Hi Christopher
I tried your rule and it did not compile, but I am trying to understand it.
/haproxy02.cfg:20] : error detected while parsing an 'http-request tarpit'
condition : no such ACL : 'http-response'
I placed the rule in the frontend, but was thinking it should perhaps be in the
backend, as that is where the server is called and therefore produces the return code.
I understand the idea in your rule, but at the same time, I do not understand
the order of execution.
It looks like it has to be executed from the right with the " if {
capture.req.uri -m beg /login } { status 401 }" first.
But then what?
If I understand correctly
1) You save the request url in a table with capture.req.uri.
2) Then the server tries to execute the URL
3) Based on the server's return, the http-response (this part I have not fully
understood yet)
4) If the response is 401 then " http-request tarpit deny_status 429"
I will try to work a little more with your suggestion and see if I can get it to
work.
Regards
Henning
-Original message-
From: Christopher Faulet
Sent: 2 March 2022 09:06
To: haproxy@formilux.org
Subject: Re: Incompatible with 'frontend http-request header rule'
On 3/1/22 at 22:00, Henning Svane wrote:
> http-request track-sc0 src table table_login_limiter if { url_beg /login } { status 401 }
>
> http-request tarpit deny_status 429 if { sc_http_req_rate(0) gt 10 } { url_beg /login }
>
Hi,
You cannot match on the response status in a request rule. At this stage, the
response is not received yet. So, you should rely on an http-response rule
instead. But, at this stage, url_beg is no longer available because the request
was already sent. You must use capture.req.uri instead.
In addition, because the tracking will be performed during the response
evaluation, you must use the table_http_req_rate() converter to look up your
stick-table. (Note that in your tarpit rule, you must explicitly specify the
table name.)
You can try the following rules:
http-request tarpit deny_status 429 if { src,table_http_req_rate(table_login_limiter) gt 10 } { url_beg /login }
http-response track-sc0 src table table_login_limiter if { capture.req.uri -m beg /login } { status 401 }
You can also match on the url in an http-request rule to set a variable and use
it in the http-response rule.
Regards,
--
Christopher Faulet
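As an added illustration (not part of Christopher's reply or Henning's config), here is a complete frontend that puts his two rules together with the stick-table they depend on, and also shows the variable-based variant he mentions at the end. The `defaults` timeouts, the `www` and `app_servers` names, the 10m window and the 127.0.0.1:8080 server are assumptions; only `table_login_limiter`, the ACLs and the 429/401 values come from the thread.

```haproxy
# Constructed example configuration, not from the mailing-list thread.
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s
    timeout tarpit  10s          # how long a tarpitted client is held before the 429

# The stick-table lives in a dedicated backend so that both the request-side
# lookup and the response-side tracking can name it explicitly.
backend table_login_limiter
    stick-table type ip size 100k expire 10m store http_req_rate(10m)

frontend www
    bind :80

    # Request phase: the response status is not known yet, so this rule can
    # only READ the table. Because the counter is incremented in the response
    # phase, the read must go through table_http_req_rate(<table>) rather than
    # sc_http_req_rate(0), which would need a track-sc0 in the request phase.
    http-request tarpit deny_status 429 if { src,table_http_req_rate(table_login_limiter) gt 10 } { url_beg /login }

    # Optional: remember in a transaction variable that this was a login
    # request, so the response rule does not have to look at the URI again.
    http-request set-var(txn.login_req) int(1) if { url_beg /login }

    # Response phase: url_beg is no longer available because the request has
    # already been forwarded; capture.req.uri still is. Only 401 responses on
    # /login are counted, so successful logins never consume the budget.
    # Keeping this in the frontend is fine: http-response rules run when the
    # server's answer comes back, regardless of which section holds them.
    http-response track-sc0 src table table_login_limiter if { capture.req.uri -m beg /login } { status 401 }

    # Equivalent form using the variable set above instead of capture.req.uri:
    # http-response track-sc0 src table table_login_limiter if { var(txn.login_req) -m int 1 } { status 401 }

    default_backend app_servers

backend app_servers
    server app1 127.0.0.1:8080 check
```

Check the file with `haproxy -c -f <file>` before reloading; the "no such ACL : 'http-response'" error from the first message came from a response-side keyword being used inside a request rule, which this layout avoids.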