Hi,
I'm currently experimenting with rate limiting requests and while this
sort of works I see an issue where sometimes the stick-table that
contains the rate-limiting variables isn't updated with every request,
allowing multiple requests to succeed even if they shouldn't.
I attached the configuration I'm using, which basically is supposed to
limit the number of requests to 1 per five seconds; if that limit is
reached the request is diverted to a separate backend that sends a 429
status telling the client to back off.
This works fine as long as the stick-table in the backend abuse-warning
is updated properly, but when I use curl from the shell to get the path
/site1/limittest I don't see an entry added in the abuse-warning
stick-table. As long as that entry doesn't appear there I can issue
requests without being limited.
I noticed that the last line of the curl output says:
* Connection #0 to host 192.168.0.100 left intact
I'm wondering if this might have something to do with it. Maybe the
stick-table is only updated when the connection closes? Is there a way
to force the entry to be created immediately?
I'm using haproxy 1.6.9 on a Fedora 24 system.
Regards,
Dennis
frontend sites-front
    bind-process 1
    bind 192.168.0.100:84
    # made explicit here (assumed; no defaults section is shown): the backends
    # below are in http mode and an http backend can only be used from an http frontend
    mode http
    acl limited_path path_beg -i /site1/limittest
    # gpc0 > 0 in the abuse-warning table marks a source that has already been flagged
    acl source_is_abuser src_get_gpc0(abuse-warning) gt 0
    # track the client address in the abuse-warning table, but only for the limited
    # path and only for sources that are not flagged yet
    tcp-request content track-sc1 src table abuse-warning if ! source_is_abuser limited_path
    use_backend abuse-warning if source_is_abuser
    default_backend sites-back

backend sites-back
    mode http
    # server persistence on the client address; unrelated to the rate limit
    stick-table type ip size 100k expire 60s
    stick on src
    balance roundrobin
    # one or more requests from this source in the last 5s
    acl abuse src_http_req_rate(abuse-warning) ge 1
    # with no pattern the ACL matches as long as the fetch returns a value, so
    # evaluating it increments gpc0 for the source as a side effect
    acl flag_abuser src_inc_gpc0(abuse-warning) --
    # reject closes the connection without an HTTP response; the flagged source
    # gets the 429 from the abuse-warning backend on its next request
    tcp-request content reject if abuse flag_abuser
    server site1 127.0.0.1:80

backend abuse-warning
    mode http
    stick-table type ip size 10k expire 5s store gpc0,http_req_rate(5s)
    # no servers: every request gets a 503, which is replaced by the 429 error file
    errorfile 503 /etc/haproxy/errorfiles/429rate.http
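For comparison, the following is an added example configuration written for this page; it is not the poster's configuration and not an official HAProxy example. It implements the same limit (one request per five seconds on /site1/limittest, then a 429 from a server-less backend) with the approach the HAProxy 1.6 documentation provides for per-request counters: the source is tracked with "http-request track-sc1", which is evaluated once per HTTP request (so it does not matter whether the client keeps the connection open), and the counter lives in a table declared in the frontend itself, so the entry is created before any backend is chosen. The bind address, path and 429 error file are taken from the post; the table size and expiry, the timeouts and the stats socket path are assumptions.

```haproxy
global
    # assumed path; only used to inspect the table with "show table" (see below)
    stats socket /var/run/haproxy.sock mode 600 level admin

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend sites-front
    bind 192.168.0.100:84

    # Counter table owned by the frontend. expire must be at least as long as the
    # rate period, otherwise the entry can vanish before the window has passed.
    stick-table type ip size 10k expire 10s store http_req_rate(5s)

    acl limited_path path_beg -i /site1/limittest

    # Per-request tracking: the current request is counted at the moment it is
    # tracked, so after the first request sc1_http_req_rate is already 1.
    http-request track-sc1 src if limited_path

    # A second request from the same source within 5s pushes the rate above 1.
    acl over_limit sc1_http_req_rate gt 1
    use_backend abuse-warning if limited_path over_limit
    default_backend sites-back

backend sites-back
    server site1 127.0.0.1:80

backend abuse-warning
    # No servers: every request gets a 503, replaced by the custom 429 error file.
    errorfile 503 /etc/haproxy/errorfiles/429rate.http
```

With the assumed stats socket, the entry can be inspected right after a request with
`echo "show table sites-front" | socat stdio /var/run/haproxy.sock`; the table is named
after the proxy that declares it, and the http_req_rate column should show 1 after the
first curl and 2 (with the 429 returned) after a second one inside the five-second window.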