Hi Baptiste,

Thank you very much for your help.

Unfortunately it didn't work. I tried this:

frontend kms-ds-nocache
  bind x.x.x.x:80
  mode  http
  balance  roundrobin
  default_backend  kms-ds-backend
  option  httplog
  option  accept-invalid-http-request
  stick-table  type ip size 100k expire 30s store conn_cur
  tcp-request content accept  if HTTP
  tcp-request content reject  if { sc1_conn_cur ge 2 }
  tcp-request content track-sc1  hdr(X-Forwarded-For)
  tcp-request inspect-delay  5s

and I was still able to have 5 connections. (I call a PHP script, using curl, which sleeps for 40 seconds :)

Baptiste wrote on 04/09/2015 11:28 PM:
Hi Klavs,

Please give a try to the configuration below:
frontend nocache
   mode  http
..
   option  httplog
   option  accept-invalid-http-request
   stick-table  type ip size 100k expire 30s store conn_cur
   tcp-request inspect-delay 5s
   tcp-request content accept if HTTP
   tcp-request content track-sc1  hdr(X-Forwarded-For)
   tcp-request content reject  if { sc1_conn_cur ge 10 }

'tcp-request connection' is executed when the connection has just
arrived in HAProxy, so the X-Forwarded-For header might not have been
read yet.
The conf above uses 'tcp-request content' instead, and to be sure
we'll find the header, I've added the inspect delay, which accepts the
request once the buffer is confirmed to contain HTTP.

Baptiste


On Tue, Apr 7, 2015 at 12:33 PM, Klavs Klavsen <[email protected]> wrote:
Back from easter vacation :)

Baptiste wrote on 03/25/2015 10:30 AM:

Hi,

some useful examples can be taken from this blog post:

http://blog.haproxy.com/2012/02/27/use-a-load-balancer-as-a-first-row-of-defense-against-ddos/

Just replace src by hdr(X-Forwarded-For).


Tried:

frontend nocache
   mode  http
..
   option  httplog
   option  accept-invalid-http-request
   stick-table  type ip size 100k expire 30s store conn_cur
   tcp-request connection reject  if { src_conn_cur ge 10 }
   tcp-request connection track-sc1  hdr(X-Forwarded-For)
..

but haproxy complains:
'tcp-request connection track-sc1' : fetch method 'hdr(X-Forwarded-For)'
extracts information from 'HTTP request headers,HTTP response headers', none
of which is available here

I took the example from
http://blog.haproxy.com/2012/02/27/use-a-load-balancer-as-a-first-row-of-defense-against-ddos/

:(


--
Regards,
Klavs Klavsen, GSEC - [email protected] - http://www.vsen.dk - Tlf. 61281200

"Those who do not understand Unix are condemned to reinvent it, poorly."
   --Henry Spencer




--
Regards,
Klavs Klavsen, GSEC - [email protected] - http://www.vsen.dk - Tlf. 61281200

"Those who do not understand Unix are condemned to reinvent it, poorly."
  --Henry Spencer
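Added example, not from either poster in this thread: a frontend that limits concurrent connections per X-Forwarded-For address, with the 'tcp-request content' rules put in an order that actually works. HAProxy evaluates these rules in declaration order and an 'accept' (or 'reject') that matches stops evaluation of everything below it, so in both configurations above the 'accept if HTTP' rule fires before the track and reject rules are ever reached. The frontend name, bind address, backend name and the limit of 2 are placeholders taken from the thread; the example assumes HAProxy 1.5 or later and a trusted proxy in front of HAProxy that sets X-Forwarded-For.

```haproxy
# Added example (not the original poster's config). Assumptions: HAProxy 1.5+,
# a trusted upstream proxy sets X-Forwarded-For, backend "kms-ds-backend" exists,
# and the bind address / limit of 2 are placeholders.
frontend kms-ds-nocache
    bind x.x.x.x:80
    mode http
    option httplog
    default_backend kms-ds-backend

    # One entry per client IP. conn_cur counts the sessions currently
    # tracked against that entry and is decremented when a session ends.
    stick-table type ip size 100k expire 30s store conn_cur

    # Give the client up to 5s to send a request so the header is in the buffer.
    tcp-request inspect-delay 5s

    # 1. Track FIRST. The "if HTTP" condition cannot be decided until the buffer
    #    holds a request, so this rule waits (up to inspect-delay) rather than
    #    tracking an empty key. Tracking here is what increments conn_cur.
    tcp-request content track-sc1 hdr(X-Forwarded-For) if HTTP

    # 2. Reject AFTER tracking, so the session being tested is itself counted:
    #    the 3rd simultaneous connection from one address sees conn_cur == 3.
    tcp-request content reject if { sc1_conn_cur gt 2 }

    # 3. Accept LAST. An accept that matches stops rule evaluation, which is
    #    why "accept if HTTP" must not sit above the track/reject rules.
    tcp-request content accept if HTTP
```

Two caveats a practitioner should keep in mind. The reject happens at the TCP level, so a rejected client sees a closed connection rather than an HTTP error; if a 429 or 503 is preferred, 'http-request deny' on the same sc1_conn_cur condition can be used instead of the 'tcp-request content reject'. More importantly, X-Forwarded-For is a client-supplied header: if clients can reach this frontend directly rather than only through a proxy that overwrites the header, each client can choose its own key (or send a fresh value per request) and sidestep the limit entirely, in which case keying the table on 'src' is the safer choice.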