Hello,

In reference to this URL (section "Limiting the connection rate per user"):
http://blog.exceliance.fr/2012/02/27/use-a-load-balancer-as-a-first-row-of-defense-against-ddos/

It seems the rate limiting has issues on version 1.5-dev18.

My config looks something like this (modified IPs and frontend names):

global
        log 127.0.0.1   local0
        maxconn 4096
        stats socket /etc/haproxy/haproxysock level admin
        chroot /usr/share/haproxy
        uid 99
        gid 99


defaults
        log     global
        mode    http
        retries 3
        option redispatch
        option forwardfor
        mode http
        option  httplog
        option httpclose
        maxconn 2000
        contimeout      30000
        clitimeout      50000
        timeout server 600s


frontend test-web
        bind x.x.x.x:80
        bind x.x.x.x:443 ssl crt /etc/haproxy/certs/test.crt.pem

        # Table definition
        stick-table type ip size 1m expire 600s store conn_rate(600s)

        # Shut the new connection as long as the client has already 10 opened
        tcp-request connection reject if { src_conn_rate ge 5 }
        tcp-request connection track-sc1 src

        acl block_hosts hdr_end(host) -i -f /etc/haproxy/blocked-hosts.txt
        block if block_hosts

        # Https acl
        acl is-ssl dst_port 443
        reqadd X-Forwarded-Proto:\ https if is-ssl

        acl abc path_sub /abc
        use_backend test-abc if abc
        default_backend test-backend

backend test-backend
        reqidel ^X-Forwarded-For:.*
        balance leastconn
        option httpchk GET /check.jsp HTTP/1.0
#       http-check expect string Success
        server obrs-tc-node1 x.x.x.x:8000 check inter 10000 rise 2 fall 6 maxconn 250
        server maint x.x.x.x:80 backup
        appsession JSESSIONID len 52 timeout 3h

backend test-abc
        balance leastconn
        cookie SERVERID prefix
        option httpchk GET /ping.html HTTP/1.0
        server obkb-node1 x.x.x.x:80 cookie B1 check inter 10000 rise 2 fall 6 maxconn 250
        server maint x.x.x.x:80 backup


I can see the conn_rate go above 5 here, but the rate limit does not trigger. I
am still able to browse the URL served by the frontend:

# table: test-web, type: ip, size:1048576, used:1
0x198268c: key=x.x.x.x use=0 exp=592090 conn_rate(600000)=7


But when I use the same config (minus the SSL line) with version 1.5-dev7,
the rate limiting works as expected. Any help here is appreciated.

Thanks,

- Karthik Iyer
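When debugging a stick-table rule like the one above, the first check is whether the table actually holds a per-source counter at or above the threshold the `tcp-request connection reject` rule tests. The script below is an added example, not part of the original mail or of HAProxy itself: it parses the `show table <name>` dump format quoted above (header line plus one `key=... conn_rate(<period_ms>)=<n>` line per entry) and lists every key whose counter satisfies the rule's `ge` comparison. The sample dump embedded in it is constructed for the example, with placeholder addresses from the documentation ranges, and the threshold defaults to the 5 used in the posted config.

```python
import re

# Constructed sample, modelled on the "show table test-web" output in the mail.
# Addresses are placeholders; counter values are made up for the example.
SAMPLE_DUMP = """\
# table: test-web, type: ip, size:1048576, used:3
0x198268c: key=192.0.2.10 use=0 exp=592090 conn_rate(600000)=7
0x19826f0: key=192.0.2.11 use=1 exp=598001 conn_rate(600000)=2
0x1982754: key=198.51.100.5 use=0 exp=120000 conn_rate(600000)=5
"""

# Header: "# table: <name>, type: <type>, size:<n>, used:<n>"
HEADER_RE = re.compile(
    r"^# table: (?P<name>\S+), type: (?P<type>\w+), size:(?P<size>\d+), used:(?P<used>\d+)"
)
# Entry: "<addr>: key=<key> use=<n> exp=<ms> <counter>(<period_ms>)=<value> ..."
ENTRY_RE = re.compile(
    r"^0x[0-9a-fA-F]+: key=(?P<key>\S+) use=(?P<use>\d+) exp=(?P<exp>\d+) (?P<counters>.*)$"
)
# One stored counter; the period in parentheses is only present for rate counters.
COUNTER_RE = re.compile(r"(?P<name>\w+)(?:\((?P<period>\d+)\))?=(?P<value>\d+)")


def parse_table(dump):
    """Return (header_dict_or_None, list_of_entry_dicts) for a show-table dump."""
    header = None
    entries = []
    for raw in dump.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            header = {
                "name": m.group("name"),
                "type": m.group("type"),
                "size": int(m.group("size")),
                "used": int(m.group("used")),
            }
            continue
        m = ENTRY_RE.match(line)
        if not m:
            # Unknown line shape; skip rather than guess at its meaning.
            continue
        counters = {}
        for c in COUNTER_RE.finditer(m.group("counters")):
            period = c.group("period")
            counters[c.group("name")] = {
                "period_ms": int(period) if period is not None else None,
                "value": int(c.group("value")),
            }
        entries.append(
            {
                "key": m.group("key"),
                "use": int(m.group("use")),
                "exp_ms": int(m.group("exp")),
                "counters": counters,
            }
        )
    return header, entries


def keys_matching_rule(entries, counter="conn_rate", threshold=5):
    """Keys that would satisfy `src_<counter> ge <threshold>` (ge is >=)."""
    hits = []
    for e in entries:
        value = e["counters"].get(counter, {}).get("value", 0)
        if value >= threshold:
            hits.append(e["key"])
    return hits


if __name__ == "__main__":
    header, entries = parse_table(SAMPLE_DUMP)
    print("table %s: %d/%d slots used" % (header["name"], header["used"], header["size"]))
    for key in keys_matching_rule(entries):
        print("would be rejected by 'src_conn_rate ge 5':", key)
```

Feed it the real dump (for example the output of `echo "show table test-web" | socat stdio /etc/haproxy/haproxysock`, using the stats socket path from the posted config) in place of the constructed sample; if a key is listed here but new connections from it still get through, the problem is in rule evaluation rather than in the counter itself.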
