Hello! I use HAProxy in front of a web app / service and I would like to add DDoS protection and rate limiting. The problem is that each part of the application has different request rates and for some customers we must accept very high request rates and bursts, while this is not allowed for unauthenticated users for example. So I was thinking about this solution:
1. Based on advanced conditions (e.g. current user) our Rails application decides whether to return a normal response (e.g. 2xx) or a 429 (Too Many Requests); it can also return other errors, like 401
2. HAProxy bans clients if they produce too many 4xx errors

What do you think about this solution? Also, is it correct to use HAProxy directly or is it more performant to use fail2ban on HAProxy logs?

This is the HAProxy configuration that I would like to use:

    frontend www-frontend
        tcp-request connection reject if { src_http_err_rate(st_abuse) ge 5 }
        http-request track-sc0 src table st_abuse
        ...
        default_backend www-backend

    backend www-backend
        ...

    backend st_abuse
        stick-table type ipv6 size 1m expire 10s store http_err_rate(10s)

Do you think that the above rules are correct? Am I missing something? Also, is it correct to mix *tcp*-request and src_*http*_err_rate in the frontend? Is it possible to include only the 4xx errors (and not 5xx) in http_err_rate?

Any suggestion would be greatly appreciated

Thank you
Marco Colli
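A complete configuration for the design described in the post, as an added example and not code from the original message: instead of http_err_rate (which counts every 4xx response plus request errors, while 5xx are tracked separately by http_fail_rate) it increments a general-purpose counter only on the 429 responses the application returns, and bans at the connection level. The section names, the bind address, the backend server and the thresholds (5 per 10s, 60s entry lifetime) are assumptions.

```haproxy
# Added example, not part of the original post. Names (www-frontend,
# www-backend, st_abuse, app1) and thresholds are assumed values.
defaults
    mode http
    option httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Dedicated table keyed by source address (type ipv6 also holds IPv4).
# gpc0_rate counts only what we increment ourselves (the 429s);
# http_err_rate would count every 4xx plus request errors, and 5xx
# responses are exposed separately as http_fail_rate.
# expire is longer than the rate period so the entry (and the ban)
# outlives the 10s window instead of being dropped with it.
backend st_abuse
    stick-table type ipv6 size 1m expire 60s store gpc0_rate(10s)

frontend www-frontend
    bind :80

    # Drop the TCP connection before any HTTP parsing once the source
    # has triggered more than 5 application-level 429s in the last 10s.
    # A rejected connection is never tracked, so it does not refresh
    # the entry; the ban lapses when the entry expires.
    tcp-request connection reject if { src_gpc0_rate(st_abuse) gt 5 }

    # Track the source address so responses can update its counters.
    http-request track-sc0 src table st_abuse

    # Count only the 429 responses produced by the Rails application.
    # Use "{ status 400:499 }" instead to count every 4xx response.
    http-response sc-inc-gpc0(0) if { status 429 }

    default_backend www-backend

backend www-backend
    server app1 127.0.0.1:3000 check
```

Check the effect with `echo "show table st_abuse" | socat stdio /var/run/haproxy.sock` (path assumed) to see per-source gpc0_rate values before and after the application starts answering 429.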