I am in the same fix. No matter what we try, the data to address is the real laptop/desktop/cellphone/server count. That count is skewed as soon as there are a hundred laptops/desktops behind a router.
Best I heard is from Willy himself, suggestion to use base32+src. At the cost of losing plain text and having a binary to use in acl but works for now.
Grateful to have HAProxy in the first place.

Regards,

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Long Wu Yuan 龙 武 缘
Sr. Linux Engineer 高级工程师
ChinaNetCloud 云络网络科技(上海)有限公司 | www.ChinaNetCloud.com
1238 Xietu Lu, X2 Space 1-601, Shanghai, China | 中国上海市徐汇区斜土路1238号X2空间1-601室
24x7 Support Hotline: +86-400-618-0024 | Office Tel: +86-(21)-6422-1946
We are hiring! http://careers.chinanetcloud.com | Customer Portal - https://customer-portal.service.chinanetcloud.com/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

On Tue, Jan 27, 2015 at 1:57 AM, CJ Ess <zxcvbn4...@gmail.com> wrote:

> I am upgrading my environment from haproxy 1.3/1.4 to haproxy 1.5 but as
> of yet am not using any of the newer features.
>
> I'm intrigued with using the stick table facilities in haproxy 1.5 to help
> mitigate the impact of malicious users and that seems to be a common goal -
> however I haven't seen any discussion about large groups of users behind
> NATs and firewalls (businesses, universities, mobile, etc.) Has anyone
> found a happy median between these two concerns? Aside from white listing
> and the blocks aging out over time.
>
> One thought I had, in a virtual hosting environment, was to use a stick
> table to track the number of requests by Host header, and direct requests
> to a different backend (with dedicated resources) once requests for a
> particular vhost crosses a threshold - and rejoin the common pool once the
> traffic dies down. Has anyone been successful with a similar setup?
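
For reference, a sketch of the two ideas in this thread (tracking on base32+src, and moving a busy vhost to a dedicated backend) as an HAProxy 1.5 configuration. This is an added example, not configuration posted by either participant; the backend names, server addresses, table sizes and thresholds are all assumptions.

```haproxy
# Added example; names, addresses and thresholds are assumptions.
global
    maxconn 4096

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Per-vhost counters live in their own table so they can be tracked
# independently of the per-client counters held in the frontend.
backend vhost_rate
    stick-table type string len 64 size 100k expire 10m store http_req_rate(10s)

frontend fe_http
    bind :80

    # base32+src yields 8 bytes for IPv4 clients and 20 for IPv6;
    # shorter keys are zero-padded to len, so 20 holds both.
    stick-table type binary len 20 size 1m expire 10m store http_req_rate(10s)

    tcp-request inspect-delay 5s
    # sc0: one counter per (hash of Host+path, source address).
    tcp-request content track-sc0 base32+src if HTTP
    # sc1: one counter per Host header, shared by all clients.
    tcp-request content track-sc1 req.hdr(host) table vhost_rate if HTTP

    # Weak variant for comparison: keying on src alone (table "type ip")
    # gives every client behind one NAT address a single shared counter.
    # tcp-request content track-sc0 src if HTTP

    acl client_abuse sc0_http_req_rate gt 100
    acl vhost_busy   sc1_http_req_rate gt 500

    http-request deny if client_abuse
    use_backend be_dedicated if vhost_busy
    default_backend be_common

backend be_common
    server web1 192.0.2.10:80 check

backend be_dedicated
    server web2 192.0.2.20:80 check
```

Clients behind the same address that request the same Host and path still share one sc0 counter; the key only narrows the overlap. Because `http_req_rate(10s)` is a sliding rate, a vhost falls back to `be_common` once its request rate drops below the threshold.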