Le 3/4/22 à 00:42, Henning Svane a écrit :
Hi ChristopherI tried your rule and it did not compile, but I am trying to understand it. /haproxy02.cfg:20] : error detected while parsing an 'http-request tarpit' condition : no such ACL : 'http-response' I placed the rule in the frontend, but was thinking if it should be in the backend, as it is here server is called and hereby produce the return code. I understand the idea in your rule, but at the same time, I do not understand the order of execution. It looks like it has to be executed from the right with the " if { capture.req.uri -m beg /login } { status 401 }" first. But then what? If I understand correctly 1) You save the request url in a table with capture.req.uri. 2) Then server try to execute the url 3) Based on the server return the http-response (this part I have not fully understand yet) 4) If the response is 401 then " http-request tarpit deny_status 429" I will try to work a little more with you suggestion and see if I can get to work. Regards Henning haproxy02.cfg:20] : error detected while parsing an 'http-request tarpit' condition : no such ACL : 'http-response'.
Your email client seems to have mangled my reply. Or there is a formatting issue on my side. Anyway, it is not one rule with everything on one line, but 2 rules. An http-request one to deny the request on its own line and an http-response one to track login failures, on another line.
Both can be specified in the frontend, the backend or split. It depends on your other rules, if any. With your config snippet, it doesn't matter.
-- Christopher Faulet
