Re: Incompatible with 'frontend http-request header rule'

2022-03-03 Thread Henning Svane
Hi Christopher

I tried your rule and it did not compile, but I am trying to understand it.
/haproxy02.cfg:20] : error detected while parsing an 'http-request tarpit' 
condition : no such ACL : 'http-response'
I placed the rule in the frontend, but was wondering whether it should be in the 
backend, as that is where the server is called and thereby produces the return code.

I understand the idea in your rule, but at the same time, I do not understand 
the order of execution.
It looks like it has to be executed from the right, with the 
" if { capture.req.uri -m beg /login } { status 401 }" first.
But then what?

If I understand correctly:
1) You save the request URL in a table with capture.req.uri.
2) Then the server tries to execute the URL.
3) Based on what the server returns, the http-response (this part I have not fully 
understood yet)
4) If the response is 401, then " http-request tarpit deny_status 429"

I will try to work a little more with your suggestion and see if I can get it to 
work.

Regards
Henning



-----Original Message-----
From: Christopher Faulet  
Sent: 2 March 2022 09:06
To: haproxy@formilux.org
Subject: Re: Incompatible with 'frontend http-request header rule'

On 3/1/22 at 22:00, Henning Svane wrote:
> http-request track-sc0 src table table_login_limiter if { url_beg /login } { status 401 }
> 
> http-request tarpit deny_status 429 if { sc_http_req_rate(0) gt 10 } { url_beg /login }
> 

Hi,

You cannot match on the response status in a request rule. At this stage, the 
response is not received yet. So, you should rely on an http-response rule 
instead. But, at this stage, url_beg is no longer available because the request 
was already sent. You must use capture.req.uri instead.

In addition, because the tracking will be performed during the response 
evaluation, you must use the table_http_req_rate() converter to look up in your 
stick-table. (Note that in your tarpit rule, you must explicitly specify the 
table name.)

You can try the following rules:

http-request tarpit deny_status 429 if { src,table_http_req_rate(table_login_limiter) gt 10 } { url_beg /login }
http-response track-sc0 src table table_login_limiter if { capture.req.uri -m beg /login } { status 401 }

You can also match on the url in an http-request rule to set a variable and use 
it in the http-response rule.

Regards,
--
Christopher Faulet
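
The rules from the reply above placed in a minimal configuration, using the variable approach mentioned in its last paragraph; this is an added example, not part of the original thread. The stick-table definition, timeouts, bind port, server address, section names other than table_login_limiter, and the variable name txn.is_login are assumptions chosen for illustration.

```haproxy
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s
    # How long a tarpitted client is held before the 429 is sent (assumed value)
    timeout tarpit  10s

# Dedicated section holding the table (assumed sizing and period).
# http_req_rate is the counter that table_http_req_rate() reads.
backend table_login_limiter
    stick-table type ip size 100k expire 10m store http_req_rate(10m)

frontend fe_web
    bind :8080

    # --- Request stage: the response does not exist yet ---
    # Remember that this transaction targets /login, so the response
    # stage does not need the URL any more.
    http-request set-var(txn.is_login) bool(true) if { url_beg /login }

    # Nothing is tracked on this stream at request time, so the rate is
    # looked up by key (src) in the explicitly named table.
    http-request tarpit deny_status 429 if { src,table_http_req_rate(table_login_limiter) gt 10 } { url_beg /login }

    # --- Response stage: the status is known, url_beg is not ---
    # Only failed logins (401) are recorded against the client address.
    http-response track-sc0 src table table_login_limiter if { var(txn.is_login) -m bool } { status 401 }

    default_backend be_app

backend be_app
    # Constructed application server address
    server app1 127.0.0.1:8000
```

The request rules run before the request is forwarded and the response rule runs after the server has answered, so a client is only tarpitted on the request that follows its eleventh recorded 401 within the table's period.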



Always add "reason"

2022-03-03 Thread Marco Corte

Hi!

I can add a "reason phrase" to a response based on the HTTP status like 
this:


http-response set-status 200 reason OK if { status eq 200 }

Is there any way to add the reason phrase for a set of codes without an 
explicit rule for each code?

I would like to write a set of rules like this

http-response set-status 200 reason OK if { status eq 200 }
http-response set-status %[status] reason NotOK unless { status eq 200 }

Thank you

.marcoc



Re: Is there some kind of program that mimics a problematic HTTP server?

2022-03-03 Thread Lukas Tribus
Hello,

take a look at how we are using tests with vtc/vtest in
doc/regression-testing.txt.

Maybe this tool can be useful for your use-case.


Lukas