My bad, most likely.
After killing the haproxy process completely (instead of just doing config
reloads) and restarting it, the problem can't be reproduced anymore
without the rate limiting config.
So most likely it was simply rejecting the request where it seemed to
be serving 'random' blank pages, due to the config not being reloaded
properly.
The number of denied reqs in the stats is 0 all along, though. Bug?
Let me modify the question then:
All I'm trying to achieve is a simple rate limiting config against
(D)DoS attacks.
Need to:
- Serve a custom 503 page when a client is banned (never give a blank page)
- Ban at over 30 reqs/10 secs, temp ban for 10 mins then
Based on "better rate limiting" and the docs, I came up with the config
below, but the problem is, the rate limiting does not take place with
"use_backend ease-up if conn_rate_abuse mark_as_abuser" in the
backend, while it does _reject_ the page if I use "tcp-request content
reject if conn_rate_abuse mark_as_abuser" in there (but I need the custom
503 as stated above).
By the way: to achieve this with as simple a config as possible, could 2
stick-table configs be put under a single listen block (I don't need
separate frontend/backend blocks for anything but this)?
So the config is as follows:
global
    log 127.0.0.1 daemon debug
    maxconn 1024
    chroot /var/chroot/haproxy
    uid 99
    gid 99
    daemon
    quiet
    pidfile /var/run/haproxy-private2.pid

defaults
    log global
    mode http
    option httplog
    option dontlognull
    option redispatch
    retries 3
    maxconn 3000
    contimeout 4000
    clitimeout 1000
    srvtimeout 200000
    stats enable
    stats scope MyHost-webfarm
    stats uri /secretadmin?stats
    stats realm Haproxy\ Statistics
    stats auth user:pass

frontend MyHost-webfarm 82.136.111.111:8011
    option forwardfor
    default_backend works
    contimeout 6000
    clitimeout 2000
    errorfile 503 /usr/local/etc/503error.html

    ### (d)dos protection ###
    # check master 'banned' table first
    stick-table type ip size 200k expire 10m store gpc0
    acl source_is_abuser src_get_gpc0(http) gt 0
    use_backend ease-up if source_is_abuser
    tcp-request connection track-sc1 src if ! source_is_abuser

backend works
    option httpchk /!healthcheck.php
    option httpclose
    balance roundrobin
    server myserv1 192.168.0.4:80 check inter 5000 rise 2 fall 3
    server myserv2 192.168.0.3:80 check inter 5000 rise 2 fall 3

    stick-table type ip size 200k expire 1m store conn_rate(10s)
    # values below are specific to the backend
    tcp-request content track-sc2 src
    acl conn_rate_abuse sc2_conn_rate gt 3
    # abuse is marked in the frontend so that it's shared between all sites
    acl mark_as_abuser sc1_inc_gpc0 gt 0
    #tcp-request content reject if conn_rate_abuse mark_as_abuser
    use_backend ease-up if conn_rate_abuse mark_as_abuser

backend ease-up
    mode http
    errorfile 503 /usr/local/etc/503error_dos.html
Thanks for reading!
Joe
Quoting Willy Tarreau <[email protected]>:

> On Tue, Sep 14, 2010 at 11:39:05PM +0200, Jozsef R.Nagy wrote:
>> Hello guys,
>> Just been testing 1.5dev2 (and the most recent snapshot as well) on FreeBSD,
>> evaluating it for its anti-DoS capabilities.
>> The strange thing is, it starts up just fine, serves a few pages just
>> fine, then it returns blank pages.
>> After a minute or so it will deliver a few pages again and then blank
>> again. This does happen with no limitation config (no DoS protection) as
>> well.
>
> Could you please send your config? (You can send it to me privately
> if you prefer.) I suspect an uninitialized variable or something like
> this, though I don't understand why it would only strike on FreeBSD.
>
> Regards,
> Willy
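Added example, not part of the thread above and not a config that 1.5dev2 would accept: the two requirements from the post (custom 503 page for banned clients, ban after more than 30 requests in 10 seconds, ban held for 10 minutes) written for a current HAProxy release (assumed 1.6 or later, where `http-request track-sc0` and `http-request sc-inc-gpc0` exist). The reason the posted config never switches backends is that `use_backend` is only evaluated in frontend and listen sections, so the decision has to be made in the frontend, and a `tcp-request content reject` closes the connection without any HTTP response, which is exactly the blank page the post wants to avoid. The bind address, server addresses, backend names and errorfile paths are the ones from the posted config; `http_req_rate` is used instead of `conn_rate` because the requirement counts requests, and one keep-alive connection can carry many of them.

```haproxy
global
    log 127.0.0.1 local0
    maxconn 1024
    daemon

defaults
    mode http
    log global
    option httplog
    option dontlognull
    timeout connect 4s
    timeout client 10s
    timeout server 200s

frontend MyHost-webfarm
    bind 82.136.111.111:8011
    option forwardfor
    # Generic 503 page (backend down etc.), as in the posted config.
    errorfile 503 /usr/local/etc/503error.html

    # One table keyed by client IP. gpc0 is the "banned" flag and
    # http_req_rate counts requests in a sliding 10-second window.
    # The entry, and with it the ban, is dropped 10 minutes after the
    # client's last request (each tracked request refreshes the expiry).
    stick-table type ip size 200k expire 10m store gpc0,http_req_rate(10s)

    # Track every request against that table in sticky counter 0.
    http-request track-sc0 src

    acl banned     sc_get_gpc0(0) gt 0
    acl abuse_rate sc_http_req_rate(0) gt 30

    # The first request over the limit sets the ban flag...
    http-request sc-inc-gpc0(0) if abuse_rate !banned
    # ...and from then on the client is routed to a backend with no
    # servers, which answers 503 with the DoS page instead of dropping
    # the connection.
    use_backend ease-up if banned
    default_backend works

backend works
    option httpchk GET /!healthcheck.php
    balance roundrobin
    server myserv1 192.168.0.4:80 check inter 5000 rise 2 fall 3
    server myserv2 192.168.0.3:80 check inter 5000 rise 2 fall 3

backend ease-up
    # No servers here on purpose: every request gets this 503 page.
    errorfile 503 /usr/local/etc/503error_dos.html
```

Two things to check before relying on it: `expire 10m` is measured from the client's last request, not from the moment of the ban, so a client that keeps hammering stays banned until it stops for 10 minutes, which is usually what you want against a flood but is not a fixed 10-minute penalty; and because both counters live in a single table, the frontend lines above can just as well sit in one `listen` section together with the `works` servers, with only the server-less `ease-up` backend kept separate.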