Re: Looking for a way to limit simultaneous connections per IP

Wed, 28 Jun 2017 14:41:48 -0700 

Hi Patrick,
Where are you using the stick table and lua script call? Frontend or backend? 

Perhaps this would work:


* In the frontend, check the connection count from the "real backend"  
stick table

* if the count is > 6, set ACL for the source

*Use this ACL to steer the conection to the "redirect backend" which will  
call the lua script to sleep/redirect



In this way, redirected requests won't add to the backend count for the  
stick table counting such things, because they go to a different backend  
that doesn't actually talk to the resource you are protecting.


Best,
-Mark


On Wed, 28 Jun 2017 16:56:03 -0400, Patrick Hemmer  
<hapr...@stormcloud9.net> wrote:



So as the subject indicates, I'm looking to limit concurrent connections  
to a backend by the source IP. The behavior I'm trying for is that if  
the client has more than 6 connections, we sit on >the request for a  
second, and then send back a 302 redirect to the same resource that was  
just requested.



I was able to accomplish this using a stick table for tracking  
connection count, and a Lua script for doing the sleep ("sit on the  
request" part), but it has a significant flaw. Once the >6 >connection  
limit is hit, and we start redirecting with 302, the client can't leave  
this state. When they come back in after the redirect, they'll still  
have >6 connections, and will hit the rate limit >rule again.



We instead need a way to differentiate (count) connections held open and  
sitting in the Lua delay function, and connections being processed by a  
server.



I'd be open to other ways of accomplishing the end goal as well. We want  
to use the 302 redirect so the rate limit is transparent to the client.  
And we want the delay so that the client just >doesn't hammer haproxy  
with request after request, and the browser report it as a redirect loop  
(a brief delay will allow the existing connections to finish processing  
so that after the 302, it >can be handled). And we're trying for a  
per-client limit (as opposed to a simple "maxconn" setting and a FIFO  
queue) to prevent a single client from monopolizing the backend resource.


-Patrick





















					Reply via email to