Hi Dennis,
On Fri, Oct 21, 2016 at 09:09:39PM +0200, Dennis Jacobfeuerborn wrote:
> So after more experimenting I got things to work properly when I move
> the "limited_path" acl check from the "tcp-request content" directive to
> the "use-backend abuse-warning" directive which accomplishes the same
> thing with regards to the rate-limiting.
>
> My guess is that your suspicion was correct that this is some kind of
> "Layer 4 vs. Layer 7" problem with the path acl (Layer 7) being used in
> the tcp-request directive (Layer 4). I'm wondering if there is some
> other way to make this work since the inspect-delay apparently doesn't
> work in this case.

I'm pretty sure Chad's solution is the right one. However you need to have
a large enough inspect-delay (ideally as large as timeout http-request or
timeout client). The reason is that some browsers perform a pre-connect
and don't send anything for quite some time, thus your inspect-delay
expires and the rule never matches. Another way to avoid this is to reject
non-HTTP traffic first, which will cause idle connections to be terminated.
E.g.:
tcp-request inspect-delay 10s
tcp-request content reject unless HTTP
tcp-request content ... your rules here ...

Willy
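As an added example, not taken from the thread and not from the HAProxy documentation or Dennis's actual config: a complete minimal configuration that applies Willy's two points (inspect-delay sized to timeout http-request, and rejecting non-HTTP connections before any Layer 7 ACL is evaluated in a tcp-request content rule). The frontend/backend names, the bind port, the /api/ path prefix, the stick-table sizing and the threshold of 20 requests per 10 seconds are all assumptions for illustration; the shape of the abuse-warning backend is also assumed, since the thread does not say what it serves.

```haproxy
global
    maxconn 2000

defaults
    mode http
    timeout connect 5s
    timeout client 30s
    timeout server 30s
    # The inspect-delay in the frontend is sized to match this value.
    timeout http-request 10s

frontend fe_http
    bind :8080                       # assumed port

    # Per-source-IP request-rate counter (assumed sizing, adjust to traffic).
    stick-table type ip size 100k expire 60s store http_req_rate(10s)

    # Layer 7 ACL: it can only be evaluated once an HTTP request line has
    # actually been buffered. The prefix /api/ is an assumption.
    acl limited_path path_beg /api/

    # Wait up to 10s for request data before the content rules fire.
    # A short value such as the commented-out line below expires during a
    # browser pre-connect: the rules are then evaluated with no request in
    # the buffer, limited_path cannot match, and the connection is never tracked.
    # tcp-request inspect-delay 1s
    tcp-request inspect-delay 10s

    # Close connections that still carry no HTTP request when the delay expires
    # (idle pre-connects) instead of letting them fall through the rules below.
    # HTTP is HAProxy's predefined ACL for "the buffer holds an HTTP request".
    tcp-request content reject unless HTTP

    # Only now is path_beg usable here: count requests per source on the
    # limited path in the stick-table above.
    tcp-request content track-sc0 src if limited_path

    # Assumed threshold: more than 20 requests in the 10s window counts as abuse.
    acl abuse sc0_http_req_rate gt 20

    use_backend abuse-warning if limited_path abuse
    default_backend be_app

backend be_app
    server app1 127.0.0.1:8000       # assumed application server

backend abuse-warning
    # Assumed behaviour: answer locally with an HTTP 403 and no server.
    http-request deny
```

Syntax-check the file with `haproxy -c -f haproxy.cfg` before reloading. The ordering matters: inspect-delay must precede the content rules, and the reject rule must come before the track-sc0 rule, otherwise an expired pre-connect is evaluated against limited_path (false, no request data) and silently skips the tracking that the use_backend rule depends on.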