Hi all, if there is a bug report area please let me know.
I have been using HAProxy 1.4 for some time, wonderful program, very
reliable. I have come to need some features that exist in 1.5-dev, and
built the dev11 release. In testing, the following no longer functions as
it did in earlier dev releases like dev10, dev9, etc.:
frontend TEST
    bind 192.168.0.115:8081
    default_backend TEST
    option forwardfor
    log global
    option httplog clf
    # vulnerability scan protection
    stick-table type ip size 1m expire 10s store gpc0,http_err_rate(10s)
    tcp-request connection track-sc1 src
    tcp-request connection reject if { src_get_gpc0 gt 0 }

backend TEST
    enabled
    balance roundrobin
    # If the source IP generated 10 or more HTTP errors over the defined period,
    # flag the IP as an abuser on the frontend
    acl abuse src_http_err_rate(TEST) ge 10
    acl flag_abuser src_inc_gpc0(TEST)
    tcp-request content reject if abuse flag_abuser
    server qa1 192.168.0.113:80 weight 1 maxconn 5000 check
    server qa2 192.168.0.114:80 weight 1 maxconn 5000 check
I may have narrowed it down to the patch I think introduced the problem:
haproxy.1wt.eu/git?p=haproxy.git;a=commitdiff;h=496aa0111ee22d0deb8ca0c30c85503011219f05
Unfortunately, without devoting a lot of time to understanding the code, I
have reached my limits of debugging. It seems ACLs like the above have
broken as a result of the patch. The exact failure is that it simply does
not count the http_err_rate at all; the gpc0 counter is not changed as
loads of 404 errors are returned to a client, for example.
Note I have not gone back and double-checked the exact patch that
introduced the problem, but at least this example config is enough to
illustrate the problem in dev11.
Cheers