On Wed, Dec 2, 2015 at 7:01 PM, John Pingel <jake.pin...@gmail.com> wrote:
> Willy, Thierry, and all:
>
> My employer uses an external service provider that requires that we do not
> over use their services.    So, I need to use HAProxy to help throttle/limit
> the max number of user connections per day (i.e. 2000 JSP page views/day for
> all internal users at my employer) from inside my employer’s network out to
> the service provider’s specific destination URL RegExs.  This seems to be
> the reverse of how HAProxy is normaly setup to protect a company’s services
> from abusive outside connections!
>
> So we are considering setting up one or two HAProxy servers in the following
> way:
>
> Any user in my employer’s network
>   |=> our DNS [setup pointer entries in DNS for the following to all point
>       to related virtual hosts on HAProxy:
>         some.service1.provider.com
>         some.service2.provider.com
>         some.service3.provider.com]
>   |=> our HAProxy server(s) [that throttle connection rate to given URL
>       RegExs]
>   |=> Our backend Apache httpd server(s) [that have virtual hosts which
>       redirect to real IPs of some.service*.provider.com]
>   |=> Our corporate FireWall [will only allow connections to real IP
>       addresses of some.service*.provider.com from our HAProxy server(s)]
>
> I do have a Linux Sys Admin resource offshore that has set up HAProxy at
> other companies using its “out-of-the-box” configuration options. However,
> we both are not sure whether HAProxy server’s “out-of-the-box” configuration
> options will support our requirements for throttling/limiting all outgoing
> connections to our external service provider’s destination URL RegExs for
> their JSP page views (i.e. 2000 JSP page views/day for all internal users at
> my employer):
>
> Example destination URL RegExes:
>
> “https://some.service1.provider.com/*/*.jsp*”
>
> “https://some.service2.provider.com/*/*.jsp*”
>
> “https://some.service3.provider.com/*/*.jsp*”
>
> The documentation for HAProxy 1.6 configuration seems like it can easily
> track the counts and rates of successful connections from individual user
> (i.e. source) IP addresses to specified destination URL RegExes; however, I
> don’t see how HAProxy server can be configured to track the successful
> connections from ALL internal users inside my employer’s network out to the
> destination URL RegExs!
>
> So, is there a way of tracking all of these successful connections to the
> specified destination URL RegExs in some sort of HAProxy global value table?
> And, can each of those global counters be automatically and safely:
>
> - Used in an ACL/condition that prevents new connections from being
>   made to the specified URL RegEx if it exceeds some count threshold?
>
> - incremented when any user makes a successful connection to a
>   specific URL RegEx?
>
> - reset to zero at midnight (either in some sort of HAProxy
>   configuration expression OR using some external cron job and shell script)?
>
> If the above requirements cannot easily be implemented with HAProxy’s
> “out-of-the-box” configuration options, can these requirements be
> implemented using Lua-based extensions for HAProxy?  If these requirements
> can easily be done with Lua-based extensions, how do you recommend that we
> implement it?
>
> Thanks for any help!
> John Pingel
> Email: jake.pin...@gmail.com


Hi,

Yes you can.
You have to configure your partner as a backend and pick up examples
from this blog article:
http://blog.haproxy.com/2012/02/27/use-a-load-balancer-as-a-first-row-of-defense-against-ddos/

I may write a dedicated article to request throttling soon :)

Baptiste
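
A configuration sketch of the shared daily counter asked about above, added here as an illustration; it is not part of the thread and is not taken from the linked blog article. Section names, the certificate and socket paths and the upstream address are placeholders, TLS is assumed to be terminated on HAProxy so the request path is visible, and the counter counts every tracked JSP request (including denied ones), not only successful ones.

```haproxy
# Added example: one shared counter per provider hostname, capped at 2000/day.
# All names, paths and addresses below are placeholders (assumptions).
global
    # Admin-level socket, needed for the midnight "clear table" reset.
    stats socket /var/run/haproxy.sock mode 600 level admin

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend fe_provider
    # Placeholder certificate covering the some.service*.provider.com names.
    bind :443 ssl crt /etc/haproxy/certs/provider-vhosts.pem

    # JSP page views only; path_sub is a plain substring match on the path.
    acl is_jsp path_sub -i .jsp

    # Keyed on the Host header rather than the client address, so every
    # internal user increments the same entry for a given provider host.
    # "expire" only evicts idle entries; the daily reset is done by cron.
    stick-table type string len 64 size 16 expire 48h store http_req_cnt
    http-request track-sc0 req.hdr(host),lower if is_jsp

    # Refuse further JSP views once the shared counter passes the quota.
    acl over_quota sc0_http_req_cnt gt 2000
    http-request deny if is_jsp over_quota

    default_backend be_provider

backend be_provider
    # Placeholder upstream (TEST-NET-1 address); in the design described
    # in the thread this would be the Apache httpd tier.
    server upstream1 192.0.2.10:80

# Midnight reset from cron, run as a user allowed to use the admin socket:
#   0 0 * * * echo "clear table fe_provider" | socat stdio /var/run/haproxy.sock
```

The current counters can be inspected with `show table fe_provider` on the same socket. Restrict the socket to the account that runs the reset, since admin level allows changing the running state.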
