Hello,

I'm investigating an issue on specific rules for a customer.
The rules are the following:

    stick-table type ipv6 size 60000 expire 1h store conn_cur,conn_rate(10s)
    http-request deny deny_status 429 if { src_conn_cur ge 100  }
    http-request deny deny_status 429 if { src_conn_rate ge 600 }

The expected behaviour is to throw an error if a single IP has more than
100 connections or if it tries to open more than 600 connections in 10s.

So first, can you confirm the rules are written correctly? :)

If so, the issue here is that the customer is reporting getting 429 errors
himself. He was able to narrow these errors down to a specific page on his
website, with hundreds of images loaded simultaneously. The connection is
performed over HTTP/2.
In my mind, src_conn_cur and src_conn_rate are incremented only when a new
TCP connection is opened on the frontend. But maybe I don't understand it
correctly and the hundreds of simultaneous streams in a single HTTP/2
connection trigger the limit?

Any hint would help to understand what's happening here. It's difficult as
I don't have direct access to the rules or the website, of course :)

Olivier
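One way to settle the question above empirically is to dump the stick table while the customer loads the image-heavy page and look at the conn_cur and conn_rate values recorded for his source address: if they climb by the number of TCP connections the browser opens rather than by the number of HTTP/2 streams, the counters are per-connection as the message assumes. The script below is an added example, not part of the original message or of HAProxy itself. It parses the output of the HAProxy CLI command `show table <name>` (typically obtained with `echo "show table fe_main" | socat stdio /var/run/haproxy.sock`) and reports which entries the two deny rules quoted in the message would currently reject. The table name fe_main, the addresses and the counter values are constructed for the example; the line layout follows the `show table` format (`0x...: key=... use=... exp=... conn_cur=... conn_rate(10000)=...`), so the parser is written to tolerate extra or reordered fields.

```python
import re

# Thresholds taken from the two http-request deny rules in the message.
CONN_CUR_LIMIT = 100
CONN_RATE_LIMIT = 600

# Constructed sample of `show table fe_main` output (table name, addresses and
# counter values are made up for this example). conn_rate(10000) is the
# 10 s period from the stick-table definition, expressed in milliseconds.
SAMPLE_SHOW_TABLE = """\
# table: fe_main, type: ipv6, size:60000, used:3
0x55d0c2a3e1a0: key=::ffff:192.0.2.10 use=0 exp=3599875 conn_cur=1 conn_rate(10000)=3
0x55d0c2a3e2b0: key=::ffff:198.51.100.7 use=0 exp=3599120 conn_cur=104 conn_rate(10000)=12
0x55d0c2a3e3c0: key=2001:db8::42 use=0 exp=3598001 conn_cur=8 conn_rate(10000)=640
"""

# An entry line starts with the entry's address, then key=<ip>, then counters.
ENTRY_RE = re.compile(r"^0x[0-9a-f]+: key=(?P<key>\S+)(?P<rest>.*)$")
# Counters look like `name=123` or `name(period)=123`.
FIELD_RE = re.compile(r"(?P<name>[a-z_]+(?:\(\d+\))?)=(?P<value>\d+)")


def parse_show_table(text):
    """Return {key: {field_name: int}} for every entry line; comment/header lines are skipped."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        fields = {
            f.group("name"): int(f.group("value"))
            for f in FIELD_RE.finditer(m.group("rest"))
        }
        entries[m.group("key")] = fields
    return entries


def rate_counter(fields):
    """Pick the conn_rate(<period>) counter regardless of the configured period."""
    for name, value in fields.items():
        if name.startswith("conn_rate("):
            return value
    return 0


def over_limit(entries, conn_cur_limit=CONN_CUR_LIMIT, conn_rate_limit=CONN_RATE_LIMIT):
    """Return {key: [reasons]} for entries the deny rules would reject right now.

    The rules use `ge`, so the comparison is >=, matching HAProxy's evaluation.
    """
    hits = {}
    for key, fields in entries.items():
        reasons = []
        if fields.get("conn_cur", 0) >= conn_cur_limit:
            reasons.append("conn_cur")
        if rate_counter(fields) >= conn_rate_limit:
            reasons.append("conn_rate")
        if reasons:
            hits[key] = reasons
    return hits


if __name__ == "__main__":
    # Usage: pipe real CLI output in instead of the sample, e.g.
    #   echo "show table fe_main" | socat stdio /var/run/haproxy.sock | python3 this.py
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SHOW_TABLE
    for key, reasons in over_limit(parse_show_table(text)).items():
        print(f"{key}: would be denied ({', '.join(reasons)})")
```

Run it repeatedly (or in a loop with a short sleep) during the customer's page load and compare the conn_cur value for his address with the number of TCP connections the browser shows in its network panel; if the two match while hundreds of streams are in flight, the 429s have a different cause than stream multiplexing.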
