John,

On 19.11.20 at 06:57, John Lauro wrote:
> A couple of possible options...
> You could use tcp-request inspect-delay to delay the response a number of
> seconds (and accept it quick if legitimate traffic).

I believe the tcp-(request|response) rules only apply to the very first buffer of a single TCP connection and thus do not apply here. Let me give an example of what I want to do.

1) Client connects
2) Client performs TLS handshake
3) Client sends HTTP request
4) Server sends response
5) Client sends HTTP request over the same connection (H1 keep-alive / H2). tcp-request / tcp-response does not apply here.
6) Server sends response
7) Repeat steps 4 and 5.

If I start detecting unusual request rates for the client I would like to piggy-back a clean (!) close onto step 6, forcing the client to perform steps 1 and 2 again.

> You could use redirects which will have the clients do more requests
> (Possibly with the inspect delays).

Redirects do not play well with POST requests and they are very cheap on keep-alive connections. The costly part is the TLS handshake.

> That said, it would be useful to force a client connection closed at times,
> but there are ways to protect the backends and slow some clients without
> completely blocking them.

I went ahead and filed a feature request in the tracker now: https://github.com/haproxy/haproxy/issues/969

Thanks for the suggestions to both of you :-)

Best regards
Tim Düsterhus
Developer WoltLab GmbH

--
WoltLab GmbH
Nedlitzer Str. 27B
14469 Potsdam
Tel.: +49 331 96784338
duester...@woltlab.com
www.woltlab.com
Managing director: Marcel Werk
AG Potsdam HRB 26795
P
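As an added illustration of the mechanism Tim asks for (a clean close piggy-backed onto the response once a client's request rate looks unusual), and not code from the thread or from HAProxy: a small Python model of the HTTP/1.1 case, where the server appends `Connection: close` after delivering the full response so the next request costs the client a fresh TCP and TLS handshake. The rate window, limit and the client simulation are constructed assumptions.

```python
import collections

# Constructed sample thresholds: more than 20 requests in any 10 s window
# counts as "unusual" for this illustration.
WINDOW_SECONDS = 10.0
MAX_REQUESTS_PER_WINDOW = 20


class RequestRateTracker:
    """Sliding-window request counter keyed by client identity (not by connection,
    so reconnecting after a forced close does not reset the count)."""

    def __init__(self, window=WINDOW_SECONDS, limit=MAX_REQUESTS_PER_WINDOW):
        self.window = window
        self.limit = limit
        self._events = collections.defaultdict(collections.deque)

    def record(self, client, now):
        """Record one request at time `now`; return True if the client is over the limit."""
        q = self._events[client]
        q.append(now)
        while q and now - q[0] > self.window:  # drop timestamps outside the window
            q.popleft()
        return len(q) > self.limit


def build_response_headers(tracker, client, now, headers):
    """Return the response headers, adding Connection: close for a noisy client.
    The response itself is still sent in full (a clean close), but keep-alive ends,
    so the client must redo steps 1 and 2 (TCP connect + TLS handshake)."""
    headers = dict(headers)
    if tracker.record(client, now):
        headers["Connection"] = "close"
    return headers


def simulate_client(tracker, client, n_requests, interval):
    """Send n_requests over keep-alive; return how many handshakes the client paid."""
    handshakes = 1  # the initial connection
    connected = True
    now = 0.0
    for _ in range(n_requests):
        if not connected:
            handshakes += 1  # forced to reconnect and re-handshake
            connected = True
        resp = build_response_headers(tracker, client, now, {"Content-Type": "text/html"})
        if resp.get("Connection") == "close":
            connected = False
        now += interval
    return handshakes
```

For HTTP/2 the equivalent clean close is a GOAWAY frame sent after the response stream completes; the decision logic stays the same.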