Hello Cyril,

Thank you for the reply!

My current config for rate limiting is:
  tcp-request content track-sc0 src
  stick-table type ip size 500k expire 30s store conn_cur,conn_rate(10s),http_req_rate(10s),http_err_rate(10s)
  tcp-request content reject if { src -f /etc/haproxy/blacklist.lst }
  http-request add-header X-Haproxy-ACL %[req.fhdr(X-Haproxy-ACL,-1)]whitelisted, if { src -f /etc/haproxy/whitelist.lst }
  http-request allow if { src -f /etc/haproxy/whitelist.lst }
  http-request add-header X-Haproxy-ACL %[req.fhdr(X-Haproxy-ACL,-1)]over-100-active-connections, if { src_conn_cur ge 100 }
  http-request add-header X-Haproxy-ACL %[req.fhdr(X-Haproxy-ACL,-1)]over-3-connections-in-10-seconds, if { src_conn_rate gt 3 }
  http-request add-header X-Haproxy-ACL %[req.fhdr(X-Haproxy-ACL,-1)]high-error-rate, if { sc0_http_err_rate() gt 100 }
  http-request add-header X-Haproxy-ACL %[req.fhdr(X-Haproxy-ACL,-1)]high-request-rate, if { sc0_http_req_rate() gt 500 }

Won't it be affected if I make the change according to your suggestion?
I'm particularly worried about the http_err_rate and http_req_rate counters.

Wednesday, July 20, 2016, 1:33:53 AM, you wrote:

> Hi,

> On 18/07/2016 at 11:30, hapr...@abisoft.biz wrote:
>> Hello,
>>
>> I have a sticky table for ip checks against high connection rate (for 
>> testing purposes it's set now to 3 connections in 10 seconds):
>>
>> frontend lb-useast
>> ...
>>   tcp-request content track-sc0 src
>>   stick-table type ip size 500k expire 30s store conn_cur,conn_rate(10s),http_req_rate(10s),http_err_rate(10s)
>>   http-request add-header X-Haproxy-ACL %[req.fhdr(X-Haproxy-ACL,-1)]over-3-connections-in-10-seconds, if { src_conn_rate gt 3 }
>> ...
>>   default_backend logger
>>
>> backend logger
>>   server localhost localhost:55555 send-proxy
>>
>> frontend logger
>> ...
>>   acl whitelisted req.fhdr(X-Haproxy-ACL) -m beg whitelisted,
>>   acl fail-validation req.fhdr(X-Haproxy-ACL) -m found
>>   http-request deny if !whitelisted fail-validation
>> ...
>>
>> When I run 3 curl requests in a row, the table shows there were 5 
>> connections with 1 failed:
>> # echo "show table lb-useast" | socat - unix:/var/lib/haproxy/stats
>> # table: lb-useast, type: ip, size:512000, used:1
>> 0x24b3628: key=x.y.222.4 use=0 exp=26100 conn_rate(10000)=5 conn_cur=0 http_req_rate(10000)=3 http_err_rate(10000)=1

> After doing some tests, indeed, it appears that with mode http and a 
> frontend/backend, conn_rate counters are incremented twice (before and 
> after).

>>
>> The curl command is pretty straightforward:
>> for ((i=1;i<=3;i++)); do curl -s http://uat.my.com/privacy.html > /dev/null; echo $i; done

> With this loop, conn_rate will be 1, then 3, then 5.

> I couldn't spend more time on the issue and won't have much time for it 
> next days, but you can try a workaround, by replacing tcp-request 
> content with tcp-request connection :

>    tcp-request connection track-sc0 src

>>
>> How does haproxy count connections, so it gets 5 instead of 3?
>>
>> PS haproxy version is 1.5.4

-- 
Best regards,
Alex
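As an added example (not code from this thread or from HAProxy), a small Python parser for the `show table` output quoted above that flags entries whose conn_rate exceeds http_req_rate, which is the symptom of the double conn_rate increment Cyril describes when each request uses its own connection. The sample output and the 192.0.2.x keys are constructed; the check assumes one HTTP request per connection, as with the curl loop in the thread.

```python
import re

# Constructed sample of `show table lb-useast` output, modelled on the
# lines quoted in the thread. Keys are documentation-range placeholders.
SAMPLE_SHOW_TABLE = """\
# table: lb-useast, type: ip, size:512000, used:2
0x24b3628: key=192.0.2.4 use=0 exp=26100 conn_rate(10000)=5 conn_cur=0 http_req_rate(10000)=3 http_err_rate(10000)=1
0x24b3700: key=192.0.2.9 use=0 exp=29000 conn_rate(10000)=3 conn_cur=0 http_req_rate(10000)=3 http_err_rate(10000)=0
"""

# One entry per line: "<addr>: key=<key> <field>[(<period>)]=<value> ..."
ENTRY_RE = re.compile(r"^0x[0-9a-fA-F]+: key=(?P<key>\S+) (?P<rest>.*)$")
FIELD_RE = re.compile(r"(\w+)(?:\((\d+)\))?=(\d+)")


def parse_show_table(text):
    """Return {key: {field: int}}; the (period) suffix on rate fields is dropped."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # the "# table: ..." header and blank lines carry no entry
        fields = {name: int(value) for name, _period, value in FIELD_RE.findall(m.group("rest"))}
        entries[m.group("key")] = fields
    return entries


def double_counted(entry):
    """Heuristic from the thread: with one request per connection, conn_rate
    should not exceed http_req_rate; a higher conn_rate points to the
    connection being counted twice (before and after the backend)."""
    reqs = entry.get("http_req_rate", 0)
    conns = entry.get("conn_rate", 0)
    return reqs > 0 and conns > reqs


def suspicious_keys(text):
    """Keys in a `show table` dump that show the double-counting symptom."""
    return sorted(key for key, entry in parse_show_table(text).items() if double_counted(entry))


if __name__ == "__main__":
    for key in suspicious_keys(SAMPLE_SHOW_TABLE):
        print(f"{key}: conn_rate exceeds http_req_rate, check where track-sc0 is set")
```

Pipe the real dump in with `echo "show table lb-useast" | socat - unix:/var/lib/haproxy/stats` before and after switching to `tcp-request connection track-sc0 src` to see whether the ratio changes.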

