I sniffed the traffic on haproxy and the requests look fine:
GET /php-sleep.php?43 HTTP/1.1
User-Agent: curl/7.35.0
Host: kms.example.org
Accept: */*
X-Forwarded-For: 123.149.124.91
HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html; charset=UTF-8
Content-Length: 34
Accept-Ranges: bytes
Date: Tue, 14 Apr 2015 07:03:40 GMT
X-Varnish: 2130622187 2130622186
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: HIT
X-Varnish-Cache-Hits: 1
Finish<br><br>Slept for 43 seconds
but while the requests are running the table is empty:
# table: kms-ds-nocache, type: ip, size:102400, used:0
Klavs Klavsen wrote on 04/14/2015 08:49 AM:
Hi Baptiste,
Thank you very much for your help.
Unfortunately it didn't work. I tried this:
frontend kms-ds-nocache
bind x.x.x.x:80
mode http
balance roundrobin
default_backend kms-ds-backend
option httplog
option accept-invalid-http-request
stick-table type ip size 100k expire 30s store conn_cur
tcp-request content accept if HTTP
tcp-request content reject if { sc1_conn_cur ge 2 }
tcp-request content track-sc1 hdr(X-Forwarded-For)
tcp-request inspect-delay 5s
and I was still able to have 5 connections. (I call a PHP script, using
curl, which sleeps for 40 seconds :)
Baptiste wrote on 04/09/2015 11:28 PM:
Hi Klavs,
Please give a try to the configuration below:
frontend nocache
mode http
..
option httplog
option accept-invalid-http-request
stick-table type ip size 100k expire 30s store conn_cur
tcp-request inspect-delay 5s
tcp-request content accept if HTTP
tcp-request content track-sc1 hdr(X-Forwarded-For)
tcp-request content reject if { sc1_conn_cur ge 10 }
'tcp-request connection' is executed when the connection has just
arrived in HAProxy, so the X-Forwarded-For header might not have been
read yet.
The conf above uses 'tcp-request content' instead, and to be sure
we'll find the header, I've added the inspect delay, which accepts the
request once the buffer is confirmed to contain HTTP.
Baptiste
On Tue, Apr 7, 2015 at 12:33 PM, Klavs Klavsen <k...@vsen.dk> wrote:
Back from easter vacation :)
Baptiste wrote on 03/25/2015 10:30 AM:
Hi,
Some useful examples can be taken from this blog post:
http://blog.haproxy.com/2012/02/27/use-a-load-balancer-as-a-first-row-of-defense-against-ddos/
Just replace src by hdr(X-Forwarded-For).
Tried:
frontend nocache
mode http
..
option httplog
option accept-invalid-http-request
stick-table type ip size 100k expire 30s store conn_cur
tcp-request connection reject if { src_conn_cur ge 10 }
tcp-request connection track-sc1 hdr(X-Forwarded-For)
..
but haproxy complains:
'tcp-request connection track-sc1' : fetch method 'hdr(X-Forwarded-For)'
extracts information from 'HTTP request headers,HTTP response
headers', none
of which is available here
I took the example from
http://blog.haproxy.com/2012/02/27/use-a-load-balancer-as-a-first-row-of-defense-against-ddos/
:(
--
Regards,
Klavs Klavsen, GSEC - k...@vsen.dk - http://www.vsen.dk - Tlf. 61281200
"Those who do not understand Unix are condemned to reinvent it, poorly."
--Henry Spencer
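As an added example that is not part of the thread or of HAProxy itself: a small Python model of how HAProxy evaluates `tcp-request content` rules, replayed against the rule order posted above (where the table stays at used:0) and against a reordered set that tracks before it rejects. The accept/track/conn_cur behaviour follows HAProxy's documentation; the simplified condition strings, the `evaluate`/`run` helpers and the rule lists are constructions of this example.

```python
"""Toy model of HAProxy 'tcp-request content' rule evaluation (constructed
example, not code from the thread or from HAProxy). Three behaviours are
modelled: the first matching 'accept' or 'reject' ends evaluation; 'track-sc1'
increments conn_cur for the tracked key, so the counter already includes the
connection being evaluated; and 'sc1_conn_cur' reads 0 while nothing is
tracked. Condition strings are simplified stand-ins for the real ACLs."""


def evaluate(rules, key, table):
    """Decide one new connection from `key`; returns "accept" or "reject"."""
    tracked = None  # sc1 is not tracked until a track-sc1 rule has run
    for action, cond in rules:
        if cond is None or cond == "HTTP":
            match = True  # after inspect-delay the buffer holds a full request
        elif cond.startswith("sc1_conn_cur "):
            _, op, limit = cond.split()
            current = table.get(tracked, 0) if tracked is not None else 0
            match = current >= int(limit) if op == "ge" else current > int(limit)
        else:
            raise ValueError("unsupported condition: " + cond)
        if not match:
            continue
        if action == "track-sc1":
            tracked = key
            table[key] = table.get(key, 0) + 1  # conn_cur goes up immediately
        elif action == "reject":
            if tracked is not None:  # a closed connection leaves conn_cur
                table[key] -= 1
            return "reject"
        elif action == "accept":
            return "accept"  # ends evaluation: later rules never run
    return "accept"


def run(rules, key, attempts):
    """Open `attempts` concurrent connections from `key`; none of them closes."""
    table = {}
    decisions = [evaluate(rules, key, table) for _ in range(attempts)]
    return decisions, table


# Order as posted in the thread: 'accept if HTTP' matches first, so track-sc1
# is never reached and the stick table stays at used:0.
POSTED_RULES = [("accept", "HTTP"), ("reject", "sc1_conn_cur ge 2"), ("track-sc1", None)]

# Track first (guarded by HTTP so the header is readable), then limit; falling
# off the end of the rule list accepts the connection.
REORDERED_RULES = [("track-sc1", "HTTP"), ("reject", "sc1_conn_cur gt 2")]
```

Because tracking happens before the check, the counter includes the connection under evaluation, so `gt 2` allows two concurrent connections per X-Forwarded-For value and rejects the third.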