On Fri, Feb 24, 2023 at 10:18:14AM -0700, Bryan Arenal wrote:
> And would this work to reject any request that has the
> 'X-Forwarded-For' header?
> 
>   acl is-forwarded hdr_sub(x-forwarded-for)
>   http-request reject if is-forwarded

No, not like this, as you're searching for sub-strings in this header
name but provide no substring. Instead just use the "found" match
method, which only searches for the element:

   acl is-forwarded hdr(x-forwarded-for) -m found
   http-request reject if is-forwarded

or:

   http-request reject if { hdr(x-forwarded-for) -m found }

Note that I tend to find it more convenient to use anonymous ACLs like
above for simple definitions, especially when you're dealing with attacks
that tend to quickly require a lot of patterns, and when ACL names can
quickly become misleading. However, declaring ACLs by name remains much
more convenient when you're starting to combine them. I think that
"is-forwarded" is sufficiently self-explanatory and definitely satisfies
this use case, but it was just to give an example.

> How resource intensive do you think this would be?

It's very light. Just to give you an example, on my laptop, with one
single core assigned to haproxy, a config matching this rule achieves
133000 connections per second on a single core. And when the rule does
not match, just searching for it lowers the perf from 198k to 192k RPS
per core, or 158 nanoseconds of CPU for the whole rule evaluation, a
part of which is amortized if several rules are evaluated. 10 of them
only consume 832 ns here so the cost of starting evaluation is 75ns then
83ns per rule. It's reasonable to use a handful of such rules to fight
a DDoS if you need. The most important thing is to provide the least possible
information to the attacker about what you're detecting and how you
proceed (e.g. silent-drop and tarpit are great for this).

Willy
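As an added illustration (not part of Willy's reply or the HAProxy project's own examples), the fragment below puts the "-m found" check into a complete minimal frontend and shows, commented out, the two quieter alternatives he mentions, "silent-drop" and "tarpit". The section names "web_in" and "app", the bind port and the 127.0.0.1:8080 backend address are placeholders. Note that rejecting every request carrying X-Forwarded-For is only sensible when HAProxy is the first hop: a CDN or upstream reverse proxy in front of it will legitimately set that header on every request.

```haproxy
# Added example, not from the original thread. Placeholder names: web_in, app, app1.
global
    log stdout format raw local0

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s
    # How long "http-request tarpit" holds the client before answering.
    timeout tarpit  10s

frontend web_in
    bind :80

    # Named ACL: true whenever the header is present, whatever its value.
    # Bryan's original "hdr_sub(x-forwarded-for)" with no pattern matches nothing,
    # so the rule below would never have fired.
    acl is-forwarded hdr(x-forwarded-for) -m found

    # Option 1 (from the thread): close the connection with no HTTP response.
    http-request reject if is-forwarded

    # Option 2: close the connection without notifying the client at all, so the
    # attacker's request simply appears to stall. Same condition, anonymous ACL form.
    # http-request silent-drop if { hdr(x-forwarded-for) -m found }

    # Option 3: hold the client for "timeout tarpit", then return a 500, tying up
    # the attacker's resources while revealing little about the filtering.
    # http-request tarpit if is-forwarded

    default_backend app

backend app
    server app1 127.0.0.1:8080 check
```

Only one of the three rules should be active at a time; the first matching "http-request" rule stops evaluation. Check the file with `haproxy -c -f <file>` before reloading, and keep a log line for the chosen action so the blocks stay visible to you even when they are invisible to the client.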
