Hi Christopher

I tried your rule and it did not compile, but I am trying to understand it.
/haproxy02.cfg:20] : error detected while parsing an 'http-request tarpit' 
condition : no such ACL : 'http-response'
I placed the rule in the frontend, but was wondering whether it should be in the 
backend, as that is where the server is called and hence produces the return code.

I understand the idea in your rule, but at the same time I do not understand 
the order of execution.
It looks like it has to be executed from the right, with the "if { 
capture.req.uri -m beg /login } { status 401 }" first.
But then what?

If I understand correctly:
1) You save the request URL in a table with capture.req.uri.
2) Then the server tries to execute the URL.
3) Based on the server's return, the http-response rule applies (this part I have 
not fully understood yet).
4) If the response is 401, then "http-request tarpit deny_status 429".

I will try to work a little more with your suggestion and see if I can get it to 
work.

Regards
Henning



-----Original message-----
From: Christopher Faulet <cfau...@haproxy.com> 
Sent: 2 March 2022 09:06
To: haproxy@formilux.org
Subject: Re: Incompatible with 'frontend http-request header rule'

On 3/1/22 at 22:00, Henning Svane wrote:
> http-request track-sc0 src table table_login_limiter if { url_beg /login } { status 401 }
> 
> http-request tarpit deny_status 429 if { sc_http_req_rate(0) gt 10 } { url_beg /login }
> 

Hi,

You cannot match on the response status in a request rule. At this stage, the 
response is not received yet. So, you should rely on an http-response rule 
instead. But, at this stage, url_beg is no longer available because the request 
was already sent. You must use capture.req.uri instead.

In addition, because the tracking will be performed during the response 
evaluation, you must use table_http_req_rate() converter to look up in your 
stick-table. (Note that in your tarpit rule, you must explicitly specify the 
table name)

You can try the following rules:

http-request tarpit deny_status 429 if { src,table_http_req_rate(table_login_limiter) gt 10 } { url_beg /login }
http-response track-sc0 src table table_login_limiter if { capture.req.uri -m beg /login } { status 401 }

You can also match on the url in an http-request rule to set a variable and use 
it in the http-response rule.

Regards,
--
Christopher Faulet
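
The following is an added example, not a configuration from this thread or from the HAProxy project. It puts Christopher's two rules into a complete configuration that counts 401 responses to /login per client address and tarpits further login requests from that address once the rate exceeds 10 in 10 seconds, and it also shows the variable-based variant mentioned in his last paragraph (a transaction variable set in an http-request rule and read in the http-response rule). The section names fe_http and be_app, the 10s window, the 100k table size and the variable name txn.req_path are assumptions made for this illustration.

```haproxy
# Added example (not from the thread): failed-login rate limiting.
# Assumed names: fe_http, be_app, txn.req_path; assumed window: 10s.
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s
    timeout tarpit  10s      # how long a tarpitted client is held before the 429

# A dedicated backend gives the stick-table the name the rules refer to.
backend table_login_limiter
    stick-table type ip size 100k expire 10m store http_req_rate(10s)

frontend fe_http
    bind :80
    default_backend be_app

    # Request phase: the response status does not exist yet, so only the URL
    # and the rate already recorded in the table can be tested. The table name
    # must be given to the converter because nothing is tracked on the request.
    http-request tarpit deny_status 429 if { src,table_http_req_rate(table_login_limiter) gt 10 } { url_beg /login }

    # Remember the request path in a transaction variable; url_beg is no longer
    # available once the request has been forwarded to the server.
    http-request set-var(txn.req_path) path

    # Response phase: increment the counter only for failed logins. Each
    # track-sc0 hit counts towards http_req_rate(10s) for that source address.
    http-response track-sc0 src table table_login_limiter if { var(txn.req_path) -m beg /login } { status 401 }

backend be_app
    server app1 127.0.0.1:8080
```

Validate the file with haproxy -c -f <file> before loading it. Successful logins never reach the track-sc0 rule, so only failures count; a client that keeps failing is held for timeout tarpit and then answered with 429, while requests outside /login are unaffected.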
