stick tables and url_param + post headers - counter

2015-10-25 Thread Roland RoLaNd

Hello,
I am trying to rate limit requests depending on their specific identifier, which
is sent either as a POST header or a query string parameter.
Below is my starting config (am I mistaken to be using this?):
    # table keyed by the identifier string (values longer than 70 bytes are truncated)
    stick-table type string len 70 size 5M expire 1m store gpc0_rate(60s),conn_cnt,conn_cur,conn_rate(60s),sess_cnt,sess_rate(60s),http_req_rate(60s)
    # 'stick on' is a persistence rule: it picks a server per key but does not
    # feed the counters listed in 'store' (those are updated by track-sc* rules)
    stick on url_param(uid)

My hope is to use a throttled backend if connections within 1 minute from the
same UID (query string or POST header) exceed 30.
I have the same setup working with IPs, though I'm finding it a bit tricky to do
the same with qs/headers.

Any advice on the right direction? I am not confident with the above
counters.

RE: rate limiting according to "total time" - possible ?

2015-09-14 Thread Roland RoLaNd
That's exactly what I wanted!!
Thank you, Willy


> Date: Mon, 14 Sep 2015 07:38:08 +0200
> From: w...@1wt.eu
> To: r_o_l_a_...@hotmail.com
> CC: haproxy@formilux.org
> Subject: Re: rate limiting according to "total time" - possible ?
> 
> Hi Roland,
> 
> On Fri, Sep 11, 2015 at 05:11:11PM +0300, Roland RoLaNd wrote:
> > Hello,
> > I have haproxy directing traffic to a number of backends.
> > These backends can auto scale upon traffic; my goal is to change "maxconn"
> > depending on the "total time" or "backend time" that a request took to
> > complete.
> > For example:
> > if totaltime < 1 second ; maxconn = 1000
> > if totaltime < 2 second: maxconn = 500
> > etc...
> > 
> > The goal is to hold connections in queue till backend auto scaling is in
> > effect.
> > 
> > Can I do the above scenario within the haproxy config, or is a cron that
> > checks the haproxy socket/totaltime and acts accordingly a better idea?
> > 
> > Do you have alternative advice for me to accomplish that goal?
> 
> I could be wrong, but I think you're trying to re-implement by hand the
> dynamic rate limiting you can get using minconn,maxconn and fullconn. It
> dynamically increases or decreases the effective per-server maxconn
> depending on the total number of connections on all servers in the
> backend so that queues decrease when connection count increases.
> 
> Willy
> 
> 
  

rate limiting according to "total time" - possible ?

2015-09-11 Thread Roland RoLaNd
Hello,
I have haproxy directing traffic to a number of backends.
These backends can auto scale upon traffic; my goal is to change "maxconn"
depending on the "total time" or "backend time" that a request took to complete.
For example:
if totaltime < 1 second ; maxconn = 1000
if totaltime < 2 second: maxconn = 500
etc...

The goal is to hold connections in queue till backend auto scaling is in effect.

Can I do the above scenario within the haproxy config, or is a cron that checks
the haproxy socket/totaltime and acts accordingly a better idea?

Do you have alternative advice for me to accomplish that goal?
Thanks in advance
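Willy's suggestion in the reply above (minconn, maxconn and fullconn), written out as an added example. This config is not from the thread and not from Willy's reply; the backend name, server addresses, fullconn value and limits are assumptions chosen to illustrate the mechanism. In effect each server's limit is the larger of its minconn and maxconn scaled by the backend's current connection count over fullconn; requests beyond the current limit wait in the backend queue up to `timeout queue`, after which they get a 503 instead of waiting forever.

```haproxy
# Added example (not from the thread): dynamic per-server connection limits
# for a backend whose instances autoscale. Names and numbers are assumptions.
backend be_app
    mode http
    balance leastconn

    # fullconn: the backend-wide connection count at which every server is
    # allowed its full maxconn. Below it the effective per-server limit is
    # max(minconn, maxconn * backend_connections / fullconn), so a burst on a
    # quiet backend is queued and fed to the servers gradually.
    fullconn 2000

    # Queued requests wait at most this long, then receive a 503. Size it to
    # the time new instances need to come into service.
    timeout queue 30s

    # Quiet backend: at most 50 concurrent connections per server.
    # Backend at fullconn: the limit has risen to 500 per server.
    server app1 10.0.0.11:8080 minconn 50 maxconn 500 check
    server app2 10.0.0.12:8080 minconn 50 maxconn 500 check
    server app3 10.0.0.13:8080 minconn 50 maxconn 500 check
```

Without `maxconn` on the servers nothing is ever queued, and without `fullconn` HAProxy derives a default from the frontends' maxconn, so set both explicitly when relying on this behaviour.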
  

Change route on http_err_cnt

2015-05-27 Thread Roland RoLaNd
Stick table / request tracking inquiry:

Is it possible to route traffic to a different backend when http errors (5xx/4xx)
go higher than a certain threshold?
My config is as such:
    acl phoenix_bound path_beg -i -f /etc/haproxy/phoenix_bound.lst
    use_backend phoenix if phoenix_bound

My end goal is to accomplish this condition:
IF (http status code) from (phoenix backend)  399   count  100  ; then
use_backend catch_all for all subsequent requests till there are no more errors


I am reading up on stick tables and tracking, but I am confused by the
enormous number of things that can be done with such options, so a nudge in the
right direction would be greatly appreciated.


Another question, if possible: is it possible to set counters for query string
parameters? For example, counting how many requests a specific user id has
made to a specific backend.
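One way to get the "stop sending to phoenix while it is erroring" behaviour asked about above, as an added example that is not from the post or the thread. It uses health observation on live traffic rather than a stick-table counter: with `observe layer7`, HAProxy treats responses with status 100-499, 501 and 505 as valid and everything else as an error, so 4xx responses are not counted (only 5xx are), and `error-limit` counts consecutive errors, not a total. After the limit is reached `on-error mark-down` takes the server out until `rise` consecutive health checks pass, and the frontend routes phoenix traffic to catch_all while `nbsrv(phoenix)` is 0. The server addresses, check interval and error limit are assumptions.

```haproxy
# Added example (not from the post). Divert phoenix traffic to catch_all while
# phoenix has no usable server; live 5xx responses can take the server down.
frontend fe_main
    bind *:80
    mode http

    acl phoenix_bound path_beg -i -f /etc/haproxy/phoenix_bound.lst
    # true when every server in backend phoenix is down (health check failures
    # or the observe/on-error rule below)
    acl phoenix_down nbsrv(phoenix) eq 0

    # order matters: the fallback rule must be evaluated before the normal one
    use_backend catch_all if phoenix_bound phoenix_down
    use_backend phoenix   if phoenix_bound
    default_backend catch_all

backend phoenix
    mode http
    option httpchk GET /health         # /health is an assumed check URL
    # observe layer7: count 5xx (except 501/505) on real traffic; 4xx are valid.
    # error-limit 20: after 20 consecutive errors, on-error mark-down puts the
    # server down immediately; 'rise 2' successful checks bring it back.
    server phx1 10.0.0.20:8080 check inter 5s fall 3 rise 2 observe layer7 error-limit 20 on-error mark-down

backend catch_all
    mode http
    server fallback1 10.0.0.30:8080 check
```

Because the decision is driven by consecutive failures and health checks, one healthy response in the middle of a 5xx burst resets the count; if a time-windowed total is required instead, that has to be built with a stick-table counter tracked on a fixed key, which is a different design.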


  

stick-table and conn_rate question

2015-05-27 Thread Roland RoLaNd
I managed to successfully reject access from specific users depending on a
condition; but what I eventually want is to provide them with a certain page
instead of rejecting (redirect isn't an option).


    backend phoenix
        stick-table type string len 40 size 5M expire 2m store conn_rate(60s)
        tcp-request inspect-delay 10s
        stick on url_param(sid) table phoenix
        tcp-request content track-sc0 url_param(sid)
        # note: errorfile does not accept an 'if' condition
        errorfile 200 /etc/haproxy/custom_response/phoenix.http if { sc0_conn_rate gt 10 }

Checking the socket, the conn rate is above 10:
    0x8581a0: key=100testing01 use=0 exp=119272 server_id=1 conn_rate(6)=90

I think the problem is that the condition should be set in the frontend config in a
way that points to the phoenix table instead of the default frontend table...
any advice?
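A worked configuration for both the post above and the "stick tables and url_param + post headers - counter" post earlier on this page, added here as an example; it is not from either post or from the HAProxy project. It tracks a client identifier taken from the query string or, failing that, from a request header (the header name X-UID, the backend names, addresses and thresholds are assumptions), sends identifiers above 30 requests/minute to a throttled backend, and above 100 requests/minute serves a custom page without a redirect. The page is delivered by a backend that has no servers: such a backend answers with its own `errorfile 503`, and since an errorfile is sent verbatim, the file's own status line is what the client sees (HAProxy still logs a 503). Tracking is done in the frontend with `http-request track-sc0`, so the counters exist before a backend is chosen, which is the placement the post above is asking about; the counter is `http_req_rate` because tracking happens per HTTP request.

```haproxy
# Added example (not from the posts). Per-identifier rate limiting with a
# throttled tier and a custom-page tier. Header name, backends, addresses and
# thresholds are assumptions.
frontend fe_api
    bind *:80
    mode http

    # Per-identifier table: key is the uid string (truncated to 70 bytes);
    # expire must be at least as long as the longest rate window.
    stick-table type string len 70 size 5m expire 2m store http_req_rate(60s)

    # Query-string parameter first, request header as the fallback.
    # ('stick on' only drives persistence; it never updates these counters.)
    http-request track-sc0 url_param(uid) if { url_param(uid) -m found }
    http-request track-sc0 req.hdr(X-UID) if !{ url_param(uid) -m found } { req.hdr(X-UID) -m found }
    # For an identifier inside a POST body, HAProxy 1.6 adds
    # 'option http-buffer-request' plus the req.body_param(uid) fetch (not in 1.5).

    # The identifier is chosen by the client, so a client that rotates uids
    # would bypass the limit above; keep a per-source-IP limit alongside (sc1).
    http-request track-sc1 src table st_src
    acl src_abusive  sc1_http_req_rate gt 300

    acl uid_too_fast sc0_http_req_rate gt 30
    acl uid_flood    sc0_http_req_rate gt 100

    # Evaluate the harshest tier first.
    use_backend be_busy_page if uid_flood or src_abusive
    use_backend be_throttled if uid_too_fast
    default_backend be_app

# Table-only backend holding the source-IP counters.
backend st_src
    stick-table type ip size 200k expire 2m store http_req_rate(60s)

backend be_app
    mode http
    server app1 10.0.0.10:8080 check

backend be_throttled
    mode http
    # Same application server, tight maxconn: excess requests wait in the
    # queue (up to timeout queue) instead of hitting the app at full speed.
    timeout queue 5s
    server app1 10.0.0.10:8080 maxconn 5 check

backend be_busy_page
    mode http
    # No servers: every request gets this backend's 503 errorfile. The file
    # must be a complete HTTP response (status line, headers, blank line, body)
    # and may carry any status line; the client sees that line, the log says 503.
    errorfile 503 /etc/haproxy/custom_response/phoenix.http
```

Two checks worth doing after deploying this: `show table fe_api` on the stats socket should list one entry per uid with an `http_req_rate(60000)` value that rises as you replay requests, and a request with neither `uid=` nor `X-UID` should still be counted against the source IP in `st_src`, otherwise unidentified clients are unlimited.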

frequent NOSRV/SC log hits behind AWS ELB

2015-03-10 Thread Roland RoLaNd
Hello,
I am running haproxy version 1.5.11 on EC2 instances behind an AWS load
balancer.
Lately I am noticing a lot of 503 forbidden logs with SC as termination state
due to nosrv error.
My backend servers (which are behind an ELB of their own) are all healthy and
responsive.
Moreover I set a loop that checks port 80 between haproxy and backend servers,
and it never failed; it was checking the connection every 10 ms.
This is a log sample:
    Mar 10 10:33:50 api haproxy[1056]: 172.16.100.169:15235 [10/Mar/2015:10:33:50.905] API API/NOSRV 8/-1/-1/-1/8 503 213 - - SC-- 79/79/0/0/0 0/0 {177.103.215.19|Dalvik/1.6.0 (Linux; U; Android 4.4.4; XT1032 Build/KXB21.14-L1.} POST /api/v2.3/androidevent?buildnumber=1.10 HTTP/1.1

And this is my current config:

    global
        log /dev/log local0
        log /dev/log local1 notice
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin
        stats timeout 30s
        user haproxy
        group haproxy
        maxconn 65000
        daemon

        # Default SSL material locations
        ca-base /etc/ssl/certs
        crt-base /etc/ssl/private

        # Default ciphers to use on SSL-enabled listening sockets.
        # For more information, see ciphers(1SSL).
        ssl-default-bind-ciphers kEECDH+aRSA+AES:kRSA+AES:+AES256:RC4-SHA:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL
        ssl-default-bind-options no-sslv3

    defaults
        log     global
        mode    http
        option  httplog
        option  dontlognull
        # bare timeout values are interpreted as milliseconds
        timeout connect 1
        timeout client  5
        timeout server  5
        # users which we are redirecting nowhere, e.g. rejected, will die in 50 ms
        timeout tarpit  50
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http
        balance roundrobin
        # keep keep-alive between client and proxy but disable it between proxy and backend
        option http-server-close
        option forwardfor
        option redispatch
        retries 99

    frontend API
        bind *:80
        maxconn 6
        # Blacklist: deny access to some IPs before anything else is checked
        tcp-request content reject if { src -f /etc/haproxy/blacklist.lst }
        http-request set-header X-custom-http-scheme %[hdr(X-Forwarded-Proto)]
        # declared here, but no track-sc rule feeds it in this config
        stick-table type ip size 500k expire 30s store conn_cur,conn_rate(10s),http_req_rate(10s),http_err_rate(10s)
        option http-server-close
        # ELB logs: capture public IPs
        capture request header X-Forwarded-For len 50
        capture request header User-Agent len 64
        acl network_allowed src x.x.x.x
        acl restricted_page path_beg /restricted
        http-request deny if restricted_page !network_allowed
        # direct URIs to the proper ELB
        acl uri_api path_beg /api
        acl uri_wdev path_beg /wdev
        acl uri_staging path_beg /staging
        # note: backend names are case-sensitive; 'api' here vs 'API' below
        use_backend api if uri_api
        use_backend wdev if uri_wdev
        use_backend staging if uri_staging
        default_backend API

    backend API
        server API ELB_CNAME:80 check

    backend wdev
        server wdev ELB_CNAME:80 check

    backend staging
        server staging ELB_CNAME:80 check
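Reading the log line above: `API/NOSRV` with timers `8/-1/-1/-1/8` records that no server in backend API was available for that request, so no connection to a server was even attempted (Tc and Tr are -1), and `SC--` with a 503 is the termination state HAProxy itself produces in that case; it says nothing about whether the ELB behind it was reachable at that instant. One cause worth ruling out with a single server named by hostname: HAProxy 1.5 resolves `ELB_CNAME` once at startup, and an ELB's addresses change over time, so once they change the health checks fail against a stale address, the server goes down and the backend is left with no server. HAProxy 1.6 added runtime DNS resolution for servers; the configuration below is an added example of it and is not from the post. The resolver address (169.254.169.253, the default VPC resolver), the check URL and the timings are assumptions.

```haproxy
# Added example (not from the post): HAProxy 1.6+ runtime DNS resolution for a
# server given as an ELB hostname. Resolver address, check URL and timings are
# assumptions; ELB_CNAME is the placeholder used in the post's own config.
resolvers vpcdns
    nameserver dns1 169.254.169.253:53
    resolve_retries 3
    timeout retry   1s
    # reuse the last valid answer for 10s before querying again
    hold valid      10s

backend API
    mode http
    # layer-7 check so a TCP-accepting but broken target still counts as down
    option httpchk GET /health
    # the hostname is re-resolved through 'vpcdns' as part of the check cycle,
    # so an address change at the ELB is picked up without a reload
    server API ELB_CNAME:80 check inter 2s fall 3 rise 2 resolvers vpcdns resolve-prefer ipv4
```

Two things to verify on the running 1.5.11 instance before changing anything: `echo "show stat" | socat stdio /run/haproxy/admin.sock` around the time of a NOSRV burst shows whether the API server was marked DOWN, and `dig +short ELB_CNAME` compared with the address HAProxy resolved at startup shows whether the ELB's addresses have moved since the last reload. Note also that `retries 99` with `option redispatch` cannot help a backend that has only one server to redispatch to.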