On Tue, Oct 18, 2011 at 6:39 PM, Cory Forsyth <cory.fors...@gmail.com> wrote:
> Hi, my company would like to hire someone for a few hours' worth of
> consulting time to help us gut-check our haproxy configuration and set
> up.
>
> In particular, this is what we are trying to do:
>
> We are trying to limit connections to our server by IP address, but
> over a given time window for each IP. If it has connected in the last
> 5 minutes it is allowed to continue connecting, regardless of whether
> the IP limit has been reached.
> If it is a new IP, it is only allowed if the number of other IPs is
> below the limit. So if an IP gets "in", as long as it continues to
> connect at least once every 5 minutes it will always be allowed to
> continue connecting.
>
> I have set something up to do this using a secondary process to check
> the haproxy stick-table (via socat) for the number of entries (and the
> entries are tracked by IP and expired after 5 minutes), and if the
> number of entries is greater than the limit this shuts down a Sinatra
> ruby app that is configured as a backend in haproxy's config...and the
> configured frontend has an ACL that checks whether that backend is
> down when deciding if it can allow in a new IP.
>
> We'd like some expert eyes to look over this setup and suggest
> alternatives or improvements, and also suggestions for how to load
> test this setup to make sure it will work well at scale.
>
> thanks,
> Cory
Hi

Why don't you play with the stick-table size, setting it to the limit of IPs you want to allow on your frontend, the expire time and finally the nopurge option:

    stick-table ip size 1000 expire 5m nopurge
    stick on src

With such a definition, the table will store 1K source IPs for 5 minutes. Any IP older than 5 minutes would be dropped by Haproxy, releasing it for a new client.

Or maybe I'm missing something.

You can share with me (in private) your current HAProxy configuration and I'll have a look if you wish.

cheers
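One way to wire this into a frontend so that the table itself enforces the limit, as an added example that is not part of the reply above: it assumes HAProxy 1.5 or later (for the sc0 tracking counters) and relies on nopurge leaving a new connection untracked when the table is already full, so an untracked connection is by definition a new IP arriving over the limit.

```haproxy
# Added example, not the list author's configuration.
# Assumes HAProxy >= 1.5; adjust the bind address and backend to taste.
frontend www
    bind :80

    # One entry per source IP, at most 1000 IPs, each entry expiring
    # 5 minutes after it was last refreshed. nopurge means HAProxy will
    # NOT evict an older-but-unexpired entry to make room for a new IP.
    stick-table type ip size 1000 expire 5m nopurge

    # Track the source IP in the table. For an IP that is already present
    # this refreshes its expiry (keeps it "in"); for a new IP it creates an
    # entry only if the table has room.
    tcp-request connection track-sc0 src

    # Assumption (see lead-in): when the table is full, track-sc0 cannot
    # create an entry, so the connection stays untracked. Reject those.
    # Known IPs, and new IPs that found a free slot, pass through.
    tcp-request connection reject if !{ sc0_tracked }

    default_backend app

backend app
    server s1 127.0.0.1:4567 check
```

The set of currently admitted IPs can be inspected over the stats socket with `echo "show table www" | socat stdio /var/run/haproxy.sock`, which replaces the polling process and the Sinatra kill switch from the original setup.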