Re: Using ratelimit as shown on serverfault.com

From: Willy Tarreau <w#1wt.eu>
Date: Sun, 12 Sep 2010 21:27:59 +0200


Hi Matt,

On Wed, Sep 08, 2010 at 06:17:53PM +0100, Matt wrote:
> Okay, think I found it:
>
> - acl source_is_abuser src_get_gpc0(http) gt 0
> + acl source_is_abuser sc1_get_gpc0(http) gt 0

In your case it should not change anything. Keep in mind that the "tcp-request" rules are evaluated well before the use_backend rules, so for better readability, you should switch them:

        stick-table type ip size 200k expire 10m store gpc0
        acl source_is_abuser src_get_gpc0(http) gt 0
        tcp-request connection track-sc1 src if ! source_is_abuser
        use_backend error if source_is_abuser

        acl apache_01 hdr_sub(host) -i example.com
        use_backend webserver if apache_01

Then you see that in both cases, the use_backend rule has both the source ("src") or the tracking pointer ("sc1") available. In my opinion even the initial config ought to work.

Regards,
Willy

> On 8 September 2010 17:56, Matt <mattmoran76#gmail.com> wrote:
> > Hi guys,
> >
> > I'm trying out the rate limit feature in 1.5-dev2.  My config is
> > below.  It appears to work in the sense that after the limit the
> > connection is dropped, but I actually want the connection to go to the
> > error backend, rather than the webserver backend and get dropped.  I'm
> > guessing my logic in the frontend config is wrong rather than it being
> > a bug.
> >
> > Thanks,
> >
> > Matt
> >
> > defaults
> >        mode   http
> >        option  httplog
> >        option  log-separate-errors
> >        option  httpchk HEAD /available HTTP/1.0
> >        monitor-uri /haproxy_test
> >        option  allbackups
> >        http-check disable-on-404
> >        retries         3
> >        option  redispatch
> >        maxconn         2000
> >        timeout connect 5s
> >        timeout client  60s
> >        timeout server  60s
> >        timeout http-request 10s
> >        timeout http-keep-alive 2s
> >        timeout check 10s
> > frontend ha-01-apache *:80
> >        log 127.0.0.1:516   local0 info
> >        option http-pretend-keepalive
> >
> >        stick-table type ip size 200k expire 10m store gpc0
> >        acl source_is_abuser src_get_gpc0(http) gt 0
> >        use_backend error if source_is_abuser
> >        tcp-request connection track-sc1 src if ! source_is_abuser
> >
> >        acl apache_01 hdr_sub(host) -i example.com
> >        use_backend webserver if apache_01
> > backend webserver
> >        log 127.0.0.1:516   local0 info
> >        option http-server-close
> >
> >        stick-table type ip size 200k expire 30s store conn_rate(100s)
> >        tcp-request content track-sc2 src
> >        acl conn_rate_abuse sc2_conn_rate gt 5
> >        acl mark_as_abuser sc1_inc_gpc0 gt 0
> >        tcp-request content reject if conn_rate_abuse mark_as_abuser
> >
> >        server apache 127.0.0.1:81 check inter 15s rise 2 fall 2
> > backend error
> >        errorfile 503 /etc/haproxy/errorfiles/503.http
> >
>
Received on 2010/09/12 21:27
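As an added example (not part of the thread and not HAProxy's own documentation), here is Matt's configuration with the frontend rules written in the order Willy describes, annotated with the phase in which HAProxy evaluates each rule. Section names, counters, thresholds and the 503 error file path are taken from the thread; the defaults section is trimmed to the timeouts. The comments on evaluation order and the use of the frontend's own table for src_get_gpc0 (the thread writes src_get_gpc0(http); here the table argument is left out, which is assumed to select the current proxy's table) are assumptions added for this example.

```haproxy
# Added example: rate-limit config from the thread, rules in evaluation order.
defaults
        mode    http
        timeout connect 5s
        timeout client  60s
        timeout server  60s

frontend ha-01-apache *:80
        # Per-source counter; gpc0 is incremented by the backend on abuse.
        stick-table type ip size 200k expire 10m store gpc0
        # Looks the source up in this frontend's table (assumed default
        # when no table name is given).
        acl source_is_abuser src_get_gpc0 gt 0

        # Phase 1: "tcp-request connection" runs at accept time, before
        # any use_backend rule. Sources already marked are not tracked again.
        tcp-request connection track-sc1 src if ! source_is_abuser

        # Phase 2: backend selection, after the request has been parsed.
        # Both "src" and the sc1 tracking pointer are usable here.
        use_backend error if source_is_abuser
        acl apache_01 hdr_sub(host) -i example.com
        use_backend webserver if apache_01

backend webserver
        option http-server-close
        # Short-lived table measuring each source's connection rate.
        stick-table type ip size 200k expire 30s store conn_rate(100s)
        tcp-request content track-sc2 src
        acl conn_rate_abuse sc2_conn_rate gt 5
        # sc1_inc_gpc0 increments gpc0 in the frontend table when evaluated,
        # so it sits last in the condition: ACL terms are ANDed left to right
        # and this one is only reached once conn_rate_abuse has matched.
        acl mark_as_abuser sc1_inc_gpc0 gt 0
        # First offending request: rejected here. Later requests from the
        # same source: gpc0 > 0 in the frontend, routed to "error".
        tcp-request content reject if conn_rate_abuse mark_as_abuser
        server apache 127.0.0.1:81 check inter 15s rise 2 fall 2

backend error
        # No servers: every request routed here gets the 503 page.
        errorfile 503 /etc/haproxy/errorfiles/503.http
```

Validate with `haproxy -c -f <file>` before loading it; the flow to check is that the first over-rate request from a source is rejected by the webserver backend and that every later request from that source is answered with the 503 page by the error backend until the 10m frontend table entry expires.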
