
If the IP has the counter at one, HAProxy sends the request to the user
validation backend, and if the user passes it, the IP is marked with the number two
and passed to the content. An example curl request with the header (only the
first IP in the list is saved):

$ curl -I 10.10.10.1:80 -H "True-Client-IP: 10.10.10.10,10.20.10.20,10.30.10.20"
But, alternatively, a request already marked with the number one is redirected one
time to one backend and another time to the other; these are the example lines in the
logs:

Aug 7 10:28:22 127.0.0.1 haproxy[9342]: 10.10.10.1:45350 [07/Aug/2013:10:28:22.900] proxy-http human-validation/webserver2 0/0/0/0/0 200 276 - - ---- 1/1/0/1/0 0/0 "HEAD / HTTP/1.1"
Aug 7 10:28:24 127.0.0.1 haproxy[9342]: 10.10.10.1:45351 [07/Aug/2013:10:28:24.152] proxy-http back-http/webserver1 0/0/0/20/20 200 368 - - --NI 1/1/0/0/0 0/0 "HEAD / HTTP/1.1"
At the moment when the number is inserted, the human_validation backend works,
but for some requests yes, for others not, alternately. For example, 3 yes, 2 not, 1
yes, 5 not, 4 yes.
Can someone tell me more about this behavior?
Thanks,
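As an added example that is not part of the original message or of HAProxy itself: the script below models the access policy the message describes (whitelist, blacklist, then the gpc0 counter from the stick table) and parses the two httplog lines quoted above, grouping them by client address so that a client being routed to two different backends shows up directly. The names Policy, decide(), set_gpc0(), parse_httplog() and routing_by_client() are this example's own; the list files are modelled as exact IP sets, which is a simplification of the hdr_sub substring match in the real config.

```python
# Added example (not code from the original post or from HAProxy): a Python
# model of the access policy in the post, plus a parser for the HAProxy
# httplog lines it quotes. All names below are chosen for this example.
import re
from dataclasses import dataclass, field


@dataclass
class Policy:
    whitelist: set            # stands in for /etc/haproxy/whitelist.lst
    blacklist: set            # stands in for /etc/haproxy/blacklist.lst
    gpc0: dict = field(default_factory=dict)   # stick-table gpc0 value per IP


def first_ip(header_value):
    """The ACLs and the track-sc1 key both use occurrence 1 of the
    True-Client-IP header, so only the first IP in the list matters."""
    return header_value.split(",")[0].strip()


def set_gpc0(policy, ip, value):
    """Models the external program's socket write:
    echo "set table proxy-http key <ip> data.gpc0 <value>" | socat stdio <sock>"""
    policy.gpc0[ip] = value


def decide(policy, true_client_ip):
    """Evaluate the rules in the order the listen section declares them.
    Exact-set membership simplifies the config's hdr_sub substring match."""
    ip = first_ip(true_client_ip)
    if ip in policy.whitelist:          # http-request allow if rule_whitelist
        return "back-http"
    if ip in policy.blacklist:          # http-request deny if rule_blacklist
        return "deny"
    counter = policy.gpc0.get(ip, 0)    # sc1_get_gpc0
    if counter == 2:                    # http-request allow if allowbw
        return "back-http"
    if counter == 1:                    # use_backend human-validation if denybw
        return "human-validation"
    return "back-http"                  # default_backend


# httplog layout: client:port [accept_date] frontend backend/server
# Tq/Tw/Tc/Tr/Tt status bytes captured_req_cookie captured_resp_cookie
# termination_state actconn/feconn/beconn/srv_conn/retries srv_queue/backend_queue "request"
LOG_RE = re.compile(
    r"haproxy\[(?P<pid>\d+)\]: (?P<client>[\d.]+):(?P<port>\d+) "
    r"\[(?P<accept>[^\]]+)\] (?P<frontend>\S+) (?P<backend>[^/\s]+)/(?P<server>\S+) "
    r"(?P<timers>[\d/-]+) (?P<status>\d{3}) (?P<bytes>\d+) \S+ \S+ "
    r'(?P<flags>\S{4}) (?P<conns>[\d/]+) (?P<queues>[\d/]+) "(?P<request>[^"]*)"'
)


def parse_httplog(line):
    """Return the fields of one httplog line as a dict, or None if it
    does not match the format."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def routing_by_client(lines):
    """Per client address, the sequence of backends HAProxy chose, so a
    client bouncing between back-http and human-validation is visible."""
    seen = {}
    for line in lines:
        rec = parse_httplog(line)
        if rec:
            seen.setdefault(rec["client"], []).append(rec["backend"])
    return seen


# The two log lines quoted in the post, used here as sample input.
SAMPLE_LOG = [
    'Aug 7 10:28:22 127.0.0.1 haproxy[9342]: 10.10.10.1:45350 [07/Aug/2013:10:28:22.900] '
    'proxy-http human-validation/webserver2 0/0/0/0/0 200 276 - - ---- 1/1/0/1/0 0/0 "HEAD / HTTP/1.1"',
    'Aug 7 10:28:24 127.0.0.1 haproxy[9342]: 10.10.10.1:45351 [07/Aug/2013:10:28:24.152] '
    'proxy-http back-http/webserver1 0/0/0/20/20 200 368 - - --NI 1/1/0/0/0 0/0 "HEAD / HTTP/1.1"',
]

if __name__ == "__main__":
    # Constructed list contents; 192.0.2.x are documentation addresses.
    policy = Policy(whitelist={"192.0.2.1"}, blacklist={"192.0.2.2"})
    set_gpc0(policy, "10.10.10.10", 1)
    print(decide(policy, "10.10.10.10,10.20.10.20,10.30.10.20"))  # human-validation
    for line in SAMPLE_LOG:
        rec = parse_httplog(line)
        print(rec["client"], rec["backend"], rec["server"], rec["flags"])
    print(routing_by_client(SAMPLE_LOG))
```

Run against the two quoted lines, routing_by_client() reports client 10.10.10.1 landing first on human-validation and then on back-http, which is the alternation the message asks about; the termination state field (---- versus --NI) is kept in each record so it can be compared alongside the backend choice.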