Yes, please reproduce with the latest snapshot, and provide the output of haproxy -vv. Also, set up haproxy so it can generate a core.
Make sure you CC the list [email protected] when responding.

Thanks,
Lukas

________________________________
> Date: Fri, 3 May 2013 11:14:14 +0200
> Subject: Re: haproxy crashes with ddos mitigation config
> From: [email protected]
> To: [email protected]
>
> Below is my haproxy -vv :
>
> A-Proxy version 1.5-dev18 2013/04/03
> Copyright 2000-2013 Willy Tarreau <[email protected]>
>
> Build options :
>   TARGET = linux2628
>   CPU = generic
>   CC = gcc
>   CFLAGS = -O2 -g -fno-strict-aliasing
>   OPTIONS = USE_OPENSSL=1 USE_PCRE=1
>
> Default settings :
>   maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200
>
> Encrypted password support via crypt(3): yes
> Built without zlib support (USE_ZLIB not set)
> Compression algorithms supported : identity
> Built with OpenSSL version : OpenSSL 0.9.8o 01 Jun 2010
> OpenSSL library supports TLS extensions : yes
> OpenSSL library supports SNI : yes
> OpenSSL library supports prefer-server-ciphers : yes
>
> Available polling systems :
>   epoll : pref=300, test result OK
>   poll : pref=200, test result OK
>   select : pref=150, test result OK
> Total: 3 (3 usable), will use epoll.
>
> I'll try the snapshot
>
> ---------------------------------------------------------------------------------------
>
> Regarding the ddos mitigation config on non ssl frontend, it doesn't
> seem to work properly.
> My frontend config
> ...
> frontend public
>     bind 0.0.0.0:80
>
>     # # Table definition
>     stick-table type ip size 5m expire 30s store conn_cur
>
>     # # Allow clean known IPs to bypass the filter
>     # tcp-request connection accept if { src -f /etc/haproxy/whitelist.lst }
>     # # Shut the new connection as long as the client has already 10 opened
>     tcp-request connection reject if { src_conn_cur ge 10 }
>     tcp-request connection track-sc1 src
>
>     mode http
>     log global
>     option httplog
>     timeout client 25s
>     maxconn 1000
>     timeout http-request 80s
>     capture request header Host len 64
>     capture request header Referer len 256
>     capture request header User-Agent len 64
> ...
>
> Then I open 10 connexions :
>
> ab -n 500000 -c 10 http://127.0.0.1:80/
>
> I open another connexion with a telnet and I'm able to open it.
>
> watch 'echo "show table services" | socat unix:./haproxy.stats -'
> 0xb5c6a4: key=127.0.0.1 use=11 exp=30000 conn_cur=11
>
> Maybe I should open a new thread ?
>
> Regards,
> Smana
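
A way to check the observation in the quoted message mechanically, added here as an example and not part of the original thread or of HAProxy: it parses "show table" output and lists sources whose conn_cur is above the threshold used in the reject rule. The function names, the header line and the second table entry are assumptions made for the example; only the 127.0.0.1 entry comes from the message.

```python
import re
import sys

# Constructed sample of "show table" output. The first entry line is the one
# quoted in the message above; the header line and second entry are made up.
SAMPLE = """\
# table: services, type: ip, size:5242880, used:2
0xb5c6a4: key=127.0.0.1 use=11 exp=30000 conn_cur=11
0xb5c7f0: key=192.0.2.15 use=3 exp=29412 conn_cur=3
"""

# An entry line starts with the entry's address, then space-separated k=v pairs.
ENTRY_RE = re.compile(r"^0x[0-9a-fA-F]+:\s+(.+)$")


def parse_table(text):
    """Return one dict of fields per entry line; header and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        fields = dict(f.split("=", 1) for f in m.group(1).split() if "=" in f)
        entries.append(fields)
    return entries


def over_limit(text, limit=10):
    """List (key, conn_cur) for entries holding more than `limit` connections."""
    offenders = []
    for entry in parse_table(text):
        try:
            cur = int(entry["conn_cur"])
        except (KeyError, ValueError):
            continue  # table does not store conn_cur, or the value is malformed
        if cur > limit:
            offenders.append((entry.get("key", "?"), cur))
    return offenders


if __name__ == "__main__":
    # Read socat output from a pipe if there is one, else use the sample.
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for key, cur in over_limit(data):
        print(f"{key}: conn_cur={cur} is above the configured limit")
```
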

