Hi,

On Mon, Aug 12, 2013 at 04:45:42PM +0200, Ghislain wrote:
> On 05/08/2013 10:44, Baptiste wrote:
> >Hi Ghislain,
> >
> >To log such rejected connection please ensure you don't have the
> >"dontlognull" option enabled and you're rejecting connections using
> >the "tcp-request content" statement.
> >
> >Baptiste
>
> Thanks for the hint, I was using dontlognull so I just removed it and
> added the no option in the frontend.
>
> I use a simple thing like this:
>
>
> frontend ft_https
>     mode tcp
>     no option dontlognull
>     option tcplog
>     bind 0.0.0.0:443
>     stick-table type ip size 500k expire 30s store gpc0,http_req_rate(10s),conn_cur
>     tcp-request connection track-sc1 src
>     tcp-request connection reject if { src_get_gpc0 gt 0 } or { src_conn_cur ge 30 }
>
>     default_backend bk_https
>
> backend bk_https
>     mode tcp
>     balance roundrobin
>     acl abuse src_http_req_rate(ft_https) ge 200
>     acl flag_abuser src_inc_gpc0(ft_https)
>     tcp-request content reject if abuse flag_abuser
>
> I cannot have any log for rejects. The same version in http mode gives
> me a log with the PR-- flag, which is good as it indicates a reject because
> of a deny rule, but in TCP mode I am unable to get any logging of the
> denied connections. I use a simple 'ab' call to stress it.
This is expected: you're rejecting at the earliest possible moment, where no logs can be produced ("tcp-request connection"). If you want to get some logs, reject a bit later, using "tcp-request content". Note that it works when you're in http mode because your backend's tcp-request content rule probably matches at a lower rate than the frontend's rule. This rule however does not match in TCP mode since there's no HTTP request.

Regards,
Willy
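The rewrite Willy describes, as an added example that is not part of the original thread: tracking stays at the connection level, the reject moves to "tcp-request content" so the session exists and tcplog can record it, and the backend's HTTP-based rate check (which never fires in TCP mode) is replaced by an assumed connection-rate check using conn_rate and src_conn_rate.

```haproxy
frontend ft_https
    mode tcp
    no option dontlognull
    option tcplog
    bind 0.0.0.0:443
    # conn_rate(10s) replaces http_req_rate(10s): in TCP mode there is no
    # HTTP request to count, so the HTTP rate would stay at zero.
    stick-table type ip size 500k expire 30s store gpc0,conn_rate(10s),conn_cur
    # Keep tracking at the connection level so the entry is created before
    # the content-level rule below reads it.
    tcp-request connection track-sc1 src
    # Rejecting here, rather than with "tcp-request connection reject", means
    # the TCP handshake has completed and a session is allocated, which is
    # exactly what makes the reject loggable. Both conditions use only
    # layer-4 data, so no "tcp-request inspect-delay" is required.
    tcp-request content reject if { src_get_gpc0 gt 0 } or { src_conn_cur ge 30 }
    default_backend bk_https

backend bk_https
    mode tcp
    balance roundrobin
    # Assumed threshold: flag a source that opens 200 or more connections
    # in 10 seconds; the flag then triggers the frontend reject for the
    # lifetime of its stick-table entry (30s after its last activity).
    acl abuse src_conn_rate(ft_https) ge 200
    acl flag_abuser src_inc_gpc0(ft_https)
    tcp-request content reject if abuse flag_abuser
```

The cost of the later reject is the accepted connection itself, so "tcp-request connection reject" remains the cheaper choice when logging is not needed.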