Re: TCP reject logging of request
>> denied connections. I use a simple 'ab' call to stress it.
>
> This is expected, you're rejecting at the earliest possible moment, where no
> logs can be produced ("tcp-request connection"). If you want to get some
> logs, reject a bit later, using "tcp-request content".
>
> Note that it works when you're in http mode because your backend's
> tcp-request content rule probably matches at a lower rate than the
> frontend's rule. This rule however does not match in TCP mode since there's
> no HTTP request.
>
> Regards,
> Willy

Ok thanks, I was misled by the backend tcp-request content and forgot the
frontend tcp-request connection. Thanks a lot for this clarification!

Regards,
Ghislain.
Re: TCP reject logging of request
Hi,

On Mon, Aug 12, 2013 at 04:45:42PM +0200, Ghislain wrote:
> On 05/08/2013 10:44, Baptiste wrote:
> > Hi Ghislain,
> >
> > To log such rejected connection please ensure you don't have the
> > "dontlognull" option enabled and you're rejecting connections using
> > the "tcp-request content" statement.
> >
> > Baptiste
>
> Thanks for the hint, I was using dontlognull so I just removed it and
> added the "no option" in the frontend.
>
> I use a simple thing like this:
>
>   frontend ft_https
>     mode tcp
>     no option dontlognull
>     option tcplog
>     bind 0.0.0.0:443
>     stick-table type ip size 500k expire 30s store gpc0,http_req_rate(10s),conn_cur
>     tcp-request connection track-sc1 src
>     tcp-request connection reject if { src_get_gpc0 gt 0 } or { src_conn_cur ge 30 }
>     default_backend bk_https
>
>   backend bk_https
>     mode tcp
>     balance roundrobin
>     acl abuse src_http_req_rate(ft_https) ge 200
>     acl flag_abuser src_inc_gpc0(ft_https)
>     tcp-request content reject if abuse flag_abuser
>
> I cannot get any log for rejects. The same version in http mode gives
> me a log with the PR-- flag, which is good as it indicates a reject because
> of a deny rule, but in TCP mode I am unable to get any logging of the
> denied connections. I use a simple 'ab' call to stress it.

This is expected, you're rejecting at the earliest possible moment, where no
logs can be produced ("tcp-request connection"). If you want to get some
logs, reject a bit later, using "tcp-request content".

Note that it works when you're in http mode because your backend's
tcp-request content rule probably matches at a lower rate than the
frontend's rule. This rule however does not match in TCP mode since there's
no HTTP request.

Regards,
Willy
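To make Willy's point concrete, here is an added example (not part of the thread and not Ghislain's actual config) that keeps his frontend names and moves the reject from the connection phase to the content phase so that each rejected session produces a tcplog line; it assumes a "global" section with a "log" directive and a placeholder backend server.

```haproxy
frontend ft_https
    mode tcp
    # Leave "option dontlognull" unset (the default): enabling it would
    # suppress the very short sessions that a reject produces.
    option tcplog
    log global
    bind 0.0.0.0:443
    # http_req_rate is not stored here: in TCP mode there is no HTTP request,
    # so that counter never increments (Willy's remark above).
    stick-table type ip size 500k expire 30s store gpc0,conn_cur

    # Tracking may stay in the connection phase; it produces no log by itself.
    tcp-request connection track-sc1 src

    # Silent version (what the original config did): the connection is dropped
    # before a session exists, so nothing can be logged.
    #tcp-request connection reject if { src_get_gpc0 gt 0 } or { src_conn_cur ge 30 }

    # Logged version: the same condition evaluated one step later. A session
    # exists at this point, so the reject is written to the tcplog with the
    # termination state "PR" (proxy blocked the request).
    tcp-request content reject if { src_get_gpc0 gt 0 } or { src_conn_cur ge 30 }

    default_backend bk_https

backend bk_https
    mode tcp
    balance roundrobin
    # placeholder server, assumption for this example
    server srv1 192.0.2.10:443
```

The src_* fetches only read the stick-table, so no "tcp-request inspect-delay" is needed for the content rule to be evaluated immediately.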
Re: TCP reject logging of request
On 05/08/2013 10:44, Baptiste wrote:
> Hi Ghislain,
>
> To log such rejected connection please ensure you don't have the
> "dontlognull" option enabled and you're rejecting connections using
> the "tcp-request content" statement.
>
> Baptiste

Thanks for the hint, I was using dontlognull so I just removed it and
added the "no option" in the frontend.

I use a simple thing like this:

  frontend ft_https
    mode tcp
    no option dontlognull
    option tcplog
    bind 0.0.0.0:443
    stick-table type ip size 500k expire 30s store gpc0,http_req_rate(10s),conn_cur
    tcp-request connection track-sc1 src
    tcp-request connection reject if { src_get_gpc0 gt 0 } or { src_conn_cur ge 30 }
    default_backend bk_https

  backend bk_https
    mode tcp
    balance roundrobin
    acl abuse src_http_req_rate(ft_https) ge 200
    acl flag_abuser src_inc_gpc0(ft_https)
    tcp-request content reject if abuse flag_abuser

I cannot get any log for rejects. The same version in http mode gives
me a log with the PR-- flag, which is good as it indicates a reject because
of a deny rule, but in TCP mode I am unable to get any logging of the
denied connections. I use a simple 'ab' call to stress it.

Regards,
Ghislain.
Re: TCP reject logging of request
Hi Ghislain,

To log such rejected connection please ensure you don't have the
"dontlognull" option enabled and you're rejecting connections using
the "tcp-request content" statement.

Baptiste

On Wed, Jul 31, 2013 at 8:22 PM, Ghislain wrote:
> Hi list!
>
> I am using haproxy 1.5 to set up basic filtering. It has been quite some
> time since Exceliance gave me the instructions about it, but here we are,
> moving into putting those into production.
>
> The issue I have is that if I use tcp reject in my rule, the reject works
> fine but leaves no trace at all in the logs (I am using the tcplog option).
> Therefore I cannot see if it triggers and debug it easily. Is there a way to
> log those rejects?
>
> Best regards,
> Ghislain.
TCP reject logging of request
Hi list!

I am using haproxy 1.5 to set up basic filtering. It has been quite some
time since Exceliance gave me the instructions about it, but here we are,
moving into putting those into production.

The issue I have is that if I use tcp reject in my rule, the reject works
fine but leaves no trace at all in the logs (I am using the tcplog option).
Therefore I cannot see if it triggers and debug it easily. Is there a way to
log those rejects?

Best regards,
Ghislain.