On Fri, Feb 24, 2023 at 10:18:14AM -0700, Bryan Arenal wrote:
> And would this work to reject any request that has the
> 'X-Forwarded-For' header?
>
>   acl is-forwarded hdr_sub(x-forwarded-for)
>   http-request reject if is-forwarded

No, not like this, as you're searching for sub-strings in this header
but provide no substring. Instead just use the "found" match method,
which only searches for the element:

   acl is-forwarded hdr(x-forwarded-for) -m found
   http-request reject if is-forwarded

or:

   http-request reject if { hdr(x-forwarded-for) -m found }

Note that I tend to find it more convenient to use anonymous ACLs like
above for simple definitions, especially when you're dealing with attacks
that tend to quickly require a lot of patterns, and when ACL names can
quickly become misleading. However, declaring ACLs by name remains much
more convenient when you're starting to combine them. I think that
"is-forwarded" is sufficiently self-explanatory and definitely satisfies
this use case, but it was just to give an example.

> How resource intensive do you think this would be?

It's very light. Just to give you an example, on my laptop, with one
single core assigned to haproxy, a config matching this rule achieves
133000 connections per second on a single core. And when the rule does
not match, just searching for it lowers the perf from 198k to 192k RPS
per core, or 158 nanoseconds of CPU for the whole rule evaluation, a
part of which is amortized if several rules are evaluated. 10 of them
only consume 832 ns here, so the cost of starting evaluation is 75ns,
then 83ns per rule. It's reasonable to use a handful of such rules to
fight a DDoS if you need.

The most important thing is to provide the least possible information to
the attacker about what you're detecting and how you proceed (e.g.
silent-drop and tarpit are great for this).

Willy
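The configuration below is an added illustration, not part of the thread above and not written by either poster. It places the ACL from the question next to the corrected forms from the reply, and adds the silent-drop and tarpit variants the reply mentions, inside a constructed frontend/backend pair (the names fe_web, be_app, app1 and the addresses are assumptions).

```haproxy
# Added example (not from the original thread). Constructed frontend showing
# the ACL from the question beside the corrected forms from the reply.
frontend fe_web
    bind :80
    mode http

    # From the question: hdr_sub() does a substring search on the header,
    # but no substring is given, so this does not express "header present".
    #acl is-forwarded hdr_sub(x-forwarded-for)

    # From the reply: "-m found" only tests that the header exists,
    # whatever its value.
    acl is-forwarded hdr(x-forwarded-for) -m found
    http-request reject if is-forwarded

    # Equivalent anonymous-ACL form for one-off rules.
    #http-request reject if { hdr(x-forwarded-for) -m found }

    # Lower-information alternatives for abusive traffic: silent-drop
    # closes the connection without any response; tarpit delays before
    # answering. Use one of these instead of the reject above if preferred.
    #http-request silent-drop if is-forwarded
    #http-request tarpit if is-forwarded

    default_backend be_app

backend be_app
    server app1 127.0.0.1:8080
```

One check before deploying a rule like this: it only makes sense when HAProxy is the first hop that clients reach. If a CDN or another proxy sits in front, every legitimate request will already carry X-Forwarded-For, and the rule would reject all of them. Run `haproxy -c -f <file>` to validate the syntax before reloading.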