On Wed, Sep 15, 2010 at 07:17:32AM +0200, R.Nagy József wrote:
> My bad, most likely.
> After killing haproxy process completely -instead of just config  
> reloads-, and restarting it, problem can't be reproduced anymore  
> without rate limiting config.

OK, thanks for this clarification.

> So most likely it was simply rejecting the request where it seemed to  
> be serving 'random' blank pages due to config not being reloaded  
> properly.

Indeed.

> Number of denied reqs in the stats is 0 all along though. Bug?

No it's expected if you drop at the connection level. Only sessions
are accounted right now in the stats. A session is defined as a
connection that has been accepted. The difference is important for
analyzing what causes the drops. More counters should be added, but
there will probably be some more general work on the stats first.

> Let me mod the question then though:
> All I'm trying to achieve is a simple rate limiting config against  
> (d)dos attacks.
> Need to:
> - Serve custom 503 page when client is banned (never give blank page)
> - Ban with over 30reqs/10secs, temp ban for 10mins then
> 
> Based on "better rate limiting" and docs, I came up with the config  
> below, but problem is, the rate limiting does not take place with
> "use_backend ease-up if conn_rate_abuse mark_as_abuser" in the  
> backend, while it does _reject_ the page if I use "tcp-request content  
> reject if conn_rate_abuse mark_as_abuser" in there (but I need custom  
> 503 as stated above).

In my opinion your config is OK for this and I see no reason why it
should not work (however you have "src_get_gpc0(http)" instead of
naming the correct frontend, but I assume that's because you renamed
the frontend before sending the conf).

> By the way: to achieve this with as simple config as possible, could 2  
> stick-tables config be put under a single listen block (don't need  
> separate frontend/backend blocks for anything but this)?

Yes, you could even have the same stick-table for this and store two
different data. The fact that the Stackoverflow's config makes use of
two stick tables is because they wanted to measure the request only
on some backends.

If you want to store both gpc0 and conn_rate over 10 seconds, simply
declare it this way:

     stick-table type ip size 200k expire 10m store gpc0,conn_rate(10s)

Regards,
Willy
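A single listen block that covers Joe's three requirements (custom 503 for banned clients, ban above 30 connections per 10 seconds, ban entry kept for 10 minutes) using the one-table form Willy suggests. This is an added example, not a config from the thread; the proxy name `webfarm`, the `bind` line and the reuse of Joe's server and errorfile lines are assumptions.

```haproxy
listen webfarm
    bind 82.136.111.111:8011
    mode http
    option forwardfor
    # with httpclose each request is expected to use its own connection,
    # so conn_rate stands in for the request rate
    option httpclose
    errorfile 503 /usr/local/etc/503error.html

    # one table holds both the connection rate over 10s and the "banned"
    # flag in gpc0; an entry lives 10 minutes after it was last refreshed
    stick-table type ip size 200k expire 10m store gpc0,conn_rate(10s)

    # already banned? look up gpc0 in this proxy's table before tracking
    acl source_is_abuser  src_get_gpc0(webfarm) gt 0
    tcp-request connection track-sc1 src if ! source_is_abuser

    # more than 30 connections in the last 10 seconds from this address
    acl conn_rate_abuse   sc1_conn_rate gt 30
    # set the ban flag: sc1_inc_gpc0 increments gpc0 and returns the new
    # value, so this ACL is always true and marks the address as abuser
    acl mark_as_abuser    sc1_inc_gpc0 gt 0

    # banned and freshly banned clients get the DoS 503 page, never a blank one
    use_backend ease-up if source_is_abuser
    use_backend ease-up if conn_rate_abuse mark_as_abuser

    balance roundrobin
    option httpchk /!healthcheck.php
    server myserv1 192.168.0.4:80 check inter 5000 rise 2 fall 3
    server myserv2 192.168.0.3:80 check inter 5000 rise 2 fall 3

backend ease-up
    mode http
    errorfile 503 /usr/local/etc/503error_dos.html
```

As in the thread, drops made at the connection level are not counted as denied requests in the stats page, so check the stick-table contents rather than the "denied" column to confirm the ban is taking effect.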

---
> So the config is as follows:
> global
>         log     127.0.0.1       daemon  debug
>         maxconn 1024
>         chroot /var/chroot/haproxy
>         uid 99
>         gid 99
>         daemon
>         quiet
>         pidfile /var/run/haproxy-private2.pid
> 
> defaults
>         log     global
>         mode    http
>         option  httplog
>         option  dontlognull
>         option redispatch
>         retries 3
>         maxconn 3000
>         contimeout      4000
>         clitimeout      1000
>         srvtimeout      200000
>         stats enable
>         stats scope MyHost-webfarm
>         stats uri     /secretadmin?stats
>         stats realm   Haproxy\ Statistics
>         stats auth    user:pass
> 
> 
> frontend MyHost-webfarm 82.136.111.111:8011
>     option forwardfor
>     default_backend works
> 
>     contimeout  6000
>     clitimeout  2000
> 
>     errorfile 503 /usr/local/etc/503error.html
> 
>     ### (d)dos protection ###
> 
>     # check master 'banned' table first
>     stick-table type ip size 200k expire 10m store gpc0
> 
>     acl source_is_abuser src_get_gpc0(http) gt 0
>     use_backend ease-up if source_is_abuser
>     tcp-request connection track-sc1 src if ! source_is_abuser
> 
> 
> backend works
>     option httpchk /!healthcheck.php
>     option httpclose
> 
>     balance roundrobin
>     server myserv1 192.168.0.4:80 check inter 5000 rise 2 fall 3
>     server myserv2 192.168.0.3:80 check inter 5000 rise 2 fall 3
> 
>     stick-table type ip size 200k expire 1m store conn_rate(10s)
> 
>     # values below are specific to the backend
>     tcp-request content  track-sc2 src
>     acl conn_rate_abuse  sc2_conn_rate gt 3
> 
>     # abuse is marked in the frontend so that it's shared between all sites
>     acl mark_as_abuser  sc1_inc_gpc0 gt 0
> 
>     #tcp-request content reject if conn_rate_abuse mark_as_abuser
>     use_backend ease-up if conn_rate_abuse mark_as_abuser
> 
> 
> backend ease-up
>     mode http
>     errorfile 503 /usr/local/etc/503error_dos.html
> 
> 
> 
> Thanks for reading!
> Joe
> 
> Quoting (Willy Tarreau <w...@1wt.eu>):
> 
> >On Tue, Sep 14, 2010 at 11:39:05PM +0200, Jozsef R.Nagy wrote:
> >>Hello guys,
> >>
> >>Just been testing 1.5dev2 (and most recent snapshot as well) on freebsd,
> >>evaluating it for its anti-dos capabilities.
> >>The strange thing is..it starts up just fine, serves a few pages just
> >>fine then it returns blank pages.
> >>After a minute or so it will deliver a few pages again and then blank
> >>again..this does happen with no limitation config (no dos protection) as
> >>well.
> >
> >Could you please send your config ? (you can send it to me privately
> >if you prefer). I suspect an uninitialized variable or something like
> >this, though I don't understand why it would only strike on FreeBSD.
> >
> >Regards,
> >Willy