Hey Moemen,

You are right, I was indeed looking at the wrong counter and had not checked
the socket output. I assumed it would be available in the stats page or in
the metricbeat module which I use to track stats.

Thanks for pointing it out!

On 4 April 2018 at 19:08, Moemen MHEDHBI <mmhed...@haproxy.com> wrote:

> Hi Errikos,
>
> On 26/03/2018 13:03, Errikos Koen wrote:
>
> Hello,
>
> I have a frontend whitelisted by IP with the following rules:
>
> acl whitelist src -f /etc/haproxy/whitelist.lst
> tcp-request connection reject unless whitelist
>
> and while documentation
> <https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4.2-tcp-request%20connection>
>  suggests
> I would be able to see the rejected connections counted in stats (quote: they
> are accounted separately for in the stats, as "denied connections"),
> those are stuck at 0.
>
> The whitelist appears to be working ok, making a request from a non
> whitelisted IP results in:
>
> $ curl -v http://hostname
> * About to connect() to hostname port 80 (#0)
> *   Trying xxx.xxx.xxx.xxx...
> * connected
> * Connected to hostname (xxx.xxx.xxx.xxx) port 80 (#0)
> > GET / HTTP/1.1
> > User-Agent: curl/7.26.0
> > Host: hostname
> > Accept: */*
> >
> * additional stuff not fine transfer.c:1037: 0 0
> * Recv failure: Connection reset by peer
> * Closing connection #0
> curl: (56) Recv failure: Connection reset by peer
>
> and whitelisted IPs work ok.
>
> I am running a self compiled haproxy 1.8.4 (with make options USE_PCRE=1
> TARGET=linux2628 USE_OPENSSL=1 USE_ZLIB=1 USE_SYSTEMD=1) on Debian 8 with
> 3.16.0-5-amd64 kernel.
>
> Any ideas?
>
> Thanks
> --
> Errikos Koen,
> Cloud Architect
> www.pamediakopes.gr
>
>
> It works for me using the same version and build options.
> Maybe you are looking at the wrong counter.
> The one in the stats page is about "denied requests" (this is about http
> requests) while you should be looking for "denied connections", you can
> find more about this here:
> https://cbonte.github.io/haproxy-dconv/1.8/management.html#9.1
> According to the doc, the "denied connections" is the 81st field (counting
> from 0) so using the following command will help track the counter:
> watch 'echo "show stat" | socat stdio <haproxy-socket-path> | cut -d "," -f 1-2,82 | column -s, -t'
>
> ++
>
> --
> Moemen MHEDHBI
>
>
>


-- 
Errikos Koen,
Cloud Architect
www.pamediakopes.gr
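
As an added example (not part of the original thread): reading the "denied requests" (`dreq`) and "denied connections" (`dcon`) counters side by side from `show stat` output by header name instead of by counted field position. The function names are hypothetical and the sample rows are constructed, carrying only a few of the real columns.

```shell
#!/bin/sh
# Added example: read HAProxy "show stat" CSV columns by header name.

# Constructed sample: a few of the real columns, with the trailing comma
# HAProxy puts on every CSV line.
sample_show_stat() {
    cat <<'EOF'
# pxname,svname,scur,dreq,dresp,dcon,dses,
web,FRONTEND,3,0,0,17,0,
web,srv1,1,,0,,,
web,BACKEND,1,0,0,,,

EOF
}

# denied_counters: CSV on stdin -> "pxname svname dreq dcon" per row.
# Column positions come from the "# pxname,svname,..." header line;
# counters a row does not report (empty field) are printed as "-".
denied_counters() {
    awk -F, '
        /^# / {
            sub(/^# /, "")            # drop the marker; awk re-splits $0
            for (i = 1; i <= NF; i++) col[$i] = i
            if (!("dreq" in col) || !("dcon" in col)) exit 2
            next
        }
        NF > 1 && ("dcon" in col) {
            dreq = $(col["dreq"]); if (dreq == "") dreq = "-"
            dcon = $(col["dcon"]); if (dcon == "") dcon = "-"
            print $(col["pxname"]), $(col["svname"]), dreq, dcon
        }
    '
}

# Against a live instance (socket path is a placeholder, as in the thread):
#   echo "show stat" | socat stdio <haproxy-socket-path> | denied_counters
sample_show_stat | denied_counters
```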
