Hi,

In both cases, what do the log lines say about the backend used?
I thought it could be related to the functions available depending on the network level. I mean that the acl path* functions are layer 7 functions while tcp-request content is layer 4 only. When you enable the acl you move up to layer 7, and then the layer 4 functions are not available anymore or the result is undetermined. But if this flow is correct: http://haproxy.1wt.eu/download/1.3/doc/acl.pdf then it may be a bug.

Only Willy could answer this question accurately, but he has been a bit busy these last days.

cheers

On Fri, Feb 17, 2012 at 11:29 PM, <[email protected]> wrote:
> Reading up on 2 blog posts regarding DDOS protection via haproxy stick-tables
>
> http://blog.serverfault.com/2010/08/26/1016491873/
> http://blog.exceliance.fr/2011/08/25/protect-apache-against-apache-killer-script/
>
> Problem
> I tried testing this on my local test server with haproxy v1.5 dev7. But it
> seems if I have an acl rule in place path_beg /forum/images/ and /images/ it
> bypasses the stick-tables completely. It doesn't seem to matter if the acl
> rule is placed before or after the stick-table entry on the frontend www.
>
> If I remove the acl rule for path_beg, then stick-table works!
>
> The acl path_beg rule I have is these 3 lines in frontend www
>
> acl imagepath path_beg /images/
> acl imagepathforums path_beg /forums/images/
> use_backend imagepath_backend if imagepath or imagepathforums
>
> Problem explained
> 1. If these acl path_beg rules are enabled then phpinfo.php gets rate limited
> with 503 status error but i.png allows full unrestricted connection speed to
> server bypassing the stick-table completely.
>
> 2. If I remove the path_beg 3 lines outlined above from haproxy config file,
> then both siege test urls for phpinfo.php and i.png I test against DO NOT
> allow full unrestricted connection to server and are properly rate limited
> with 503 status error.
>
> siege -b -c 100 -r 100 http://192.168.56.120/phpinfo.php
> siege -b -c 100 -r 100 http://192.168.56.120/forums/images/i.png
>
> So why does the acl path_beg rule bypass the stick-table?
>
> Config
> full frontend www looks like this
>
> ##############
> # front end options
> frontend www
>     mode http
>     bind *:80
>     default_backend www_backend
>     option contstats
>     acl spiderbots hdr_sub(user-agent) -i -f /etc/haproxy/spiderbotlist.lst
>     use_backend spider_backend if spiderbots
>
>     ### Setup stick table ###
>     stick-table type ip size 10k expire 60s store gpc0
>     # Configure the DoS src
>     acl MARKED src_get_gpc0(www) gt 0
>     # tarpit attackers if src_DoS
>     use_backend backend_tarpit if MARKED
>     # If not blocked, track the connection
>     tcp-request connection track-sc1 src if ! MARKED
>     ### Setup stick table ###
>
>     acl imagepath path_beg /images/
>     acl imagepathforums path_beg /forums/images/
>     use_backend imagepath_backend if imagepath or imagepathforums
>
> the backend looks like this
>
> ##############
> # backend options
> backend www_backend
>     mode http
>     balance roundrobin # Load Balancing algorithm
>     cookie SERVERID insert indirect nocache
>     option httpchk OPTION /health_check.php
>     option forwardfor # This sets X-Forwarded-For
>
>     ### Setup stick table ###
>     # Table to track connection rate
>     stick-table type ip size 10k expire 60s store conn_rate(5s),bytes_out_rate(5s)
>     # Track request
>     tcp-request content track-sc2 src
>     # Mark as abuser if more than 10 connections
>     acl ABUSER sc2_conn_rate gt 10
>     acl DATARATE_ABUSER sc2_bytes_out_rate gt 200
>     acl MARKED_AS_ABUSER sc1_inc_gpc0 gt 0
>     # Block connection considered as abuser
>     tcp-request content reject if ABUSER DATARATE_ABUSER MARKED_AS_ABUSER
>     ### Setup stick table ###
>
>     ## Define your servers to balance
>     server server1 192.168.56.101:80 weight 1 maxconn 4096 cookie svr1 check
>     server server2 192.168.56.120:82 weight 1 maxconn 4096 cookie svr2 check
>
> backend spider_backend
>     mode http
>     balance roundrobin
>     cookie SERVERID insert indirect nocache
>     option httpchk OPTION /health_check.php
>     option forwardfor
>     acl too_fast be_sess_rate gt 10
>     acl too_many be_conn gt 10
>     tcp-request inspect-delay 3000ms
>     tcp-request content accept if ! too_fast or ! too_many
>     tcp-request content accept if WAIT_END
>     server server1 192.168.56.101:80 weight 1 minconn 1 maxconn 10 cookie svr1bot check
>     server server2 192.168.56.120:82 weight 1 minconn 1 maxconn 10 cookie svr2bot check
>
> backend imagepath_backend
>     mode http
>     balance roundrobin
>     cookie SERVERID insert indirect nocache
>     option httpchk OPTION /health_check.php
>     option forwardfor
>
>     ### Setup stick table ###
>     # Table to track connection rate
>     stick-table type ip size 10k expire 60s store conn_rate(5s),bytes_out_rate(5s)
>     # Track request
>     tcp-request content track-sc2 src
>     # Mark as abuser if more than 10 connections
>     acl ABUSER sc2_conn_rate gt 10
>     acl DATARATE_ABUSER sc2_bytes_out_rate gt 200
>     acl MARKED_AS_ABUSER sc1_inc_gpc0
>     # Block connection considered as abuser
>     tcp-request content reject if ABUSER DATARATE_ABUSER MARKED_AS_ABUSER
>     ### Setup stick table ###
>
>     server server1 192.168.56.101:80 weight 1 maxconn 500 cookie svr1 check
>     server server2 192.168.56.120:82 weight 1 maxconn 500 cookie svr2 check
>
> backend backend_tarpit
>     mode http
>     # hold the connection for 10s before answering
>     timeout tarpit 10s
>     # Emulate a 503 error
>     errorfile 500 /etc/haproxy/503.html
>     # slowdown any request coming up to here
>     reqitarpit .
>
> ---
> posted at http://www.serverphorums.com
> http://www.serverphorums.com/read.php?10,447870,447870#msg-447870
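As an added example, not the original poster's configuration and not an answer given in the thread, the following rewrites the same mark-then-tarpit design so that rate measurement, marking and the tarpit routing all live in the frontend. It does not claim to explain the reported bypass; it only removes the dependency on per-backend tables. Frontend `tcp-request connection` rules are evaluated when the connection is accepted, before any content inspection or `use_backend` decision, so which backend a `path_beg` rule selects cannot affect them. Addresses, ports, paths and server names are the ones from the post; the thresholds, the `MARK_NOW` ACL name and the `/etc/haproxy/503.html` error page are assumptions. The health-check method is spelled `OPTIONS` here (the post has `OPTION`).

```haproxy
# Added example: frontend-only abuse tracking with a tarpit backend.
# Not the original poster's config and not a reply from the thread.

frontend www
    mode http
    bind *:80
    option contstats
    default_backend www_backend

    # One table owned by the frontend: gpc0 holds the "marked" flag and
    # conn_rate(5s) is the per-source connection rate over a 5 s window.
    # (10k entries, 60 s idle expiry and the thresholds below are assumptions.)
    stick-table type ip size 10k expire 60s store gpc0,conn_rate(5s)

    # src_* fetches look the entry up by source address, so they work whether
    # or not the current connection is being tracked.
    acl MARKED src_get_gpc0(www) gt 0
    acl ABUSER src_conn_rate(www) gt 10
    # sc1_inc_gpc0 increments gpc0 on the tracked entry and returns the new
    # value, so "gt 0" always passes once the fetch runs: it is a marker.
    acl MARK_NOW sc1_inc_gpc0 gt 0

    # Track unmarked sources only, as in the post: a marked entry is then no
    # longer refreshed and expires 60 s after its last hit (automatic unblock).
    tcp-request connection track-sc1 src if ! MARKED

    # Terms in one condition are ANDed and evaluated left to right, and
    # evaluation stops at the first false term, so gpc0 is only incremented
    # when ABUSER is true. The connection that crosses the threshold is
    # rejected; an already-marked (untracked) source has no sc1 counter, so
    # MARK_NOW fails for it and it falls through to the tarpit below.
    tcp-request connection reject if ABUSER MARK_NOW

    # Routing. use_backend rules are evaluated in order, so marked sources are
    # tarpitted before any path-based selection is considered.
    use_backend backend_tarpit if MARKED

    acl imagepath path_beg /images/
    acl imagepathforums path_beg /forums/images/
    use_backend imagepath_backend if imagepath or imagepathforums

backend www_backend
    mode http
    balance roundrobin
    cookie SERVERID insert indirect nocache
    option httpchk OPTIONS /health_check.php
    option forwardfor
    server server1 192.168.56.101:80 weight 1 maxconn 4096 cookie svr1 check
    server server2 192.168.56.120:82 weight 1 maxconn 4096 cookie svr2 check

backend imagepath_backend
    mode http
    balance roundrobin
    cookie SERVERID insert indirect nocache
    option httpchk OPTIONS /health_check.php
    option forwardfor
    server server1 192.168.56.101:80 weight 1 maxconn 500 cookie svr1 check
    server server2 192.168.56.120:82 weight 1 maxconn 500 cookie svr2 check

backend backend_tarpit
    mode http
    # Hold each request for 10 s, then answer with the 503 page
    # (the tarpit emits a 500 by default; the errorfile replaces it).
    timeout tarpit 10s
    errorfile 500 /etc/haproxy/503.html
    reqitarpit .
```

To check which rule a request actually hit, enable HTTP logging on the frontend (`option httplog` with a `log` directive) and read the backend name and termination-state fields of each log line: a tarpitted request shows `backend_tarpit` as its backend, and a connection rejected by `tcp-request connection reject` never reaches a backend at all. Validate the file with `haproxy -c -f <file>` before reloading.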

