Hi Jarno and Marco,

Thank you for responding. Came up with this based on the inputs:

#printf "as2monte" | mkpasswd --stdin --method=md5
userlist AuthUsers_MONTE_AS2
    user appuser_as2 password $1$t25fZ7Oe$bjthsMcXgbCt2EJvQo8r0/

backend st_src_as2_monte
    stick-table type string len 64 size 1000 expire 1s store http_req_rate(1s)

frontend scef
    bind 0.0.0.0:80
    bind 0.0.0.0:443 ssl crt /etc/ssl/private/as1.pem
    mode http
    #option httpclose
    option forwardfor

    acl monte_as2_api_url url_beg /api/v1/monitoring-event/A000002/
    #500 requests per second.
    acl monte_as2_exceeds_limit src_http_req_rate(st_src_as2_monte) gt 500
    http-request track-sc1 src table st_src_as2_monte unless monte_as2_exceeds_limit
    http-request deny deny_status 429 if monte_as2_api_url monte_as2_exceeds_limit
    http-request auth realm basicauth if monte_as2_api_url !authorized_monte_as2
    use_backend nodes

With this config I was able to rate limit per url basis.

Thanks
badari

On Tue, Feb 19, 2019 at 10:01 PM Jarno Huuskonen <jarno.huusko...@uef.fi> wrote:

> Hi,
>
> On Mon, Feb 11, Badari Prasad wrote:
> > I want to rate limit based on url
> > [/api/v1/monitoring-event/A000001, /api/v1/client1/transfer_data,
> > /api/v1/client2/transfer_data ] no matter what the source ip address is.
>
> Something like this might help you. Unfortunately at the moment
> I don't have time to create a better example.
>
> acl api_a1 path_beg /a1
> acl api_b1 path_beg /b1
> acl rate_5 sc0_http_req_rate(test_be) gt 5
> acl rate_15 sc0_http_req_rate(test_be) gt 15
>
> # You might want to add acl so you'll only track paths you're
> # interested in.
> http-request track-sc0 path table test_be
> # if you want to track only /a1 /b1 part of path
> # you can use for example field converter:
> #http-request track-sc0 path,field(1,/,2) table test_be
> #http-request set-header X-Rate %[sc0_http_req_rate(test_be)]
>
> http-request deny deny_status 429 if api_a1 rate_5
> http-request deny deny_status 403 if api_b1 rate_15
>
> # adjust len and size etc. to your needs
> backend test_be
>     stick-table type string len 40 size 20 expire 180s store http_req_rate(60s)
>
> -Jarno
>
> > On Mon, Feb 11, 2019 at 7:34 PM Jarno Huuskonen <jarno.huusko...@uef.fi>
> > wrote:
> >
> > > Hi,
> > >
> > > On Mon, Feb 11, Badari Prasad wrote:
> > > > Thank you for the response. I came up with my own haproxy cfg, where I
> > > > would want to rate limit based on event name and client id in url.
> > > > URL ex : /api/v1/<event_name>/<clientid>
> > > >
> > > > Have attached a file for my haproxy cfg. But it does not seem to be
> > > > rate limiting the incoming requests.
> > >
> > > > backend st_src_monte
> > > >     stick-table type string size 1m expire 10s store http_req_rate(10s)
> > > > ...
> > > >
> > > > acl monte_as1_exceeds_limit src_http_req_rate(st_src_as1_monte) gt 990
> > > > acl monte_in_limit src_http_req_rate(st_src_as1_monte) lt 1000
> > > > http-request track-sc0 src table st_src_as1_monte
> > >
> > > There's no st_src_as1_monte table in your example config, there's
> > > st_src_monte table.
> > >
> > > > http-request deny deny_status 429 if { path_beg /api/v1/monitoring-event/A000001 AND monte_as1_exceeds_limit }
> > >
> > > You're tracking connections with src, but the stick table is type string,
> > > have you checked from admin socket that the stick table has entries,
> > > something like:
> > > echo 'show table st_src_monte' | nc -U /var/lib/haproxy/stats
> > > (instead of nc -U, socat stdio /var/lib/haproxy/stats should also work).
> > >
> > > If you want to track src ip, then stick-table type ip or ipv6 is
> > > probably better.
> > >
> > > >> I would want to configure 1000 tps for url /api/v1/client1/transfer_data or
> > > >> 500 tps for /api/v1/client2/user_data and so on....
> > >
> > > Do you mean that only 1000 tps goes to
> > > /api/v1/client1/transfer_data (no matter what the source ip addresses
> > > are) or each source ip can send 1000 tps to /api/v1/client1/transfer_data ?
>
> --
> Jarno Huuskonen
>
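
The path-keyed tracking Jarno describes above (one counter per URL, shared by all source addresses), applied to the two URLs and limits named in the thread. This is an added example, not a configuration posted by anyone in the thread; the table name st_url_rate, the ACL names, the backend server address and the choice of five path fields are assumptions.

```haproxy
# Added example: per-URL request-rate limits that do not depend on client IP.
# Names st_url_rate, api_client1, api_client2, over_1000, over_500 and the
# server address below are assumptions made for this illustration.

# Dummy backend that only holds the stick table. The key is a path prefix,
# so the table type is string; len must cover the longest tracked prefix.
backend st_url_rate
    stick-table type string len 64 size 1000 expire 10s store http_req_rate(1s)

frontend scef
    bind 0.0.0.0:80
    mode http
    option forwardfor

    acl api_client1 path_beg /api/v1/client1/transfer_data
    acl api_client2 path_beg /api/v1/client2/user_data

    # Track only the URLs that are limited. field(1,/,5) keeps the first five
    # '/'-separated fields ("", api, v1, clientN, name), so every request
    # under the same prefix shares one table entry whatever its source IP.
    http-request track-sc0 path,field(1,/,5) table st_url_rate if api_client1 or api_client2

    # sc0_http_req_rate reads the entry tracked by sc0 for this request,
    # i.e. the aggregate rate for that URL over the last second.
    acl over_1000 sc0_http_req_rate(st_url_rate) gt 1000
    acl over_500  sc0_http_req_rate(st_url_rate) gt 500

    http-request deny deny_status 429 if api_client1 over_1000
    http-request deny deny_status 429 if api_client2 over_500

    default_backend nodes

backend nodes
    mode http
    # Constructed placeholder server.
    server app1 127.0.0.1:8080
```

The table contents can be checked with the admin-socket command quoted in the thread, using this table's name: echo 'show table st_url_rate' | nc -U /var/lib/haproxy/stats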