Hi Baptiste,
Thanks, that fixes my issue indeed with the following:
tcp-request inspect-delay 10s
tcp-request content track-sc1 base32+src if METH_GET wp_login
tcp-request content accept if HTTP
I didn't think about inspect-delay because both frontend and backend are
using 'mode http', and I only used to use inspect-delay with frontends
using tcp mode. Though maybe the 'tcp-request' should have given me that
hint. The 'accept' must be below the 'track-sc1' to make it work.
Could you perhaps also add this to the blog article, or should I post a
comment under it for other people to not fall into the same mistake?
Thanks,
PiBa-NL
Baptiste wrote on 7-9-2014 11:38:
On Sat, Sep 6, 2014 at 9:16 PM, PiBa-NL <[email protected]> wrote:
Hi list,
Inspired by a blog about WordPress brute-force protection [0], I'm trying to
use this same kind of method in a frontend/backend configuration.
I did change the method from POST to GET, for easier testing, but that
doesn't matter for retrieving the gpc counter, does it?
So I was trying to use this:
tcp-request content track-sc1 base32+src if METH_GET login
It however doesn't seem to work using HAProxy 1.5.3; the acl containing
"sc1_get_gpc0 gt 0" never seems to get the correct gpc0 value, even though I
have examined the stick-table and the gpc0 value there is increasing.
If I change it to the following it starts working:
tcp-request content track-sc1 base32+src
Even though the use_backend in both cases checks those first criteria:
acl flagged_as_abuser sc1_get_gpc0 gt 0
use_backend pb3_453_http if METH_GET wp_login flagged_as_abuser
Am I doing something wrong, is the blog outdated, or was a bug introduced
somewhere?
If more information, perhaps -vv or full config, is needed, let me know.
Thanks for any reply.
p.s. did anyone get my other emails a while back? [1]
Kind regards,
PiBa-NL
[0] http://blog.haproxy.com/2013/04/26/wordpress-cms-brute-force-protection-with-haproxy/
[1] http://marc.info/?l=haproxy&m=140821298806125&w=2
Hi,
Please let us know if you have the following configuration lines (or
equivalent), before your tracking rule:
tcp-request inspect-delay 10s
tcp-request content accept if HTTP
Baptiste
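
The rule ordering worked out in this thread, placed in a complete frontend as an added example (it is not taken from the e-mails or from the blog's configuration). The section names, addresses, table sizing and the 5-requests-per-20s threshold are assumptions.

```haproxy
# Added example (constructed). Names, addresses and limits are assumptions.
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend fe_web
    bind :80
    # Key is base32 (4 bytes) + src (up to 16 bytes for IPv6) = 20 bytes.
    stick-table type binary len 20 size 500 store gpc0,http_req_rate(20s) expire 12h

    acl wp_login path_beg -i /wp-login.php

    # Even in 'mode http', tcp-request content rules are judged on the bytes
    # received so far. Without an inspect-delay, METH_GET / wp_login may not be
    # evaluable yet and the conditional track-sc1 is silently skipped.
    tcp-request inspect-delay 10s

    # Track BEFORE accept: 'accept' is final and ends rule evaluation, so a
    # track rule placed after it is never reached.
    tcp-request content track-sc1 base32+src if METH_GET wp_login
    tcp-request content accept if HTTP

    acl too_fast          sc1_http_req_rate gt 5
    acl mark_abuser       sc1_inc_gpc0 gt 0     # side effect: sets the flag
    acl flagged_as_abuser sc1_get_gpc0 gt 0     # reads the flag only

    # Already flagged: keep sending login attempts to the blocking backend.
    use_backend bk_blocked if METH_GET wp_login flagged_as_abuser
    # Over the limit: flag the entry (mark_abuser is only evaluated when
    # too_fast is true) and block this request as well.
    use_backend bk_blocked if METH_GET wp_login too_fast mark_abuser
    default_backend bk_wordpress

backend bk_wordpress
    server wp1 192.0.2.10:80 check

backend bk_blocked
    http-request deny
```

To confirm that tracking works, check that an entry appears with `show table fe_web` on the stats socket after a request to the login path, and that its gpc0 value matches what the `flagged_as_abuser` acl acts on.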