Re: TCP reject logging of request

2013-08-14 Thread Ghislain


> > denied connections. I use a simple 'ab' call to stress it.
> 
> This is expected, you're rejecting at the earliest possible moment, where
> no logs can be produced ("tcp-request connection"). If you want to get some
> logs, reject a bit later, using "tcp-request content". Note that it works
> when you're in http mode because your backend's tcp-request content rule
> probably matches at a lower rate than the frontend's rule. This rule however
> does not match in TCP mode since there's no HTTP request.
> 
> Regards,
> Willy


ok thanks, I was misled by the backend tcp-request content and forgot
the frontend tcp-request connection. Thanks a lot for this clarification!


regards,
Ghislain.





Re: TCP reject logging of request

2013-08-13 Thread Willy Tarreau
Hi,

On Mon, Aug 12, 2013 at 04:45:42PM +0200, Ghislain wrote:
> On 05/08/2013 10:44, Baptiste wrote:
> >Hi Ghislain,
> >
> >To log such rejected connections, please ensure you don't have the
> >"dontlognull" option enabled and you're rejecting connections using
> >the "tcp-request content" statement.
> >
> >Baptiste
> 
> 
> thanks for the hint, I was using dontlognull so I just removed it and
> added the no option in the frontend
> 
> I use a simple thing like this:
> 
> 
> frontend ft_https
>     mode tcp
>     no option dontlognull
>     option tcplog
>     bind 0.0.0.0:443
>     stick-table type ip size 500k expire 30s store gpc0,http_req_rate(10s),conn_cur
>     tcp-request connection track-sc1 src
>     tcp-request connection reject if { src_get_gpc0 gt 0 } or { src_conn_cur ge 30 }
> 
>     default_backend bk_https
> 
> backend bk_https
>     mode tcp
>     balance roundrobin
>     acl abuse src_http_req_rate(ft_https) ge 200
>     acl flag_abuser src_inc_gpc0(ft_https)
>     tcp-request content reject if abuse flag_abuser
> 
> I cannot have any log for rejects; the same version in http mode gives
> me a log with the PR-- flag, which is good as it indicates a reject because
> of a deny rule, but in TCP mode I am unable to get any logging of the
> denied connections. I use a simple 'ab' call to stress it.

This is expected, you're rejecting at the earliest possible moment, where
no logs can be produced ("tcp-request connection"). If you want to get some
logs, reject a bit later, using "tcp-request content". Note that it works
when you're in http mode because your backend's tcp-request content rule
probably matches at a lower rate than the frontend's rule. This rule however
does not match in TCP mode since there's no HTTP request.

Regards,
Willy
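The change Willy describes, written out as a complete configuration: the reject is moved from the connection stage to the content stage so that every denied client still produces a tcplog line. This is an added example, not configuration from the thread; the syslog target, timeouts and backend server address are assumed.

```haproxy
# Added example: Ghislain's frontend with the reject moved from
# "tcp-request connection" (too early for any log line) to
# "tcp-request content" (the session exists, so it can be logged).
global
    log 127.0.0.1:514 local0            # assumed syslog target

defaults
    log global
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend ft_https
    mode tcp
    option tcplog
    no option dontlognull               # a rejected session transfers no data; keep it logged
    bind 0.0.0.0:443
    stick-table type ip size 500k expire 30s store gpc0,http_req_rate(10s),conn_cur

    # Tracking may stay at connection level: it emits no log on its own.
    tcp-request connection track-sc1 src

    # Allow content rules to run in TCP mode. src_* fetches resolve at once,
    # so the delay is only an upper bound while waiting for client data.
    tcp-request inspect-delay 5s

    # Rejecting here, rather than in "tcp-request connection", yields a tcplog
    # line with a PR-- termination state for each denied client.
    tcp-request content reject if { src_get_gpc0 gt 0 } or { src_conn_cur ge 30 }

    default_backend bk_https

backend bk_https
    mode tcp
    balance roundrobin
    # As Willy notes, http_req_rate never increments in TCP mode (no HTTP
    # request is parsed), so this rule is inert here; kept as in the thread.
    acl abuse src_http_req_rate(ft_https) ge 200
    acl flag_abuser src_inc_gpc0(ft_https)
    tcp-request content reject if abuse flag_abuser
    server srv1 10.0.0.10:443           # assumed backend address
```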




Re: TCP reject logging of request

2013-08-12 Thread Ghislain

On 05/08/2013 10:44, Baptiste wrote:

Hi Ghislain,

To log such rejected connections, please ensure you don't have the
"dontlognull" option enabled and you're rejecting connections using
the "tcp-request content" statement.

Baptiste



thanks for the hint, I was using dontlognull so I just removed it and
added the no option in the frontend


I use a simple thing like this:


frontend ft_https
    mode tcp
    no option dontlognull
    option tcplog
    bind 0.0.0.0:443
    stick-table type ip size 500k expire 30s store gpc0,http_req_rate(10s),conn_cur

    tcp-request connection track-sc1 src
    tcp-request connection reject if { src_get_gpc0 gt 0 } or { src_conn_cur ge 30 }

    default_backend bk_https

backend bk_https
    mode tcp
    balance roundrobin
    acl abuse src_http_req_rate(ft_https) ge 200
    acl flag_abuser src_inc_gpc0(ft_https)
    tcp-request content reject if abuse flag_abuser




I cannot have any log for rejects; the same version in http mode gives
me a log with the PR-- flag, which is good as it indicates a reject because
of a deny rule, but in TCP mode I am unable to get any logging of the
denied connections. I use a simple 'ab' call to stress it.



regards,
Ghislain.






Re: TCP reject logging of request

2013-08-05 Thread Baptiste
Hi Ghislain,

To log such rejected connections, please ensure you don't have the
"dontlognull" option enabled and you're rejecting connections using
the "tcp-request content" statement.

Baptiste


On Wed, Jul 31, 2013 at 8:22 PM, Ghislain  wrote:
> hi list!
>
>   I am using haproxy 1.5 to setup basic filtering, it has been quite some time
> since Exceliance gave me the instructions about it but here we are moving into
> putting those into production.
>
>   The issue I have is that if I use tcp reject in my rule the reject works
> fine but leaves no trace at all in the logs (I am using the tcplog option).
> Therefore I cannot see if it triggers and debug it easily. Is there a way to
> log those rejects?
>
> best regards,
> Ghislain.
>



TCP reject logging of request

2013-07-31 Thread Ghislain

hi list!

  I am using haproxy 1.5 to setup basic filtering, it has been quite some time
since Exceliance gave me the instructions about it but here we are moving
into putting those into production.


  The issue I have is that if I use tcp reject in my rule the reject
works fine but leaves no trace at all in the logs (I am using the tcplog
option). Therefore I cannot see if it triggers and debug it easily. Is
there a way to log those rejects?


best regards,
Ghislain.




