On Mon, Sep 02, 2013 at 09:27:26AM +0300, Toni Mattila wrote:
> Hi,
>
> On 2.9.2013 8:55, Willy Tarreau wrote:
> > backend web29
> > stick-table type ip size 50k expire 120m store gpc0,http_req_rate(120s)
> > tcp-request content track-sc2 src if METH_POST
> > stick store-request src if METH_POST
> > acl bruteforce_detection sc2_http_req_rate gt 5
> > acl foo sc2_inc_gpc0 gt 0
> > http-request deny if foo bruteforce_detection
> > server web29 94.199.58.249:80 check
> > I think that with the fix above it will work. BTW, you don't need
> > the "stick store-request" statement, but I suspect you used it to
> > debug the issue.
>
> This works on the backend side, but how do I get that sc2_get_gpc0 working
> on the frontend?
Then put it in the frontend.
> Idea is that I will have multiple backends but once one backend detects
> certain IP being over the limit it would be blocked already on the frontend.
OK but I'm having a hard time understanding exactly what you want to do.
Consider sc0, sc1, sc2 as independent pointers to up to 3 table entries.
Once any of them is tracked, it is tracked till the end of the session
(or the request when using http). So whatever you track in the frontend
is obviously available in the backend. Then all counters that are stored
are available.
So if what you're trying to do is to count the rate of POST requests and
block source IP addresses, then I think you'll need two different pointers,
just because you want to count one request only in case of POST which
explains why you have a track ... if ...
So what I could suggest:
  - frontend : track/check source address
  - backend  : track/count POST requests
    backend per-ip
        stick-table type ip size 50k expire 120m store gpc0

    frontend
        tcp-request connection track-sc1 src table per-ip
        tcp-request connection reject if { sc1_get_gpc0 gt 0 }
        ...
        use_backend foo...

    backend foo
        stick-table type ip size 50k expire 120m store http_req_rate(120s)
        tcp-request content track-sc2 src if METH_POST
        acl bruteforce_detection sc2_http_req_rate gt 5
        acl block sc1_inc_gpc0 gt 0
        http-request deny if bruteforce_detection block
You see, then the frontend enables tracking of the source address,
while the backend monitors the POST request rate for each backend
and flags the source address so that it can be checked in the frontend.
You could also decide that you use the same table for everything,
so that a source address sending many POST requests to different
sites will be detected as well:

    backend per-ip
        stick-table type ip size 50k expire 120m store gpc0,http_req_rate(120s)

    frontend
        tcp-request connection track-sc1 src table per-ip
        tcp-request connection reject if { sc1_get_gpc0 gt 0 }
        ...
        use_backend foo...

    backend foo
        tcp-request content track-sc2 src table per-ip if METH_POST
        acl bruteforce_detection sc2_http_req_rate gt 5
        acl block sc1_inc_gpc0 gt 0
        http-request deny if bruteforce_detection block
Hoping this helps,
Willy
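To make the mechanics of the second configuration above concrete, here is a small Python model added for this discussion (it is neither HAProxy code nor part of Willy's mail): one shared per-ip table, sc1 tracked at the frontend on every connection, sc2 tracked only for POST requests in backend foo, and gpc0 as the flag the frontend checks. It assumes an exact 120-second sliding window for http_req_rate (HAProxy's frequency counter approximates this) and that tracking an entry refreshes its 120m expiry, so a flagged client that keeps connecting stays blocked.

```python
from collections import deque

RATE_WINDOW = 120        # http_req_rate(120s)
TABLE_EXPIRE = 120 * 60  # expire 120m, refreshed every time the entry is tracked
POST_LIMIT = 5           # acl bruteforce_detection sc2_http_req_rate gt 5

class StickTable:
    """Models 'stick-table type ip ... store gpc0,http_req_rate(120s)'."""
    def __init__(self):
        self.entries = {}  # ip -> {"gpc0": int, "posts": deque, "seen": float}

    def track(self, ip, now):
        """track-scN src: return the entry (creating it if absent or expired)."""
        e = self.entries.get(ip)
        if e is None or now - e["seen"] > TABLE_EXPIRE:
            e = self.entries[ip] = {"gpc0": 0, "posts": deque()}
        e["seen"] = now  # tracking refreshes the expiry, as in HAProxy
        return e

    @staticmethod
    def http_req_rate(e, now):
        """Tracked requests in the last RATE_WINDOW seconds (exact sliding
        window, an assumption; HAProxy's freq counter is an approximation)."""
        while e["posts"] and now - e["posts"][0] >= RATE_WINDOW:
            e["posts"].popleft()
        return len(e["posts"])

class Proxy:
    def __init__(self):
        self.per_ip = StickTable()  # the shared "backend per-ip" table

    def handle(self, ip, method, now):
        """Return 'frontend-reject', 'deny' or 'allow' for one request."""
        # frontend: tcp-request connection track-sc1 src table per-ip
        sc1 = self.per_ip.track(ip, now)
        # frontend: tcp-request connection reject if { sc1_get_gpc0 gt 0 }
        if sc1["gpc0"] > 0:
            return "frontend-reject"
        # backend foo: tcp-request content track-sc2 src table per-ip if METH_POST
        if method != "POST":
            return "allow"          # non-POST requests are never counted
        sc2 = self.per_ip.track(ip, now)
        sc2["posts"].append(now)
        # http-request deny if bruteforce_detection block
        # 'block' (sc1_inc_gpc0) only runs, so only increments, once bruteforce_detection matched
        if StickTable.http_req_rate(sc2, now) > POST_LIMIT:
            sc2["gpc0"] += 1
            return "deny"
        return "allow"
```

Note that gpc0 never decays on its own: once set, the source stays rejected at the frontend until its table entry expires, which only happens after 120m without any connection from it.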