Hi,

On Thu, Feb 02, Ricardo Fraile wrote:
> Taking as starting point the following rate limit sticky table, in which
> the requests are tracked by the "X-Client-IP" header and have an acl to
> limit if there are more than 250 in 1 second:
>
> stick-table type ip size 1m expire 1h store gpc0,http_req_rate(1s)
> http-request track-sc0 req.hdr_ip(X-Client-IP,1)
>
> acl rule_average sc0_http_req_rate gt 250
>
> http-request deny if rule_average
>
> With this configuration, a user is blocked if they have more than 250 requests
> in a second. For example, at the same time, 192.168.1.1 can have 250
> requests and 192.168.1.2 another 250 requests.
>
> But is it possible to apply this limit behaviour taking into account the
> subnet? For example, if the load balancer receives more than 250 requests
> from 192.168.1.0/24, limit each particular IP; for example, at the
> same time, 192.168.1.1 can have 100 and 192.168.1.2 the other 150, but
> not more than 250 together.
ipmask (https://cbonte.github.io/haproxy-dconv/1.7/configuration.html#7.3.1-ipmask) might work.

So something like:

http-request track-sc0 req.hdr_ip(X-Client-IP,1),ipmask(24)

-Jarno

-- 
Jarno Huuskonen
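To make the effect of the suggested `ipmask(24)` concrete, here is an added Python model of the stick-table behaviour discussed in this thread (example code written for this page, not HAProxy's own code and not something either poster wrote). It keys a request counter on the masked client address, so every host in the /24 shares one `http_req_rate` entry, and denies once that shared count exceeds 250 in one second, the same check as `acl rule_average sc0_http_req_rate gt 250` followed by `http-request deny`. The traffic stream is constructed, and the counter is a plain sliding window, a simplification of HAProxy's period-based frequency counter.

```python
import ipaddress
from collections import deque

SUBNET_BITS = 24      # what ipmask(24) does to the track-sc0 key
RATE_WINDOW_S = 1.0   # http_req_rate(1s)
RATE_LIMIT = 250      # acl rule_average sc0_http_req_rate gt 250


def stick_key(client_ip, bits=SUBNET_BITS):
    """Mimic ipmask(<bits>): mask the address so the whole subnet maps to one entry.
    With bits=32 this degrades to the original per-IP keying."""
    net = ipaddress.ip_network(f"{client_ip}/{bits}", strict=False)
    return str(net.network_address)


class RateTable:
    """Toy stand-in for 'stick-table type ip ... store http_req_rate(1s)'.
    Simplification (assumption): a strict sliding window instead of HAProxy's
    period-based frequency counter."""

    def __init__(self, window=RATE_WINDOW_S, limit=RATE_LIMIT, bits=SUBNET_BITS):
        self.window = window
        self.limit = limit
        self.bits = bits
        self.entries = {}  # masked key -> timestamps of requests still in the window

    def request(self, client_ip, now):
        """Track one request (track-sc0 always counts it, even if it is then
        denied) and return True if allowed, False if the deny rule fires."""
        key = stick_key(client_ip, self.bits)
        q = self.entries.setdefault(key, deque())
        while q and now - q[0] >= self.window:   # expire old timestamps
            q.popleft()
        q.append(now)
        # http-request deny if sc0_http_req_rate gt <limit>
        return len(q) <= self.limit


def simulate(bits=SUBNET_BITS):
    """Replay a constructed burst and return (allowed, denied) counts per source IP.
    Two hosts in 192.168.1.0/24 send 100 and 200 requests; a host in another /24
    sends 200. All 500 requests arrive within half a second."""
    table = RateTable(bits=bits)
    stream = ["192.168.1.1"] * 100 + ["192.168.1.2"] * 200 + ["192.168.2.1"] * 200
    allowed = {ip: 0 for ip in ("192.168.1.1", "192.168.1.2", "192.168.2.1")}
    denied = dict.fromkeys(allowed, 0)
    t = 0.0
    for ip in stream:
        t += 0.001
        if table.request(ip, t):
            allowed[ip] += 1
        else:
            denied[ip] += 1
    return allowed, denied


if __name__ == "__main__":
    for bits in (24, 32):
        allowed, denied = simulate(bits)
        print(f"ipmask({bits}): allowed={allowed} denied={denied}")
```

With `ipmask(24)` the two hosts in 192.168.1.0/24 share the budget: 192.168.1.1 gets its 100 through, 192.168.1.2 gets only the remaining 150 and the last 50 are denied, while 192.168.2.1 is unaffected because it lives in a different /24. With the original per-IP key (`bits=32`) nothing is denied, since no single address passes 250. Note that the shared entry does not give each host its own sub-quota; the first host to burst consumes the subnet's allowance, which is exactly the "not more than 250 together" behaviour the question asks for.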

