I tried

acl allowed sc2_conn_cur lt 2
block unless allowed

it blocked every access :(

Klavs Klavsen wrote on 03/24/2015 01:19 PM:
Can I perhaps do something like:

tcp-request content  track-sc2 hdr(X-Forwarded-For)
acl conn_limit_hit  sc2_conn_cur gt 2

?

Klavs Klavsen wrote on 03/24/2015 01:11 PM:
Hi,

We would like to limit how many connections a given IP can send to our
backend.

Our setup is like this:
haproxy -> varnish -> haproxy -> webservers

and we'd like to have the frontend behind varnish (we call it nocache :)
limit concurrent connections any IP can have.. (to 1 or 2 is the idea)..

I've googled and read.. and it seems stick-table should be used..

My current setup looks something like this (based/stolen from
http://fotoarkiv.com/wordpress/limiting-the-number-of-active-users-on-a-site-using-haproxy/ ):

frontend nocache
..
#create a stick-table of 30 IPs for storing active IPs, 5 minute timeout
stick-table type ip size 30 expire 5m store gpc0
#populate the table with the X-Forwarded-For header
stick store-request hdr(X-Forwarded-For)
#allow new users if we have more than 1 available slot in the stick table
acl allowed table_avl(nocache) gt 1

#if not allowed above, go away
block unless allowed

but it looks for "available slots in stick-table".. I'd like to simply
block if the ip already has more than 2 connections..

I figured I could use src_conn_cnt.. but I need it to use the ip in
X-Forwarded-For..

How can I do that?

Thank you in advance

--
Regards,
Klavs Klavsen, GSEC - [email protected] - http://www.vsen.dk - Tlf. 61281200

"Those who do not understand Unix are condemned to reinvent it, poorly."
  --Henry Spencer
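For reference, here is the per-IP concurrent-connection limit the thread is asking about, written out as a complete frontend. This is an added example, not config from the mails above or from the fotoarkiv.com post. The bind port, the backend name and server addresses, the limit of 2, and the assumption that the first address in X-Forwarded-For is the real client (i.e. the front haproxy/varnish set it and no untrusted header reaches this frontend) are all assumptions.

```haproxy
# Added example, not from the thread: limit concurrent connections per
# client IP taken from X-Forwarded-For. Port, backend name, server
# addresses and the limit of 2 are assumptions.
frontend nocache
    bind *:8080
    mode http

    # Key the table on the client IP and store conn_cur. The sc2_conn_cur
    # fetch reads this counter from the table, so a table that only
    # stores gpc0 has nothing for it to return, and an ACL built on it
    # never matches.
    stick-table type ip size 100k expire 5m store conn_cur

    # Track the client IP from X-Forwarded-For in sticky counter 2.
    # http-request rules run after the request headers are parsed, so
    # hdr_ip() always has the header available. (tcp-request content
    # rules in HTTP mode may run before the headers are complete unless
    # you add a "tcp-request inspect-delay".)
    # Assumption: occurrence 1 (the first address) is the real client.
    http-request track-sc2 hdr_ip(X-Forwarded-For,1)

    # This session is already counted by the track-sc2 line above, so
    # with two requests already in flight for this IP the third one sees
    # conn_cur == 3 and is refused.
    acl conn_limit_hit sc2_conn_cur gt 2
    http-request deny if conn_limit_hit

    default_backend webservers

backend webservers
    # Assumed server addresses.
    server web1 10.0.0.11:80 check
    server web2 10.0.0.12:80 check
```

The ordering of the two http-request lines matters: tracking has to start before the deny rule reads the counter, otherwise the counter is evaluated for an untracked session. Which occurrence of X-Forwarded-For to key on depends on what the proxies in front append; if varnish appends the front haproxy's address, the last entry is not the client, and if clients can inject their own header the first entry is not trustworthy either, so the front haproxy should set (not just append) the header for this to hold.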

