Hi Patrick,
Where are you using the stick table and lua script call? Frontend or
backend?
Perhaps this would work:
* In the frontend, check the connection count from the "real backend"
stick table
* if the count is > 6, set ACL for the source
*Use this ACL to steer the conection to the "redirect backend" which will
call the lua script to sleep/redirect
In this way, redirected requests won't add to the backend count for the
stick table counting such things, because they go to a different backend
that doesn't actually talk to the resource you are protecting.
Best,
-Mark
On Wed, 28 Jun 2017 16:56:03 -0400, Patrick Hemmer
<hapr...@stormcloud9.net> wrote:
So as the subject indicates, I'm looking to limit concurrent connections
to a backend by the source IP. The behavior I'm trying for is that if
the client has more than 6 connections, we sit on >the request for a
second, and then send back a 302 redirect to the same resource that was
just requested.
I was able to accomplish this using a stick table for tracking
connection count, and a Lua script for doing the sleep ("sit on the
request" part), but it has a significant flaw. Once the >6 >connection
limit is hit, and we start redirecting with 302, the client can't leave
this state. When they come back in after the redirect, they'll still
have >6 connections, and will hit the rate limit >rule again.
We instead need a way to differentiate (count) connections held open and
sitting in the Lua delay function, and connections being processed by a
server.
I'd be open to other ways of accomplishing the end goal as well. We want
to use the 302 redirect so the rate limit is transparent to the client.
And we want the delay so that the client just >doesn't hammer haproxy
with request after request, and the browser report it as a redirect loop
(a brief delay will allow the existing connections to finish processing
so that after the 302, it >can be handled). And we're trying for a
per-client limit (as opposed to a simple "maxconn" setting and a FIFO
queue) to prevent a single client from monopolizing the backend resource.
-Patrick