Hi,

On 18/07/2016 at 11:30, [email protected] wrote:
> Hello,
>
> I have a sticky table for IP checks against a high connection rate (for testing
> purposes it's set now to 3 connections in 10 seconds):
>
> frontend lb-useast
> ...
>   tcp-request content track-sc0 src
>   stick-table type ip size 500k expire 30s store conn_cur,conn_rate(10s),http_req_rate(10s),http_err_rate(10s)
>   http-request add-header X-Haproxy-ACL %[req.fhdr(X-Haproxy-ACL,-1)]over-3-connections-in-10-seconds, if { src_conn_rate gt 3 }
> ...
>   default_backend logger
>
> backend logger
>   server localhost localhost:55555 send-proxy
>
> frontend logger
> ...
>   acl whitelisted req.fhdr(X-Haproxy-ACL) -m beg whitelisted,
>   acl fail-validation req.fhdr(X-Haproxy-ACL) -m found
>   http-request deny if !whitelisted fail-validation
> ...
>
> When I run 3 curl requests in a row, the table shows there were 5 connections
> with 1 failed:
> # echo "show table lb-useast" | socat - unix:/var/lib/haproxy/stats
> # table: lb-useast, type: ip, size:512000, used:1
> 0x24b3628: key=x.y.222.4 use=0 exp=26100 conn_rate(10000)=5 conn_cur=0 http_req_rate(10000)=3 http_err_rate(10000)=1

After doing some tests, indeed, it appears that with mode http and a frontend/backend, conn_rate counters are incremented twice (before and after).


> The curl command is pretty straightforward:
> for ((i=1;i<=3;i++)); do curl -s http://uat.my.com/privacy.html > /dev/null; echo $i; done

With this loop, conn_rate will be 1, then 3, then 5.

I couldn't spend more time on the issue and won't have much time for it in the next few days, but you can try a workaround by replacing tcp-request content with tcp-request connection:

  tcp-request connection track-sc0 src


> How does haproxy count connections, so it gets 5 instead of 3?
>
> PS: haproxy version is 1.5.4



--
Cyril Bonté
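Added example, not part of this thread and not haproxy code: a small Python parser for the `show table` output format quoted above (one `# table:` header line, then one row per key with `use`, `exp` and the stored counters, rate counters carrying their period in milliseconds in parentheses). It reads a constructed sample in that format, lists the keys that would match the `src_conn_rate gt 3` ACL, and flags entries whose `conn_rate` is higher than `http_req_rate` over the same period, which is the symptom of the double counting discussed in the thread. The sample addresses and counters are made up, and the `conn_rate` versus `http_req_rate` comparison is a heuristic assumed by this example, not a rule documented by haproxy.

```python
import re
from dataclasses import dataclass

# Constructed sample of "show table" output in the format shown in the thread
# (addresses, keys and counter values are made up for this example).
SAMPLE_SHOW_TABLE = """\
# table: lb-useast, type: ip, size:512000, used:2
0x24b3628: key=192.0.2.4 use=0 exp=26100 conn_rate(10000)=5 conn_cur=0 http_req_rate(10000)=3 http_err_rate(10000)=1
0x24b3700: key=198.51.100.9 use=1 exp=29800 conn_rate(10000)=1 conn_cur=1 http_req_rate(10000)=1 http_err_rate(10000)=0
"""

HEADER_RE = re.compile(
    r"^# table: (?P<name>[^,]+), type: (?P<type>\w+), size:(?P<size>\d+), used:(?P<used>\d+)$"
)
ENTRY_RE = re.compile(r"^(?P<addr>0x[0-9a-f]+): key=(?P<key>\S+)\s+(?P<fields>.*)$")
# Fields look like "conn_rate(10000)=5" (period in ms) or "conn_cur=0" (no period).
FIELD_RE = re.compile(r"(?P<name>[a-z_]+)(?:\((?P<period>\d+)\))?=(?P<value>\d+)")


@dataclass
class TableEntry:
    key: str
    use: int
    exp: int
    counters: dict  # counter name -> current value
    periods: dict   # counter name -> period in ms, rate counters only


def parse_show_table(text):
    """Return (header dict, list of TableEntry) parsed from stats-socket output."""
    header = {}
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        h = HEADER_RE.match(line)
        if h:
            header = {"name": h["name"], "type": h["type"],
                      "size": int(h["size"]), "used": int(h["used"])}
            continue
        e = ENTRY_RE.match(line)
        if not e:
            continue  # anything that is not a table row is ignored
        counters, periods = {}, {}
        for f in FIELD_RE.finditer(e["fields"]):
            counters[f["name"]] = int(f["value"])
            if f["period"] is not None:
                periods[f["name"]] = int(f["period"])
        entries.append(TableEntry(
            key=e["key"],
            use=counters.pop("use", 0),
            exp=counters.pop("exp", 0),
            counters=counters,
            periods=periods,
        ))
    return header, entries


def keys_over(entries, counter, limit):
    """Keys whose `counter` is strictly above `limit` (same semantics as `gt` in the ACL)."""
    return [e.key for e in entries if e.counters.get(counter, 0) > limit]


def conn_rate_exceeds_req_rate(entries):
    """Heuristic assumed by this example (not an haproxy rule): with one request per
    connection conn_rate and http_req_rate match, and with keep-alive conn_rate is
    lower, so conn_rate above http_req_rate over the same period is worth checking
    against the double-count symptom from the thread before acting on src_conn_rate."""
    flagged = []
    for e in entries:
        c, r = e.counters.get("conn_rate"), e.counters.get("http_req_rate")
        if (c is not None and r is not None and c > r
                and e.periods.get("conn_rate") == e.periods.get("http_req_rate")):
            flagged.append((e.key, c, r))
    return flagged


if __name__ == "__main__":
    header, entries = parse_show_table(SAMPLE_SHOW_TABLE)
    print(f"table {header['name']}: {header['used']} of {header['size']} entries used")
    print("over 3 connections in 10s:", keys_over(entries, "conn_rate", 3))
    for key, c, r in conn_rate_exceeds_req_rate(entries):
        print(f"{key}: conn_rate={c} > http_req_rate={r}, check for double counting")
```

To use it against a live instance, feed it the output of `echo "show table lb-useast" | socat - unix:/var/lib/haproxy/stats` instead of the constructed sample; the row format is the same as the one quoted in the thread.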
