Hi Christian,

I read the link just now and I am so very thankful that you helped.
I was suspecting that conn_rate is to be used but I was following another blog.

I need help with one more thing. Can you briefly describe how you arrive at the numbers 
for limitations? I seem to have no sure-shot way of getting it right first and 
then changing a live server’s configuration. Should I just be looking at the 
deltas between 2 timestamps to decide what an acceptable limit is?

Best regards,
; Yuan

> On Feb 13, 2015, at 5:16 PM, Christian Ruppert <id...@qasl.de> wrote:
> 
> Hi Yuan,
> 
> On 2015-02-12 17:39, Yuan wrote:
>> Hello Experts,
>> Our customer’s website has just been brought down by bots.bots
>> website aware.
>> base32+src can look at src + url.
>> I am not good at this. I am hoping I can get some help to create the
>> needed config. Can I do the below config ;
>> # Begin DDOS-Protection-Config
>> # Monitor the number of requests sent by an IP over a period of 10 seconds
>>  stick-table type base32+src size 1m expire 10s store gpc0,http_req_rate(10s)
>>  tcp-request connection track-sc1 src
>>  # Refuses a new connection from an abuser
>>  tcp-request content reject if { src_get_gpc0 gt 0 }
>>  # Returns a 403 response for requests in an established connection
>>  http-request deny if { src_get_gpc0 gt 0 }
>> I think this config is wrong. Any help or tips or sample config using
>> base32+src possible. Maybe a Link where someone posted a sample config
>> using base32+src. I have both port 80 & port 443 with port 80 rewrite
>> to port 443.
> 
> Due to lack of time I can't help you that much but what you miss is 
> increasing the gpc0 counter. You should take a look at "haproxy rate 
> limiting" stuff, there are some good examples out there, e.g.:
> http://brokenhaze.com/blog/2014/03/25/how-stack-exchange-gets-the-most-out-of-haproxy/
> 
> It's also pretty easy to test with a few shells, curl and socat.
> 
>> I had some help from Willy about using base32+src which I understood
>> in theory but I am not good enough to convert that wonderful advice to
>> a workable config.
>> Best regards,
>> ; Yuan
> 
> -- 
> Regards,
> Christian Ruppert
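
The missing gpc0 increment that Christian points out, shown as an added example (not from either poster or the linked blog post): a frontend that flags a source once its request rate crosses a limit and then rejects it. It assumes HAProxy 1.5-style ACLs and tracks by source address only, not `base32+src`; the names `fe_web` and `be_app` and the limit of 100 requests per 10 seconds are placeholders to be replaced with measured values.

```haproxy
# Added example; fe_web, be_app and the threshold 100 are placeholders.
frontend fe_web
    mode http
    bind :80

    # One entry per client IP. Each entry stores a flag (gpc0) and the
    # request rate over a sliding 10 s window. An entry, and with it the
    # flag, expires 10 s after the source was last seen.
    stick-table type ip size 1m expire 10s store gpc0,http_req_rate(10s)

    # Start tracking the source address as soon as the connection is accepted.
    tcp-request connection track-sc1 src
    # Refuse new connections from sources that are already flagged.
    tcp-request connection reject if { src_get_gpc0 gt 0 }

    # True when the source has reached the allowed request rate.
    acl abuse src_http_req_rate ge 100
    # Evaluating this ACL increments gpc0 and returns the new value,
    # so the comparison itself is always true.
    acl flag_abuser src_inc_gpc0 gt 0

    # Conditions are evaluated left to right and stop at the first false
    # one, so gpc0 is only incremented for sources that matched "abuse".
    http-request deny if abuse flag_abuser
    # Flagged sources on an already established connection get a 403.
    http-request deny if { src_get_gpc0 gt 0 }

    default_backend be_app
```

The counters can be watched while testing with `show table fe_web` on the stats socket, which fits the curl and socat approach mentioned in the reply.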

