On Thu, Jan 15, 2015 at 10:41 PM, Jason J. W. Williams
<[email protected]> wrote:
> Hi,
>
> I'm converting an older listen configuration to a frontend/backend set
> up for SSL...would the following directives be better suited in the
> frontend or the backend section?
>
> # Persistently map clients to backends by client IP
> stick-table type ip size XX expire YY peers ZZ
> stick on src
>
> # Reject blacklisted IPs
> tcp-request connection reject if { src -f ABC }
>
> # Slow down abusive clients
> acl too_fast fe_sess_rate ge X
> tcp-request inspect-delay X
> tcp-request connection reject if { src_conn_cur ge X }
> tcp-request connection track-sc1 src
> tcp-request content accept if ! too_fast
> tcp-request content accept if WAIT_END
>
> Thank you in advance.
>
> -J
>
Hi Jason,
Anything related to persistence should go to the backend.
Anything related to accepting tcp connection should go in the frontend.
Here is what I would do:
backend bk_XXX
  # Persistently map clients to backends by client IP
  stick-table type ip size XX expire YY peers ZZ
  stick on src

frontend fe_XXX
  # Reject blacklisted IPs
  tcp-request connection reject if { src -f ABC }
  # Slow down abusive clients
  acl too_fast fe_sess_rate ge X
  tcp-request inspect-delay X
  tcp-request connection reject if { src_conn_cur ge X }
  tcp-request connection track-sc1 src table(bk_XXX)
  tcp-request content accept if ! too_fast
  tcp-request content accept if WAIT_END
Baptiste
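For readers who want to see the split above as a complete, loadable configuration, here is an added example (not from the thread) with constructed placeholder values. It assumes a blacklist file at /etc/haproxy/blacklist.lst, illustrative peer addresses and backend servers, and that the stick-table must store conn_cur for the frontend's per-source connection lookup to return a value.

```haproxy
# Added example, not part of the original mailing-list exchange.
# Placeholder values (addresses, file paths, limits) are constructed.

global
    log /dev/log local0

defaults
    mode http
    log global
    timeout connect 5s
    timeout client 30s
    timeout server 30s

peers mypeers
    peer haproxy1 192.0.2.10:1024
    peer haproxy2 192.0.2.11:1024

frontend fe_www
    bind :443 ssl crt /etc/haproxy/certs/site.pem

    # Connection-level rules run at accept time, before the TLS handshake,
    # so blacklisted sources cost no handshake work
    tcp-request connection reject if { src -f /etc/haproxy/blacklist.lst }

    # Per-source concurrency cap: the counter lives in the backend's table,
    # so the table is named explicitly in both the lookup and the tracking
    tcp-request connection reject if { src_conn_cur(bk_www) ge 20 }
    tcp-request connection track-sc1 src table bk_www

    # When the frontend exceeds 100 sessions/s, hold new sessions for the
    # inspect delay instead of rejecting them; otherwise accept at once
    acl too_fast fe_sess_rate ge 100
    tcp-request inspect-delay 5s
    tcp-request content accept if ! too_fast
    tcp-request content accept if WAIT_END

    default_backend bk_www

backend bk_www
    # Persistence by client IP, shared across peers; conn_cur is stored
    # so the frontend's src_conn_cur lookup has data to read
    stick-table type ip size 200k expire 30m peers mypeers store conn_cur
    stick on src
    server web1 10.0.0.11:8080 check
    server web2 10.0.0.12:8080 check
```

Run `haproxy -c -f <file>` to validate the file before reloading; a missing blacklist file or certificate will be reported at that stage.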