Hi Marco,
On Wed, Dec 11, 2019 at 12:50:21PM +0100, Marco Nietz wrote:
> Hi,
>
> i'm running Haproxy 1.8.21 on a Debian 9 Box.
>
> We use stick-tables to track http-connections and http-error-rate and block
> clients (bots) that cause a high error-rate. But Today i recognize a lot of
> 400 / Bad Requests Error (~15/s) in the logs. The rate definitely exceeds
> the defined limit, but the ip-address wasn't blocked. Therefor my question,
> does HTTP-Error 400 not increase the http_err_rate Counter?
Yes it does.
> The state is CR,
> so the requests do not reach our backend-servers, but my expectation is,
> that they get blocked at the loadbalancer. The below configuration works
> fine with 404 or 401 errors.
>
> Here's a sample logfile entry:
>
> Dec 11 11:56:40 lb01 haproxy[41488]: [REDACTED]:3641
> [11/Dec/2019:11:56:40.103] production~ production/<NOSRV> -1/-1/-1/-1/98 400
> 0 - - CR-- 461/461/0/0/0 0/0 "<BADREQ>"
>
> Configuration:
>
> stick-table type ip size 5M expire 2h store
> http_req_rate(60s),http_err_rate(60s),gpt0
> http-request track-sc0 src unless { src -f /etc/haproxy/whitelist.acl }
> http-request sc-set-gpt0(0) 1 if { sc_http_err_rate(0) ge LIMIT }
> tcp-request connection reject if { src,table_gpt0(production) eq 1 }
I think I get the issue. It's just that in case of a bad request you
never reach the http-request rules since there's no HTTP request in
the first place. You should move your "track-sc0" rule to tcp-request
connection instead.
Willy
