Hi,
I am using the latest haproxy with an EC2 elastic load balancer configured to
proxy TCP:443 <-> TCP:443 to support HTTP2. PROXY protocol is enabled to
get the original IP address.
IP rate limiting is done using the following config:

frontend fe_http
    bind *:443 accept-proxy ssl crt ... no-sslv3 alpn h2,http/1.1
    stick-table type ip size 256k expire 10s store http_req_rate(10s)
    tcp-request inspect-delay 5s
    # Must use "content" because of PROXY protocol.
    tcp-request content track-sc0 src
    acl check_http_req_rate sc0_http_req_rate ge 256
    tcp-request content reject if check_http_req_rate
    use_backend be_429_slow_down if check_http_req_rate

backend be_429_slow_down
    errorfile 503 /etc/haproxy/errors/429.http

It works and is helpful until some point when haproxy consumes 100% CPU on
1 of 4 available cores and requests start failing. It can be that I need
better/more hardware, but I wonder if there is anything I can improve in my
config to lower CPU usage? Thanks in advance.