2015-07-22 9:41 GMT+02:00 Baptiste <[email protected]>:
> On Mon, Jul 20, 2015 at 8:19 PM, [email protected] <[email protected]> wrote:
>> 2015-07-13 18:07 GMT+02:00 [email protected] <[email protected]>:
>>> Hi,
>>>
>>> I'm using stick-tables to track requests and block abusers if needed.
>>> Abusers should be blocked only for a short period of time and I want a
>>> stick-table entry to expire.
>>>
>>> Therefore, I have to check if the client is already marked as an
>>> abuser and do not track this client.
>>>
>>> example config:
>>>
>>> frontend fe_http_in
>>>     bind 127.0.0.1:8001
>>>     stick-table type ip size 100k expire 600s store gpc0
>>>
>>>     # Not working
>>>     # acl is_overlimit sc0_get_gpc0(fe_http_in) gt 0
>>>
>>>     # Working
>>>     # acl is_overlimit src_get_gpc0(fe_http_in) gt 0
>>>
>>>     tcp-request connection track-sc0 src if !is_overlimit
>>>     default_backend be
>>>
>>> backend be
>>>     ... incrementing gpc0 ( with "sc0_inc_gpc0") ...
>>>
>>> If I use "sc0_get_gpc0", the stick-table entry will never expire
>>> because the timer will be reset (tcp-request connection track-sc0
>>> ... seems to ignore this acl).
>>>
>>> With "src_get_gpc0" everything works as expected.
>>>
>>> Both ACLs are correct and triggered (verified with debug headers
>>> (http-response set-header ...))
>>>
>>> What's the difference between these ACLs in conjunction with
>>> "tcp-request connection track-sc0 ..." ?
>>>
>>> Is this a bug or intended behaviour ?
>>>
>>> -----------
>>> Bjoern
>>
>> Has anyone observed the same behaviour or know if this is the
>> correct behaviour?
>>
>> -----------
>> Bjoern
>
> Hi,
>
> This is not doable in 1.5.
> In upcoming 1.6, you can "copy" the data into a blacklist purpose
> stick table with an expire argument, then use the "in_table" converter
> to know if a request is blacklisted or not.
>
> When you use "sc0_*" function, you refresh the data in the table.
>
> Baptiste

Hi Baptiste,

thank you for answering. At the moment I'm testing 1.6 to bring it into production soon.

Do you have an example config snippet for your suggestion?

--------------
Bjoern
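
One way to lay out the two-table approach described in the reply above, as an added example that is not part of the original thread and not Baptiste's configuration. The names bk_blacklist and app1, the 60s block time, the conn_rate threshold used to detect abuse and the server address are assumptions chosen for illustration.

```haproxy
# Added example for HAProxy 1.6. Table names, timers, the abuse test
# and the server address are assumptions, not taken from the thread.
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Block list: the presence of an entry means "blocked".
# The entry disappears 60s after it was last tracked.
backend bk_blacklist
    stick-table type ip size 100k expire 60s store gpc0

frontend fe_http_in
    bind 127.0.0.1:8001

    # Tracking table used to measure each source address.
    stick-table type ip size 100k expire 600s store conn_rate(10s)

    # Lookup only: in_table tells whether src has an entry in the
    # block list. No track-sc rule runs here, so a blocked client
    # that keeps connecting is never tracked into bk_blacklist again.
    acl is_blacklisted src,in_table(bk_blacklist)
    tcp-request connection reject if is_blacklisted

    # Clients that are not blocked are tracked as usual.
    tcp-request connection track-sc0 src

    # Assumed abuse test: more than 20 connections within 10s.
    acl is_abuser sc0_conn_rate gt 20

    # "Copy" the abuser into the block list by tracking the same key
    # in the second table; its own expire starts counting from here.
    tcp-request connection track-sc1 src table bk_blacklist if is_abuser

    default_backend be

backend be
    server app1 127.0.0.1:8080   # placeholder server
```

Checking the file with `haproxy -c -f <file>` before loading it will confirm that the running version knows the in_table converter.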

