Hi,
   Thank you for the response. I would want to have rate-limiting on the URL no
matter what the src IP is.
So one difference I noticed is:
  http-request track-sc1 src table st_src_as2_monte unless monte_as2_exceeds_limit
From your example I see:
    http-request track-sc0 path table test_be

But by replacing 'src' with 'path', rate-limiting did not work. My current
config after the change is:

backend st_src_as2_monte
    stick-table type string len 64 size 1m expire 1s store http_req_rate(1s)

frontend scef
    bind 0.0.0.0:80
    bind 0.0.0.0:443 ssl crt /etc/ssl/private/as1.pem
    mode http
    option forwardfor

    http-request track-sc1 path table st_src_as2_monte
    acl monte_as2_api_url path_beg /api/v1/monitoring-event/A000002/
    #500 requests per second.
    acl monte_as1_exceeds_limit sc0_http_req_rate(st_src_as1_monte) gt 500
    http-request deny deny_status 429 if monte_as2_api_url monte_as2_exceeds_limit
    use_backend nodes
Appreciate the response on this, and going further I will have to extend
the rate limiting to multiple URLs.


Thanks
 badari



On Wed, Feb 20, 2019 at 11:13 PM Jarno Huuskonen <[email protected]>
wrote:

> Hi,
>
> On Wed, Feb 20, Badari Prasad wrote:
> >  Thank you for responding. Came up with this based on the inputs:
> >
> > #printf "as2monte" | mkpasswd --stdin --method=md5
> > userlist AuthUsers_MONTE_AS2
> >     user appuser_as2  password $1$t25fZ7Oe$bjthsMcXgbCt2EJvQo8r0/
> >
> > backend st_src_as2_monte
> >     stick-table type string len 64 size 1000 expire 1s store http_req_rate(1s)
> >
> > frontend scef
> >     bind 0.0.0.0:80
> >     bind 0.0.0.0:443 ssl crt /etc/ssl/private/as1.pem
> >     mode http
> >     #option httpclose
> >     option forwardfor
> >
> >     acl monte_as2_api_url url_beg /api/v1/monitoring-event/A000002/
> >     #500 requests per second.
> >     acl monte_as2_exceeds_limit src_http_req_rate(st_src_as2_monte) gt 500
> >     http-request track-sc1 src table st_src_as2_monte unless monte_as2_exceeds_limit
> >     http-request deny deny_status 429 if monte_as2_api_url monte_as2_exceeds_limit
>
> I'm confused :) about what your requirements are, but I think with
> this configuration each src address can have a rate of 500 to
> /api/v1/monitoring-event/A000002/. (So with 10 different src addresses
> you can have a rate of 5000 to /api/v1/monitoring-event/A000002/.)
>
> (And you're using a type string stick table; type ip or ipv6 is a better
> fit for tracking src.)
>
> But if it fits your requirements then I'm glad you found a working
> solution.
>
> -Jarno
>
> >     http-request auth realm basicauth if monte_as2_api_url !authorized_monte_as2
> >
> >     use_backend nodes
> >
> > With this config I was able to rate limit per url basis.
> >
> > Thanks
> >  badari
> >
> >
> >
> > On Tue, Feb 19, 2019 at 10:01 PM Jarno Huuskonen <[email protected]> wrote:
> >
> > > Hi,
> > >
> > > On Mon, Feb 11, Badari Prasad wrote:
> > > >    I want to rate limit based on url
> > > > [/api/v1/monitoring-event/A000001, /api/v1/client1/transfer_data,
> > > > /api/v1/client2/transfer_data ] no matter what the source ip address is.
> > >
> > > Something like this might help you. Unfortunately at the moment
> > > I don't have time to create a better example.
> > >
> > >         acl api_a1 path_beg /a1
> > >         acl api_b1 path_beg /b1
> > >         acl rate_5 sc0_http_req_rate(test_be) gt 5
> > >         acl rate_15 sc0_http_req_rate(test_be) gt 15
> > >
> > >         # You might want to add acl so you'll only track paths you're
> > >         # interested in.
> > >         http-request track-sc0 path table test_be
> > >         # if you want to track only /a1 /b1 part of path
> > >         # you can use for example field converter:
> > >         #http-request track-sc0 path,field(1,/,2) table test_be
> > >         #http-request set-header X-Rate %[sc0_http_req_rate(test_be)]
> > >
> > >         http-request deny deny_status 429 if api_a1 rate_5
> > >         http-request deny deny_status 403 if api_b1 rate_15
> > >
> > > # adjust len and size etc. to your needs
> > > backend test_be
> > >         stick-table type string len 40 size 20 expire 180s store http_req_rate(60s)
> > >
> > > -Jarno
> > >
> > > > On Mon, Feb 11, 2019 at 7:34 PM Jarno Huuskonen <[email protected]> wrote:
> > > >
> > > > > Hi,
> > > > >
> > > > > On Mon, Feb 11, Badari Prasad wrote:
> > > > > >     Thank you for the response. I came up with my own haproxy cfg, where I
> > > > > > would want to rate limit based on event name and client id in the url.
> > > > > > URL ex : /api/v1/<event_name>/<clientid>
> > > > > >
> > > > > > Have attached a file for my haproxy cfg. But it does not seem to be
> > > > > > rate limiting the incoming requests.
> > > > >
> > > > > > backend st_src_monte
> > > > > >     stick-table type string size 1m expire 10s store http_req_rate(10s)
> > > > > > ...
> > > > > >
> > > > > >    acl monte_as1_exceeds_limit src_http_req_rate(st_src_as1_monte) gt 990
> > > > > >    acl monte_in_limit src_http_req_rate(st_src_as1_monte) lt 1000
> > > > > >    http-request track-sc0 src table st_src_as1_monte
> > > > >
> > > > > There's no st_src_as1_monte table in your example config, there's
> > > > > st_src_monte table.
> > > > >
> > > > > >    http-request deny deny_status 429 if { path_beg /api/v1/monitoring-event/A000001 AND monte_as1_exceeds_limit }
> > > > >
> > > > > You're tracking connections with src, but the stick table is type string.
> > > > > Have you checked from the admin socket that the stick table has entries,
> > > > > something like:
> > > > > echo 'show table st_src_monte' | nc -U /var/lib/haproxy/stats
> > > > > (instead of nc -U, socat stdio /var/lib/haproxy/stats should also work).
> > > > >
> > > > > If you want to track src ip, then stick-table type ip or ipv6 is
> > > > > probably better.
> > > > >
> > > > > >> I would want to configure 1000 tps for url /api/v1/client1/transfer_data or
> > > > > >> 500 tps for /api/v1/client2/user_data and so on....
> > > > >
> > > > > Do you mean that only 1000 tps goes to
> > > > > /api/v1/client1/transfer_data (no matter what the source ip addresses
> > > > > are) or each source ip can send 1000 tps to /api/v1/client1/transfer_data ?
> > >
> > > --
> > > Jarno Huuskonen
> > >
>
> --
> Jarno Huuskonen
>

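Added example, not a configuration posted by either participant in the thread. It puts Jarno's per-path approach (track the request path into a string stick table, read the rate back from the same slot and table) into one consistent frontend, because the frontend Badari posted above tracks into sc1 but its ACL reads sc0 from a table named st_src_as1_monte that the posted config never defines, and the ACL it defines (monte_as1_exceeds_limit) is not the one the deny rule tests (monte_as2_exceeds_limit). The backend name st_path_rate, the server in backend nodes and the second limited path are illustrative assumptions; the paths, the 500 req/s threshold and the stats socket path come from the thread.

```haproxy
# Added example: one global per-path limit, independent of the client's
# source address. All names marked "assumed" are illustrative.

global
    # admin socket so the counters can be inspected with
    #   echo 'show table st_path_rate' | socat stdio /var/lib/haproxy/stats
    stats socket /var/lib/haproxy/stats mode 600 level admin

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# One entry per distinct path (string key), counting requests per second.
# Because the key is the path and not the client address, 10 clients
# sharing one path also share one counter.
backend st_path_rate                               # name assumed
    stick-table type string len 64 size 1m expire 10s store http_req_rate(1s)

frontend scef
    bind 0.0.0.0:80
    option forwardfor

    acl monte_as2_api_url path_beg /api/v1/monitoring-event/A000002/
    acl client1_transfer  path_beg /api/v1/client1/transfer_data   # second path, assumed limit below

    # Track only the paths we limit, and use the SAME slot (sc0) and the
    # SAME table (st_path_rate) that the rate ACLs read. This rule must
    # come before the deny rules: http-request rules run in order.
    http-request track-sc0 path table st_path_rate if monte_as2_api_url || client1_transfer

    # If the path carries a per-client suffix (/api/v1/<event>/<clientid>/...),
    # key on the first four "/"-separated fields instead, as Jarno's field
    # converter note shows:
    #http-request track-sc0 path,field(1,/,5) table st_path_rate if monte_as2_api_url || client1_transfer

    # 500 requests per second for this path, summed over all client IPs
    acl monte_as2_exceeds_limit sc0_http_req_rate(st_path_rate) gt 500
    # 1000 requests per second for the transfer path (figure from the thread)
    acl client1_exceeds_limit   sc0_http_req_rate(st_path_rate) gt 1000

    http-request deny deny_status 429 if monte_as2_api_url monte_as2_exceeds_limit
    http-request deny deny_status 429 if client1_transfer client1_exceeds_limit

    default_backend nodes

backend nodes
    server app1 127.0.0.1:8080                     # assumed upstream
```

Two points worth checking after loading it: `haproxy -c -f <file>` should report a valid configuration (it will refuse an ACL that names a table that does not exist, which is the quickest way to catch the slot/table mismatch above), and `show table st_path_rate` on the stats socket should list one row per limited path with a growing http_req_rate column while traffic flows; if the table stays empty, the track rule is not matching the requests.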