Hi Christian, I read the link just now and I am so very thankful that you helped. I was suspecting that conn_rate is to be used but I was following another blog.
I need one more help. Can you briefly describe how you arrive at the numbers for limitations? I seem to have no sure-shot way of getting it right first and then changing a live server’s configuration. Should I just be looking at the deltas between 2 timestamps, to decide what an acceptable limit is?

Best regards,
; Yuan

> On Feb 13, 2015, at 5:16 PM, Christian Ruppert <id...@qasl.de> wrote:
>
> Hi Yuan,
>
> On 2015-02-12 17:39, Yuan wrote:
>> Hello Experts,
>> Our customer’s website has just been brought down by bots.bots
>> website aware.
>> base32+src can look at src + url.
>> I am not good at this. I am hoping I can get some help to create the
>> needed config. Can I do the below config ;
>> # Begin DDOS-Protection-Config
>> # Monitor the number of request sent by an IP over a period of 10 seconds
>>  stick-table type base32+src size 1m expire 10s store gpc0,http_req_rate(10s)
>>  tcp-request connection track-sc1 src
>>  # Refuses a new connection from an abuser
>>  tcp-request content reject if { src_get_gpc0 gt 0 }
>>  # Returns a 403 response for requests in an established connection
>>  http-request deny if { src_get_gpc0 gt 0 }
>> I think this config is wrong. Any help or tips or sample config using
>> base32+src possible. Maybe a Link where someone posted a sample config
>> using base32+src. I have both port 80 & port 443 with port 80 rewrite
>> to port 443.
>
> Due to lack of time I can't help you that much but what you miss is
> increasing the gpc0 counter. You should take a look at "haproxy rate
> limiting" stuff, there are some good examples out there, e.g.:
> http://brokenhaze.com/blog/2014/03/25/how-stack-exchange-gets-the-most-out-of-haproxy/
>
> It's also pretty easy to test with a few shells, curl and socat.
>
>> I had some help from Willy about using base32+src which I understood
>> in theory but I am not good enough to convert that wonderful advice to
>> a workable config.
>> Best regards,
>> ; Yuan
>
> --
> Regards,
> Christian Ruppert
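
The step Christian points to, incrementing gpc0, shown as an added example that is not part of the original thread or anyone's production config. It tracks `src` only, as the posted rules do, and uses `type ip` because `base32+src` is a sample fetch rather than a stick-table type; the proxy names, the server address and the threshold of 10 requests per 10 seconds are assumptions.

```haproxy
# Added example, not from the thread. ft_web, bk_web, the server address and
# the threshold (10 requests per 10s) are assumed values for illustration.
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend ft_web
    bind :80

    # One entry per client address: an abuse flag (gpc0) and the
    # HTTP request rate measured over a sliding 10s period.
    stick-table type ip size 1m expire 10s store gpc0,http_req_rate(10s)

    # Track the source address as soon as the connection is accepted.
    tcp-request connection track-sc1 src

    # Refuse new connections from a source that is already flagged.
    tcp-request connection reject if { src_get_gpc0 gt 0 }

    # The part the posted config lacks: something has to raise gpc0.
    # "abuse" is true once the tracked source reaches the threshold.
    acl abuse       sc1_http_req_rate ge 10
    # Evaluating this ACL increments gpc0 for the tracked source.
    acl flag_abuser sc1_inc_gpc0 gt 0

    # Conditions are evaluated left to right, so gpc0 is only incremented
    # when "abuse" matched; the request itself gets a 403.
    http-request deny if abuse flag_abuser

    default_backend bk_web

backend bk_web
    server web1 192.0.2.10:8080 check
```

As Christian notes, a setup like this can be exercised with a few shells and curl against a test instance before it is applied to a live server.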