Hi all,
I've pored over the Configuration Manual again and again, and I'm
still struggling to fully understand sticky counters. This paragraph
seems to hold some important information:
Once a "track-sc*" rule is executed, the key is looked up in the table
and if it is not found, an entry is allocated for it. Then a pointer to
that entry is kept during all the session's life, and this entry's
counters are updated as often as possible, every time the session's
counters are updated, and also systematically when the session ends.
Counters are only updated for events that happen after the tracking has
been started. As an exception, connection counters and request counters
are systematically updated so that they reflect useful
information.
It seems that one of the key concepts here is "session". I'm assuming
that this actually means "TCP session", as in layer 5 of the OSI
model; is that correct? Unfortunately there is nowhere in the manual
which explicitly states this definition, despite countless uses of the
term, but there are some hints scattered around, e.g. in the
"tcp-request session" section:
Once a session is validated, (ie. after all handshakes have been completed),
and in the "reject" part of the "tcp-request connection" section.
It seems that each session can have a maximum of three entries
associated with it in stick-tables, because there is a maximum of 3
sets of sticky counters per connection. And these entries could
potentially be in 1, 2, or 3 different stick-tables, depending on
where and how the track-scX directive is written, right?
Thirdly, I'm struggling to understand these examples:
Example: accept all connections from white-listed hosts, reject too fast
connection without counting them, and track accepted connections.
This results in connection rate being capped from abusive sources.
tcp-request connection accept if { src -f /etc/haproxy/whitelist.lst }
tcp-request connection reject if { src_conn_rate gt 10 }
tcp-request connection track-sc0 src
Example: accept all connections from white-listed hosts, count all other
connections and reject too fast ones. This results in abusive ones
being blocked as long as they don't slow down.
tcp-request connection accept if { src -f /etc/haproxy/whitelist.lst }
tcp-request connection track-sc0 src
tcp-request connection reject if { sc0_conn_rate gt 10 }
The stick-table directives are missing, but my experiments suggest
that not only they are mandatory, but also they must track conn_rate
samples, otherwise HAProxy has no way to know the duration of the
sliding time window which the connection rate relates to, and nothing
will get rejected. So I think the examples should include those
directives for clarity. When I added this, it worked for me:
stick-table type ip size 100k store conn_rate(30s)
Furthermore, I don't understand the explanation text which says
"without counting them". If they're not counted, how can the
connection rate be measured? So what is the real difference between
these two examples?
I'd be really grateful for any light which can be shed here. I'm
normally pretty good at inhaling large, complex technical manuals, but
I've really been struggling with HAProxy's for some reason :-/
Thanks!
Adam
