Thanks Jarno,

That worked for me!

Regards,

Zbynek 

On 04 Aug 2014, at 08:53, Jarno Huuskonen <[email protected]> wrote:

> Hi,
> 
> On Fri, Aug 01, Zbyněk Vymazal wrote:
>> Hello,
>> 
>> I'd like to ask for advice on how to return a custom HTTP error code when a rate 
>> limit rule is triggered. I have sort of followed the configuration described 
>> here: 
>> http://blog.haproxy.com/2012/02/27/use-a-load-balancer-as-a-first-row-of-defense-against-ddos/
>>  (Limiting the HTTP request rate) with some modifications and the rate 
>> limiting works as required.
>> 
>> I'd like to ask if there is a way to return a 429 error instead of 403 as 
>> it is returned now with the rule http-request deny?
>> 
>> The interesting part of config file looks like this:
>> 
>> frontend:
>> 
>>  stick-table type ip size 10k expire 30s store gpc0
>> 
>>  # Refuse a new connection from an abuser
>>  tcp-request connection reject if { sc0_get_gpc0 gt 0 }
>> 
>>  # Return a 403 for requests in an established connection
>>  http-request deny if { sc0_get_gpc0 gt 0 }
>> 
> 
> You might be able to (ab)use backend / error file to return 429
> error:
> frontend:
> ...
>   use_backend BE_429 if { sc0_get_gpc0 gt 0 }
> 
> backend BE_429
>   errorfile 503 /path/to/errors/429.html
>   # no servers etc. in this backend
> 
> and in 429.html
> HTTP/1.1 429 Too Many Requests
> Cache-Control: no-cache
> Content-Length: xyz
> Content-Type: text/html; charset=iso-8859-1
> Connection: close
> 
> and your html error message (or Content-Length: 0 and no html error
> msg).
> 
> -Jarno
> 
>> backend:
>> 
>>  stick-table type ip size 10k expire 30s store http_req_rate(10s)
>> 
>>  # Parse X-Forwarded-For header and add source IP to the sticky tables for request rate control
>>  tcp-request content track-sc0 hdr_ip(X-Forwarded-For,1) table ft_web
>>  tcp-request content track-sc1 hdr_ip(X-Forwarded-For,1) table bk_web
>> 
>>  # If the source IP sent 50 or more http requests over the defined period flag the IP as an abuser
>>  acl abuse sc1_http_req_rate gt 50
>>  acl flag_abuser sc0_inc_gpc0(ft_web) gt 0
>> 
>>  # Return a 403 to the abuser
>>  http-request deny if abuse flag_abuser
>> 
>> Thanks for help.
>> 
>> Kind Regards,
>> 
>> Zbynek
> 
> -- 
> Jarno Huuskonen
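
Added example, not part of the thread: the 429.html file described above holds a complete HTTP response, so the `Content-Length: xyz` placeholder has to be replaced with the exact byte count of the body. This Python sketch builds such a file and checks an existing one; the function names and sample bodies are made up for illustration.

```python
# Added example: build and sanity-check a raw HTTP response for use as an errorfile.
CRLF = b"\r\n"

def build_errorfile(body_html: str, charset: str = "iso-8859-1") -> bytes:
    """Return the 429 response from the thread with a correct Content-Length."""
    body = body_html.encode(charset)  # length is counted in bytes, not characters
    head = [
        b"HTTP/1.1 429 Too Many Requests",
        b"Cache-Control: no-cache",
        b"Content-Length: " + str(len(body)).encode("ascii"),
        b"Content-Type: text/html; charset=" + charset.encode("ascii"),
        b"Connection: close",
    ]
    return CRLF.join(head) + CRLF + CRLF + body

def check_errorfile(raw: bytes) -> list:
    """Return a list of problems found in an errorfile (empty list means OK)."""
    problems = []
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        # Files saved from a Unix editor often have bare LF line endings.
        head, sep, body = raw.partition(b"\n\n")
        if not sep:
            return ["no blank line between headers and body"]
        problems.append("bare LF line endings; HTTP expects CRLF")
    lines = head.splitlines()
    if not lines or not lines[0].startswith(b"HTTP/1."):
        problems.append("first line is not an HTTP status line")
    declared = None
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            declared = value.strip()
    if declared is None:
        problems.append("missing Content-Length")
    elif not declared.isdigit():
        problems.append("Content-Length is not a number: %r" % declared.decode("latin-1"))
    elif int(declared) != len(body):
        problems.append("Content-Length %d but body is %d bytes" % (int(declared), len(body)))
    return problems

if __name__ == "__main__":
    # Constructed sample body; write the result to the path used in the errorfile line.
    raw = build_errorfile("<html><body><h1>429 Too Many Requests</h1></body></html>\n")
    print(raw.decode("iso-8859-1"))
    print(check_errorfile(raw) or "errorfile looks consistent")
```

A trailing newline added by an editor counts toward the body length, so run the check again after any manual edit of the file.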

