Haproxy consulting

From: Cory Forsyth <cory.forsyth#gmail.com>
Date: Tue, 18 Oct 2011 12:39:55 -0400

Hi, my company would like to hire someone for a few hours' worth of consulting time to help us gut-check our haproxy configuration and setup.

In particular, this is what we are trying to do:

We are trying to limit connections to our server by IP address, but over a given time window for each IP. If it has connected in the last 5 minutes it is allowed to continue connecting, regardless of whether the IP limit has been reached.
If it is a new IP, it is only allowed if the number of other IPs is below the limit. So if an IP gets "in", as long as it continues to connect at least once every 5 minutes it will always be allowed to continue connecting.

I have set something up to do this using a secondary process to check the haproxy stick-table (via socat) for the number of entries (the entries are tracked by IP and expired after 5 minutes), and if the number of entries is greater than the limit this shuts down a Sinatra ruby app that is configured as a backend in haproxy's config, and the configured frontend has an ACL that checks whether that backend is down when deciding if it can allow in a new IP.

We'd like some expert eyes to look over this setup and suggest alternatives or improvements, and also suggestions for how to load test this setup to make sure it will work well at scale.

Cory

Received on 2011/10/18 18:39
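The admission policy Cory describes (an IP that has connected within the last 5 minutes is always allowed; a new IP is allowed only while the number of live entries is below the limit) can be modelled directly, which is useful for reasoning about the stick-table expiry and for generating synthetic traces before a load test. The Ruby below is an added example, not code from Cory's setup or from HAProxy; it keeps an in-memory map of IP to last-seen time standing in for the stick table, and the IP addresses, limit and timestamps in the trace are constructed.

```ruby
# Added example: a model of the time-windowed IP admission policy.
# The hash below stands in for the haproxy stick-table (ip -> last seen).
class IpAdmissionTable
  def initialize(limit:, window_seconds: 300)
    @limit = limit
    @window = window_seconds
    @last_seen = {} # ip => Time of most recent connection
  end

  # Stick-table expiry: drop entries idle for longer than the window.
  def expire!(now)
    @last_seen.delete_if { |_ip, seen| now - seen > @window }
  end

  # Number of live entries, the figure a socat-based checker would read.
  def active_count(now)
    expire!(now)
    @last_seen.size
  end

  # Decide whether a connection from +ip+ at time +now+ is admitted.
  def admit?(ip, now)
    expire!(now)
    if @last_seen.key?(ip)
      @last_seen[ip] = now # known IP: refresh and allow regardless of the limit
      true
    elsif @last_seen.size < @limit
      @last_seen[ip] = now # new IP: admitted only while room remains
      true
    else
      false # new IP while the table is full: rejected
    end
  end
end

# Replay a trace of [seconds, ip] pairs and return [seconds, ip, admitted?].
def replay(trace, limit:, window_seconds: 300)
  table = IpAdmissionTable.new(limit: limit, window_seconds: window_seconds)
  trace.map { |t, ip| [t, ip, table.admit?(ip, Time.at(t))] }
end

# Constructed trace: two slots, 5-minute window.
SAMPLE_TRACE = [
  [0,   '10.0.0.1'], # admitted, slot 1
  [1,   '10.0.0.2'], # admitted, slot 2
  [2,   '10.0.0.3'], # rejected: both slots held
  [100, '10.0.0.1'], # known IP, refreshed
  [310, '10.0.0.3'], # 10.0.0.2 idle since t=1, expired; admitted
  [320, '10.0.0.2'], # rejected: .1 and .3 now hold the slots
  [700, '10.0.0.2'], # both .1 (t=100) and .3 (t=310) expired; admitted
].freeze

if __FILE__ == $PROGRAM_NAME
  replay(SAMPLE_TRACE, limit: 2).each do |t, ip, ok|
    puts format('t=%4d %-10s %s', t, ip, ok ? 'admit' : 'reject')
  end
end
```

Replaying a trace like this against the intended limit and window is a cheap way to confirm the policy behaves as described at the boundaries (an IP that last connected exactly at the window edge, the moment a slot frees up) before pointing a load generator at the real frontend. Note that the external checker only sees a stale count between polls, so in a load test it is worth measuring how many new IPs slip in between the table crossing the limit and the backend being marked down.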

This archive was generated by hypermail 2.2.0 : 2011/10/18 18:45 CEST