On 21.10.2016 18:01, Chad Lavoie wrote:
> Greetings,
> 
> 
> On 10/21/2016 08:19 AM, Dennis Jacobfeuerborn wrote:
>> Hi,
>> I'm currently experimenting with rate limiting requests and while this
>> sort-of works I see an issue where sometimes the stick-table that
>> contains the rate-limiting variables isn't updated with every request,
>> allowing multiple requests to succeed even if they shouldn't.
>>
>> I attached the configuration I'm using which basically is supposed to
>> limit the number of requests to 1 per five seconds and if that limit is
>> reached the request is diverted to a separate backend that sends a 429
>> status telling the client to back off.
>>
>> This works fine as long as the stick-table in the backend abuse-warning
>> is updated properly but when I use curl from the shell to get the path
>> /site1/limittest I don't see an entry added in the abuse-warning
>> stick-table.
> 
> From your configuration example I think you need to add "tcp-request
> inspect-delay 10s" to the frontend with the stick table.
> HAProxy should print a warning about random matching and suggest that on
> startup.  It does indeed cause it to record some hits and not others
> without it, and is quite hard to debug if the warning is missed.

So after more experimenting I got things to work properly when I move
the "limited_path" acl check from the "tcp-request content" directive to
the "use-backend abuse-warning" directive which accomplishes the same
thing with regards to the rate-limiting.

My guess is that your suspicion was correct that this is some kind of
"Layer 4 vs. Layer 7" problem with the path acl (Layer 7) being used in
the tcp-request directive (Layer 4). I'm wondering if there is some
other way to make this work since the inspect-delay apparently doesn't
work in this case.

Regards,
  Dennis
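
The arrangement described in the message above, sketched as an added example (not the configuration attached to the original post, which is not reproduced on this page). The frontend and "app" backend names, the bind port, the table size and expiry, the server address and the errorfile path are assumptions; "abuse-warning", "limited_path" and /site1/limittest come from the thread.

```haproxy
frontend fe_http
    mode http
    bind :8080                                  # assumed port

    # Layer 7 ACL: needs a parsed HTTP request before it can match
    acl limited_path path_beg /site1/limittest

    # Arrangement reported in the thread as missing some hits
    # (path ACL used as the condition on the tracking rule):
    # tcp-request content track-sc0 src table abuse-warning if limited_path

    # Arrangement reported as working: track every client unconditionally,
    # so the stick-table entry is created or refreshed on each request
    tcp-request content track-sc0 src table abuse-warning

    # The path check moves to the routing decision, next to the rate check.
    # "gt 1" diverts the second request seen inside the 5s window.
    use_backend abuse-warning if limited_path { sc0_http_req_rate(abuse-warning) gt 1 }
    default_backend app

backend abuse-warning
    mode http
    # Holds the per-source request rate over a 5 second sliding window
    stick-table type ip size 100k expire 30s store http_req_rate(5s)
    # No servers are defined, so HAProxy generates a 503; the errorfile
    # replaces that response with a prepared 429 (hypothetical path)
    errorfile 503 /etc/haproxy/errors/429.http

backend app
    mode http
    server app1 127.0.0.1:8081                  # assumed application server
```

Because tracking is no longer conditional, requests to every path are counted in the table; only requests matching limited_path are diverted. The table contents can be checked after each curl request with "show table abuse-warning" on the stats socket.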


