Can I perhaps do something like:

    tcp-request content track-sc2 hdr(X-Forwarded-For)
    acl conn_limit_hit sc2_conn_cur gt 2

?

Klavs Klavsen wrote on 03/24/2015 01:11 PM:
Hi,

We would like to limit how many connections a given IP can send to our backend. Our setup is like this:

    haproxy -> varnish -> haproxy -> webservers

and we'd like to have the frontend behind varnish (we call it nocache :) limit the concurrent connections any IP can have (to 1 or 2 is the idea).

I've googled and read, and it seems stick-table should be used. My current setup looks something like this (based/stolen from http://fotoarkiv.com/wordpress/limiting-the-number-of-active-users-on-a-site-using-haproxy/ ):

    frontend nocache
        ..
        #create a stick-table of 30 IPs for storing active IPs, 5 minute timeout
        stick-table type ip size 30 expire 5m store gpc0
        #populate the table with the X-Forwarded-For header
        stick store-request hdr(X-Forwarded-For)
        #allow new users if we have more than 1 available slot in the stick table
        acl allowed table_avl(nocache) gt 1
        #if not allowed above, go away
        block unless allowed

but it looks for "available slots in stick-table". I'd like to simply block if the IP already has more than 2 connections. I figured I could use src_conn_cnt, but I need it to use the IP in X-Forwarded-For. How can I do that?

Thank you in advance
-- 
Regards,
Klavs Klavsen, GSEC, kl...@enableit.dk - Tlf. +45 612 812 00
EnableIT - Open Source Server, Security and Network Consulting

"Open Source Software - Sometimes you get more than you paid for."
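A worked version of the tracking approach floated in the reply, added here as an example and not taken from the thread or the HAProxy project. It assumes HAProxy 1.5-era syntax, that the outer haproxy hop appends the real client address to X-Forwarded-For, and that clients cannot reach the nocache frontend directly; the bind address, table size and backend name are placeholders.

```haproxy
# Frontend sitting behind varnish ("nocache"). Limits concurrent connections
# per client IP, where the client IP is taken from X-Forwarded-For rather
# than the TCP source address (which would always be varnish).
frontend nocache
    bind *:8080
    mode http

    # One entry per client IP, holding a live connection counter.
    # size must cover the number of distinct client IPs expected within
    # the expire window; 30 (as in the quoted snippet) would fill up fast.
    stick-table type ip size 100k expire 5m store conn_cur

    # Only the LAST X-Forwarded-For entry is trusted: it is the one appended
    # by the haproxy hop in front of varnish (assumes that hop runs
    # "option forwardfor"). Anything earlier in the list was supplied by the
    # client and can be forged, so it must not be used as the tracking key.
    http-request track-sc2 req.hdr_ip(X-Forwarded-For,-1)

    # conn_cur already includes the request being evaluated, so "gt 2"
    # allows two concurrent connections per IP and rejects the third.
    acl conn_limit_hit sc2_conn_cur gt 2
    http-request deny if conn_limit_hit

    default_backend webservers
```

Rule order matters: the track-sc2 line must come before the deny so the counter reflects the current request.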