On Wed, Sep 15, 2010 at 10:17:53AM +0200, R.Nagy József wrote:
> Thank you for the heads up,
>
> Managed to put it in a single listen block, and it worked! Temporarily! ;(
> Was fine on the testing environment, but after putting it into production,
> haproxy went wild after 40 mins, and then after 20 mins in the next round.
> 'Wild' being it returned Error instead of serving up files from another
> block (symptom being static files missing from the site), not even
> the one being rate restricted, and a few mins later it completely
> 'died', not serving anything, just seemingly loading endlessly.
>
> If you could let me know what debug to save or look at, I'd be happy to
> do so.
You should simply disable the anti-DoS protection to check the difference.
Also, I can recommend that you enable the stats socket in the global config,
so that you can inspect your tables or even delete entries:

    global
        stats socket /var/run/haproxy.sock level admin
        stats timeout 1d

Then from the command line:

    $ socat readline /var/run/haproxy.sock
    prompt
    > show table
    > show table mySite-webfarm
    > clear table mySite-webfarm key 192.168.0.1

etc...

Also, I think that what you're experiencing is that your block levels
are too low and that once an IP is blocked, it remains blocked because
the user continues to try to access the site. Also, keep in mind that
the "use_backend" rules are processed last (I should add a warning to
remind about that when they're placed before tcp-request).
I would personally simplify your config like this (it does not need
to track two separate counters anymore):

    # one table keyed by source IP: gpc0 flags an abuser, conn_rate(10s) counts connections
    stick-table type ip size 1m expire 5m store gpc0,conn_rate(10s)
    # already flagged? (lookup only, does not track)
    acl source_is_abuser src_get_gpc0 gt 0
    # only track sources that are not flagged yet
    tcp-request connection track-sc1 src if ! source_is_abuser
    acl conn_rate_abuse sc1_conn_rate gt 30
    # incrementing gpc0 flags the source; evaluated only when the previous ACL matched
    acl mark_as_abuser sc1_inc_gpc0 gt 0
    use_backend ease-up if source_is_abuser
    use_backend ease-up if conn_rate_abuse mark_as_abuser

Regards,
Willy
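To see how the rules in Willy's simplified config interact (flagging on rate, sticking to the flag, and the table's expiry), here is a small Python model added as an illustration; it is not haproxy code and not from the thread. It assumes conn_rate(10s) behaves as a count of tracked connections in the last 10 seconds, that a plain src_get_gpc0 lookup does not refresh an entry's expire timer, and uses constructed IPs and timestamps.

```python
# Toy model of the stick-table rules above (constructed example, not haproxy code).
# Assumptions: conn_rate(10s) == number of tracked connections in the last 10 s;
# a plain src_get_gpc0 lookup does not refresh the entry's expire timer.
from collections import deque

EXPIRE = 300.0        # expire 5m
RATE_PERIOD = 10.0    # conn_rate(10s)
RATE_LIMIT = 30       # sc1_conn_rate gt 30


class StickTable:
    """stick-table type ip ... store gpc0,conn_rate(10s)"""

    def __init__(self):
        self.entries = {}  # ip -> {"gpc0": int, "hits": deque, "last": float}

    def purge(self, now):
        stale = [ip for ip, e in self.entries.items() if now - e["last"] > EXPIRE]
        for ip in stale:
            del self.entries[ip]

    def track(self, ip, now):
        """tcp-request connection track-sc1 src: create or refresh the entry."""
        e = self.entries.setdefault(ip, {"gpc0": 0, "hits": deque(), "last": now})
        e["hits"].append(now)
        e["last"] = now
        while now - e["hits"][0] > RATE_PERIOD:  # drop hits outside the window
            e["hits"].popleft()
        return e


def route(table, ip, now):
    """Evaluate the rules in order for one connection; return the backend."""
    table.purge(now)
    e = table.entries.get(ip)                # acl source_is_abuser src_get_gpc0 gt 0
    if e is not None and e["gpc0"] > 0:
        return "ease-up"                     # use_backend ease-up if source_is_abuser
    e = table.track(ip, now)                 # track-sc1 src if ! source_is_abuser
    if len(e["hits"]) > RATE_LIMIT:          # acl conn_rate_abuse sc1_conn_rate gt 30
        e["gpc0"] += 1                       # acl mark_as_abuser sc1_inc_gpc0 gt 0
        return "ease-up"                     # use_backend ease-up if conn_rate_abuse mark_as_abuser
    return "webfarm"


def simulate(events):
    """events: iterable of (timestamp, ip); returns the backend chosen per event."""
    table = StickTable()
    return [route(table, ip, ts) for ts, ip in events]


# Constructed traffic: one client bursts 40 connections in 4 s, then returns later.
SAMPLE_EVENTS = [(i * 0.1, "10.0.0.1") for i in range(40)] + \
                [(5.0, "10.0.0.2"), (200.0, "10.0.0.1"), (400.0, "10.0.0.1")]
```

Running simulate(SAMPLE_EVENTS) shows the 31st connection flips the client to ease-up, it stays there while its entry lives, and it only returns to the web farm once the 5-minute expiry has purged the entry.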