On Mon, Aug 4, 2014 at 2:56 PM, Zbyněk Vymazal <[email protected]> wrote:
> Thanks Jarno,
>
> That worked for me!
>
> Regards,
>
> Zbynek
>
> On 04 Aug 2014, at 08:53, Jarno Huuskonen <[email protected]> wrote:
>
>> Hi,
>>
>> On Fri, Aug 01, Zbyněk Vymazal wrote:
>>> Hello,
>>>
>>> I'd like to ask for advice on how to return a custom HTTP error code when a rate
>>> limit rule is triggered. I have sort of followed the configuration
>>> described here:
>>> http://blog.haproxy.com/2012/02/27/use-a-load-balancer-as-a-first-row-of-defense-against-ddos/
>>> (Limiting the HTTP request rate) with some modifications, and the rate
>>> limiting works as required.
>>>
>>> I'd like to ask if there is a way to return a 429 error instead of the 403
>>> that is returned now by the rule http-request deny?
>>>
>>> The interesting part of the config file looks like this:
>>>
>>> frontend:
>>>
>>>     stick-table type ip size 10k expire 30s store gpc0
>>>
>>>     # Refuse a new connection from an abuser
>>>     tcp-request connection reject if { sc0_get_gpc0 gt 0 }
>>>
>>>     # Return a 403 for requests in an established connection
>>>     http-request deny if { sc0_get_gpc0 gt 0 }
>>>
>>
>> You might be able to (ab)use a backend / error file to return a 429
>> error:
>>
>> frontend:
>>     ...
>>     use_backend BE_429 if { sc0_get_gpc0 gt 0 }
>>
>> backend BE_429
>>     errorfile 503 /path/to/errors/429.html
>>     # no servers etc. in this backend
>>
>> and in 429.html:
>>
>> HTTP/1.1 429 Too Many Requests
>> Cache-Control: no-cache
>> Content-Length: xyz
>> Content-Type: text/html; charset=iso-8859-1
>> Connection: close
>>
>> and your HTML error message (or Content-Length: 0 and no HTML error
>> msg).
>>
>> -Jarno
>>
>>> backend:
>>>
>>>     stick-table type ip size 10k expire 30s store http_req_rate(10s)
>>>
>>>     # Parse X-Forwarded-For header and add source IP to the sticky tables for
>>>     # request rate control
>>>     tcp-request content track-sc0 hdr_ip(X-Forwarded-For,1) table ft_web
>>>     tcp-request content track-sc1 hdr_ip(X-Forwarded-For,1) table bk_web
>>>
>>>     # If the source IP sent 50 or more http requests over the defined period
>>>     # flag the IP as an abuser
>>>     acl abuse sc1_http_req_rate gt 50
>>>     acl flag_abuser sc0_inc_gpc0(ft_web) gt 0
>>>
>>>     # Return a 403 to the abuser
>>>     http-request deny if abuse flag_abuser
>>>
>>> Thanks for your help.
>>>
>>> Kind Regards,
>>>
>>> Zbynek
>>
>> --
>> Jarno Huuskonen
>
>
Or simply errorfile 403 /path/to/errors/429.html (with the same content for 429.html) in the backend where you do the "http-request deny" rule.

Baptiste
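The errorfile approach from Jarno's and Baptiste's replies, as an added example that is not code from the thread or from the HAProxy project: a POSIX shell script that writes the 429 errorfile with a Content-Length computed from the actual body (the "xyz" above has to be exact, because HAProxy sends the file byte-for-byte and a wrong length makes clients hang or truncate the page), checks that length back, and writes the matching rate-limit fragment using Baptiste's shorter form (errorfile 403 next to the http-request deny rule). The file paths, the frontend/backend names and the sample body are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: generate the raw-HTTP errorfile that
# HAProxy serves to rate-limited clients (429 instead of 403) and verify that its
# Content-Length matches the body. HAProxy sends an errorfile verbatim, so the
# status line, headers, blank line and CRLF line endings all have to be in it.
# File paths and the frontend/backend names below are assumptions.
set -eu

# Constructed sample body for the 429 page.
ERR_BODY='<html><body>
<h1>429 Too Many Requests</h1>
<p>You have sent too many requests in a short period. Please slow down.</p>
</body></html>
'

# write_429_errorfile FILE
# Writes a complete HTTP/1.1 response; Content-Length is computed from ERR_BODY.
write_429_errorfile() {
    file=$1
    len=$(printf '%s' "$ERR_BODY" | wc -c | tr -d ' ')
    {
        printf 'HTTP/1.1 429 Too Many Requests\r\n'
        printf 'Cache-Control: no-cache\r\n'
        printf 'Content-Length: %s\r\n' "$len"
        printf 'Content-Type: text/html; charset=iso-8859-1\r\n'
        printf 'Connection: close\r\n'
        printf '\r\n'
        printf '%s' "$ERR_BODY"
    } > "$file"
}

# content_length_matches FILE
# Returns 0 when the declared Content-Length equals the number of body bytes
# after the header/body separator, 1 otherwise. Run this before reloading HAProxy.
content_length_matches() {
    file=$1
    cr=$(printf '\r')
    declared=$(sed -n "s/^Content-Length: \([0-9]*\)${cr}\$/\1/p" "$file")
    # Header bytes = everything up to and including the first CRLF-only line.
    hdr_bytes=$(sed "/^${cr}\$/q" "$file" | wc -c | tr -d ' ')
    total=$(wc -c < "$file" | tr -d ' ')
    actual=$((total - hdr_bytes))
    [ -n "$declared" ] && [ "$declared" -eq "$actual" ]
}

# write_haproxy_fragment FILE
# Writes the rate-limit configuration in the shape discussed in the thread, with
# Baptiste's trick: "http-request deny" still selects the 403 error internally,
# and "errorfile 403" swaps in the 429 file written above.
write_haproxy_fragment() {
    cat > "$1" <<'EOF'
frontend ft_web
    bind *:80
    stick-table type ip size 10k expire 30s store gpc0,http_req_rate(10s)
    tcp-request connection track-sc0 src
    # Already flagged as an abuser, or more than 50 requests in the last 10s
    acl flagged  sc0_get_gpc0 gt 0
    acl abuse    sc0_http_req_rate gt 50
    acl mark     sc0_inc_gpc0 gt 0
    http-request deny if flagged
    http-request deny if abuse mark
    # Assumed path; the file must be a complete HTTP response (see write_429_errorfile)
    errorfile 403 /etc/haproxy/errors/429.html
    default_backend bk_web

backend bk_web
    server web1 127.0.0.1:8080
EOF
}

# Usage: sh make_429.sh /etc/haproxy/errors/429.html [/etc/haproxy/conf.d/ratelimit.cfg]
if [ $# -ge 1 ]; then
    write_429_errorfile "$1"
    if content_length_matches "$1"; then
        echo "wrote $1 (Content-Length OK)"
    else
        echo "Content-Length mismatch in $1" >&2
        exit 1
    fi
fi
if [ $# -ge 2 ]; then
    write_haproxy_fragment "$2"
fi
```

The errorfile keyword is keyed on the status HAProxy chose internally (403 for a deny), while the status the client sees is whatever the first line of the file says; that is why an "errorfile 403" can deliver a 429. On HAProxy 1.8 and later the same result is available without the trick via "http-request deny deny_status 429".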

