Hi Klavs,
Please give a try to the configuration below:
frontend nocache
mode http
..
option httplog
option accept-invalid-http-request
stick-table type ip size 100k expire 30s store conn_cur
tcp-request inspect-delay 5s
# 'accept' ends the rule evaluation, so track and reject must come before it
tcp-request content track-sc1 hdr(X-Forwarded-For) if HTTP
tcp-request content reject if { sc1_conn_cur ge 10 }
tcp-request content accept if HTTP
'tcp-request connection' is executed when the connection has just
arrived in HAProxy, so the X-Forwarded-For header might not have been
read yet.
The conf above uses 'tcp-request content' instead, and to be sure
we'll find the header, I've added the inspect delay, which accepts the
request once the buffer is confirmed to contain HTTP.
Baptiste
On Tue, Apr 7, 2015 at 12:33 PM, Klavs Klavsen <[email protected]> wrote:
> Back from easter vacation :)
>
> Baptiste wrote on 03/25/2015 10:30 AM:
>>
>> Hi,
>>
>> some useful examples can be taken from this blog post:
>>
>> http://blog.haproxy.com/2012/02/27/use-a-load-balancer-as-a-first-row-of-defense-against-ddos/
>>
>> Just replace src by hdr(X-Forwarded-For).
>>
>
> Tried:
>
> frontend nocache
> mode http
> ..
> option httplog
> option accept-invalid-http-request
> stick-table type ip size 100k expire 30s store conn_cur
> tcp-request connection reject if { src_conn_cur ge 10 }
> tcp-request connection track-sc1 hdr(X-Forwarded-For)
> ..
>
> but haproxy complains:
> 'tcp-request connection track-sc1' : fetch method 'hdr(X-Forwarded-For)'
> extracts information from 'HTTP request headers,HTTP response headers', none
> of which is available here
>
> I took the example from
> http://blog.haproxy.com/2012/02/27/use-a-load-balancer-as-a-first-row-of-defense-against-ddos/
>
> :(
>
>
> --
> Regards,
> Klavs Klavsen, GSEC - [email protected] - http://www.vsen.dk - Tlf. 61281200
>
> "Those who do not understand Unix are condemned to reinvent it, poorly."
> --Henry Spencer
>
>
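The stick-table limit discussed above, modelled in Python as an added example (not HAProxy's code and not from either message): a 'type ip' table keyed on X-Forwarded-For, conn_cur incremented by tracking, the tenth concurrent connection refused, and the header only readable once a complete HTTP request head is buffered. The addresses, the `request()` helper and the first-address choice for comma-separated lists are assumptions.

```python
"""Added model of the stick-table limit from this thread (constructed
example, not HAProxy code): connections are counted per X-Forwarded-For
address, the 10th is refused, and the header needs a complete HTTP head."""
from collections import defaultdict

CONN_LIMIT = 10  # mirrors: reject if { sc1_conn_cur ge 10 }


def xff_address(buffer: bytes):
    """X-Forwarded-For address, or None while the request head is incomplete.

    At connection time the buffer is still empty, which is why the fetch is
    unavailable in 'tcp-request connection'. Assumption: the first address
    of a comma-separated list is the one a 'type ip' table would be keyed on."""
    head_end = buffer.find(b"\r\n\r\n")
    if head_end < 0:
        return None  # not a complete HTTP head yet: keep inspecting
    for line in buffer[:head_end].split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"x-forwarded-for":
            return value.decode("ascii", "replace").split(",")[0].strip()
    return None


class XffStickTable:
    """conn_cur per address, as 'track-sc1 hdr(X-Forwarded-For)' keeps it."""

    def __init__(self, limit=CONN_LIMIT):
        self.limit = limit
        self.conn_cur = defaultdict(int)

    def on_request(self, buffer: bytes) -> str:
        """Decision for one connection whose request buffer has arrived."""
        addr = xff_address(buffer)
        if addr is None:
            return "untracked"  # no key: the header was absent or unread
        self.conn_cur[addr] += 1  # track-sc1 counts this connection too
        if self.conn_cur[addr] >= self.limit:
            self.conn_cur[addr] -= 1  # a rejected connection is closed
            return "reject"
        return "accept"

    def on_close(self, addr: str) -> None:
        self.conn_cur[addr] = max(0, self.conn_cur[addr] - 1)


def request(addr: str) -> bytes:
    # Constructed request as a front proxy would forward it (assumed format).
    return (b"GET / HTTP/1.1\r\nHost: example.test\r\n"
            b"X-Forwarded-For: " + addr.encode() + b"\r\n\r\n")
```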