Hi Baptiste,

Thank you for your answer but I probably wasn't clear enough on my problem ;-)

The problem is that the stick table in the example only stores IPv4 or IPv6, not both. But I need to rate-limit both IPv4 and IPv6.

Just a copy and paste of the setup:

frontend cluster1-in
 bind x.x.x.x:80
 bind 2001:xxx:xxx::xx:80

 <...some settings...>

 tcp-request connection accept if { src -f /etc/haproxy/whitelist-ipv4.txt }
 tcp-request connection accept if { src -f /etc/haproxy/whitelist-ipv6.txt }
 stick-table type ip size 1m expire 60m store gpc0,http_req_rate(10m)
 tcp-request connection track-sc1 src
 tcp-request connection reject if { src_get_gpc0 gt 0 }

 acl ratelimit hdr_sub(host) -i somedomain.com

 use_backend pipo if ratelimit
 default_backend foo

backend pipo
 <... some settings...>
 acl abuse src_http_req_rate(cluster1-in) ge 600
 acl flag_abuser src_inc_gpc0(cluster1-in)
 tcp-request content reject if abuse flag_abuser
 <... some more settings...>

This way IPv6 addresses are ignored.

Greets,

Sander



On 02.04.2013 11:24, Baptiste wrote:
Hi,

With the latest HAProxy version, it will apply configuration to IPv4 or
IPv6 independently.

Just add an IPv6 bind to your HAProxy setup and you're done.
No IPv6 to configure on your servers, since HAProxy will act as a 6to4 gateway:
http://blog.exceliance.fr/2011/06/14/layer-7-ipv6-configuration/ [2]

Baptiste

On Tue, Apr 2, 2013 at 10:11 AM, Sander Klein <[email protected]> wrote:

Hi All,

I know this question has been asked many times, but currently I'm experiencing some problems with some people harvesting data from our websites at high rates. I would like to block them based on the URL or simply on src IP.

Currently I've implemented the 'Limiting the HTTP request rate' setup from http://blog.exceliance.fr/2012/02/27/use-a-load-balancer-as-a-first-row-of-defense-against-ddos/ [1] which works nicely, but now they also start coming in with IPv6. Can I modify this setup to also work with IPv6 without creating multiple frontends or backends?

Greets,

Sander



Links:
------
[1] http://blog.exceliance.fr/2012/02/27/use-a-load-balancer-as-a-first-row-of-defense-against-ddos/
[2] http://blog.exceliance.fr/2011/06/14/layer-7-ipv6-configuration/
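
The gap Sander describes at the top of the thread, as an added example that is not part of the original messages and is not HAProxy code: a simplified Python model of a rate-limit table keyed on source address, comparing an IPv4-only key with a single key space in which IPv4 clients are stored as IPv4-mapped IPv6. The names `table_key`, `RateTable` and `accepted` are hypothetical; the 600-request threshold and 10-minute window mirror the posted config, the sample addresses are constructed, and the 60m entry expiry is not modelled.

```python
import ipaddress
from collections import defaultdict, deque

WINDOW = 600      # seconds, mirrors http_req_rate(10m) in the posted config
THRESHOLD = 600   # requests, mirrors "ge 600" in the posted config

def table_key(src, dual_stack=True):
    """Return the table key for a client address, or None if it cannot be stored."""
    addr = ipaddress.ip_address(src)
    if not dual_stack:
        # IPv4-only table: an IPv6 client gets no entry at all
        return addr if addr.version == 4 else None
    if addr.version == 4:
        # Store IPv4 as IPv4-mapped IPv6 so one table covers both families
        return ipaddress.IPv6Address("::ffff:" + str(addr))
    return addr

class RateTable:
    def __init__(self, dual_stack):
        self.dual_stack = dual_stack
        self.hits = defaultdict(deque)  # key -> request timestamps inside the window
        self.flagged = set()            # keys with the abuse flag set (the gpc0 role)

    def request(self, src, now):
        """Record one request; return True if accepted, False if rejected."""
        key = table_key(src, self.dual_stack)
        if key is None:
            return True                 # untracked client: never rate-limited
        if key in self.flagged:
            return False                # flagged earlier: rejected up front
        window = self.hits[key]
        window.append(now)
        while window and window[0] <= now - WINDOW:
            window.popleft()            # drop timestamps older than the window
        if len(window) >= THRESHOLD:
            self.flagged.add(key)
            return False
        return True

def accepted(table, src, count):
    """Send `count` requests 0.1 s apart and return how many were accepted."""
    return sum(table.request(src, now=i * 0.1) for i in range(count))

if __name__ == "__main__":
    for dual in (False, True):
        table = RateTable(dual_stack=dual)
        for src in ("192.0.2.10", "2001:db8::1"):  # constructed sample clients
            print(dual, src, accepted(table, src, 1000))
```

With the IPv4-only key the IPv6 client is never counted, so all of its requests pass; with the shared key both clients are cut off at the same threshold.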
