Hello!

I use HAProxy in front of a web app / service and I would like to add DDoS
protection and rate limiting. The problem is that each part of the
application has different request rates and for some customers we must
accept very high request rates and bursts, while this is not allowed for
unauthenticated users for example. So I was thinking about this solution:

1. Based on advanced conditions (e.g. current user) our Rails application
decides whether to return a normal response (e.g. 2xx) or a 429 (Too Many
Requests); it can also return other errors, like 401
2. HAProxy bans clients if they produce too many 4xx errors

What do you think about this solution?
Also, is it correct to use HAProxy directly, or is it more performant to use
fail2ban on HAProxy logs?

This is the HAProxy configuration that I would like to use:

frontend www-frontend
  tcp-request connection reject if { src_http_err_rate(st_abuse) ge 5 }
  http-request track-sc0 src table st_abuse
  ...
  default_backend www-backend

backend www-backend
  ...

backend st_abuse
  stick-table type ipv6 size 1m expire 10s store http_err_rate(10s)

Do you think that the above rules are correct? Am I missing something?
Also, is it correct to mix *tcp*-request and src_*http*_err_rate in the
frontend?
Is it possible to include only the 4xx errors (and not 5xx) in
http_err_rate?


Any suggestion would be greatly appreciated
Thank you
Marco Colli
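
An added example, not part of Marco's mail or of HAProxy's own code: the log-driven alternative he asks about (what fail2ban would do with HAProxy's access log), written as a small Python detector so that the counting policy can be checked against sample data. Per source IP it counts 4xx responses inside a sliding 10 s window and flags the source once the count reaches 5, which is the same policy the posted stick table expresses with `http_err_rate(10s)` and `ge 5`. Only 4xx responses are counted: 5xx and aborted requests (status -1 in the log) are skipped, matching `http_err_rate`, which counts request errors and 4xx responses, while 5xx responses are tracked by the separate `http_fail_rate` in recent HAProxy releases. The log lines, host name, frontend/backend names and addresses are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches the core of a default HAProxy "option httplog" record (the syslog
# prefix is optional because the regex is applied with search()):
#   client_ip:port [accept_date] frontend backend/server timers status bytes ...
# The address class covers IPv4 and IPv6 literals.
LOG_RE = re.compile(
    r"(?P<ip>[0-9a-fA-F.:]+):\d+ "
    r"\[(?P<ts>\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2})\.\d{3}\] "
    r"\S+ \S+ \S+ (?P<status>-?\d+) "
)


def parse_line(line):
    """Return (ip, accept_datetime, status) or None if the line is not an httplog record."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S")
    return m.group("ip"), ts, int(m.group("status"))


def is_client_error(status):
    """Count only 4xx, like http_err_rate: 2xx/3xx, 5xx and -1 (aborted) are ignored."""
    return 400 <= status <= 499


def detect_abusers(lines, period_s=10, threshold=5):
    """Return {ip: time_of_trip} for sources that produce >= threshold 4xx responses
    within any sliding window of period_s seconds.  This is the policy of
    'store http_err_rate(10s)' plus 'ge 5', except that this window is exact,
    whereas HAProxy's frequency counter is an approximation over the period."""
    recent = defaultdict(deque)   # ip -> timestamps of its 4xx responses still in the window
    tripped = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, status = rec
        if not is_client_error(status):
            continue
        q = recent[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > period_s:
            q.popleft()               # drop 4xx responses older than the window
        if len(q) >= threshold and ip not in tripped:
            tripped[ip] = ts
    return tripped


# Constructed sample log (not real traffic): 203.0.113.7 gets five 4xx responses
# within six seconds with a 502 in between; 198.51.100.9 gets a 200 and one 404.
SAMPLE_LOG = """\
Mar  3 10:00:00 lb haproxy[1234]: 203.0.113.7:51000 [03/Mar/2021:10:00:00.101] www-frontend www-backend/app1 0/0/1/12/13 429 312 - - ---- 1/1/0/0/0 0/0 "GET /api/items HTTP/1.1"
Mar  3 10:00:01 lb haproxy[1234]: 203.0.113.7:51001 [03/Mar/2021:10:00:01.220] www-frontend www-backend/app1 0/0/1/11/12 429 312 - - ---- 1/1/0/0/0 0/0 "GET /api/items HTTP/1.1"
Mar  3 10:00:02 lb haproxy[1234]: 203.0.113.7:51002 [03/Mar/2021:10:00:02.330] www-frontend www-backend/app1 0/0/1/10/11 401 198 - - ---- 1/1/0/0/0 0/0 "GET /api/me HTTP/1.1"
Mar  3 10:00:03 lb haproxy[1234]: 203.0.113.7:51003 [03/Mar/2021:10:00:03.440] www-frontend www-backend/app1 0/0/1/250/251 502 107 - - SH-- 1/1/0/0/0 0/0 "GET /api/items HTTP/1.1"
Mar  3 10:00:04 lb haproxy[1234]: 203.0.113.7:51004 [03/Mar/2021:10:00:04.550] www-frontend www-backend/app1 0/0/1/12/13 429 312 - - ---- 1/1/0/0/0 0/0 "GET /api/items HTTP/1.1"
Mar  3 10:00:05 lb haproxy[1234]: 198.51.100.9:40000 [03/Mar/2021:10:00:05.660] www-frontend www-backend/app2 0/0/1/30/31 200 5120 - - ---- 1/1/0/0/0 0/0 "GET / HTTP/1.1"
Mar  3 10:00:06 lb haproxy[1234]: 203.0.113.7:51005 [03/Mar/2021:10:00:06.770] www-frontend www-backend/app1 0/0/1/12/13 429 312 - - ---- 1/1/0/0/0 0/0 "GET /api/items HTTP/1.1"
Mar  3 10:00:20 lb haproxy[1234]: 198.51.100.9:40001 [03/Mar/2021:10:00:20.880] www-frontend www-backend/app2 0/0/1/8/9 404 180 - - ---- 1/1/0/0/0 0/0 "GET /favicon.ico HTTP/1.1"
"""

if __name__ == "__main__":
    for ip, when in detect_abusers(SAMPLE_LOG.splitlines()).items():
        print(f"ban {ip}: fifth 4xx within 10s at {when:%H:%M:%S}")
```

Running it bans 203.0.113.7 at 10:00:06 (the 502 at 10:00:03 is not counted) and leaves 198.51.100.9 alone. One caveat that applies to the in-HAProxy variant in the mail: `tcp-request connection` rules run when a new connection is accepted, so a client that keeps an already-open keep-alive connection alive is not affected by the reject; an `http-request deny` on the same counter closes that gap per request.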
