On 22.10.2016 00:08, Willy Tarreau wrote:
> Hi Dennis,
> 
> On Fri, Oct 21, 2016 at 09:09:39PM +0200, Dennis Jacobfeuerborn wrote:
>> So after more experimenting I got things to work properly when I move
>> the "limited_path" acl check from the "tcp-request content" directive to
>> the "use-backend abuse-warning" directive which accomplishes the same
>> thing with regards to the rate-limiting.
>>
>> My guess is that your suspicion was correct that this is some kind of
>> "Layer 4 vs. Layer 7" problem with the path acl (Layer 7) being used in
>> the tcp-request directive (Layer 4). I'm wondering if there is some
>> other way to make this work since the inspect-delay apparently doesn't
>> work in this case.
> 
> I'm pretty sure Chad's solution is the right one. However you need to have
> a large enough inspect-delay (ideally as large as timeout http-request or
> timeout client). The reason is that some browsers perform a pre-connect
> and don't send anything for quite some time, thus your inspect-delay
> expires and the rule never matches. Another way to avoid this is to reject
> non-HTTP traffic first, which will cause idle connections to be terminated.
> Eg:
>      tcp-request inspect-delay 10s
>      tcp-request content reject unless HTTP
>      tcp-request content ... your rules here ...

Hi Willy,
thank you, I tried the inspect-delay again and this alone seems to fix
things, at least for the curl tests, so Chad was indeed right, but I might
have forgotten to restart HAProxy when I tested this the first time.

I'm still going to include the "reject unless HTTP" bit, though, but I'm
wondering if this might have any negative side effects for regular
traffic. Do browsers handle this rejection of their connections
appropriately?

Regards,
  Dennis
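The pattern Willy sketches above (a content inspection delay sized like timeout http-request, an early reject of non-HTTP connections, then the Layer 7 ACL used both for counting and for backend selection), assembled into one complete HAProxy frontend. This is an added example, not configuration from this thread; the section names, the /login path prefix, the server addresses, the stick-table sizing and the 10 requests per 10 seconds threshold are all assumptions.

```haproxy
# Added example, not the configuration posted in this thread.
# Assumed names/values: frontend "www", backends "normal" and "abuse-warning",
# path prefix /login, 192.0.2.x servers, 100k-entry table, 10 req/10s threshold.

defaults
    mode http
    timeout connect 5s
    timeout client 30s
    timeout server 30s
    timeout http-request 10s

frontend www
    bind :80

    # Per-source-IP request rate counter (assumed size and window).
    stick-table type ip size 100k expire 60s store http_req_rate(10s)

    # Layer 7 ACL: only requests under this path count towards the limit.
    acl limited_path path_beg /login

    # Wait as long as timeout http-request for the request to arrive, so a
    # browser pre-connect that stays silent for a while does not make the
    # delay expire before the Layer 7 ACL can be evaluated.
    tcp-request inspect-delay 10s

    # Close connections that never send a valid HTTP request (idle
    # pre-connects) instead of letting them sit until the delay expires.
    tcp-request content reject unless HTTP

    # Count only requests to the limited path against the client's entry.
    tcp-request content track-sc0 src if limited_path

    # Layer 7 routing: clients over the threshold go to the warning backend.
    use_backend abuse-warning if limited_path { sc_http_req_rate(0) gt 10 }
    default_backend normal

backend normal
    server app1 192.0.2.10:8080

backend abuse-warning
    server warn1 192.0.2.20:8080
```

The `reject unless HTTP` rule only affects connections on which no complete HTTP request has been seen by the time the inspection delay runs out, which is exactly the idle pre-connect case Willy describes; a connection that sends a request within the delay passes the check before the timer matters. Keeping `tcp-request inspect-delay` equal to `timeout http-request` means both limits agree on how long a silent client is tolerated.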
