Re: HAProxy concurrent HTTP query limit based on header

2020-04-18 Thread Jarno Huuskonen
Hi,

On Fri, 2020-04-17 at 20:22 +0200, Olivier D wrote:
> Hello everyone,
> I would like to implement a "max concurrent connection" in HAProxy.
> This is easy to do at TCP level : 
> 
> stick-table  type ipv6 size 100k  expire 30s  store conn_cur
> http-request track-sc0 src
> http-request deny deny_status 429 if { src_conn_cur ge 20 }
> 
> But now, I want to do the same for concurrent HTTP queries, based on
> header 'X-Forwarded-For'. For example, I want to send a 429 error
> code if someone is sending an HTTP query when he already has 20
> ongoing.
> 
> My first tries are based on something like this : 
> stick-table type ipv6 size 100k  expire 30s  store http_req_rate(10s)
> http-request track-sc0 req.hdr( X-Forwarded-For )

Does it work if you use:
http-request track-sc0 req.hdr_ip(X-Forwarded-For)
(https://cbonte.github.io/haproxy-dconv/2.0/configuration.html#7.3.6-req.hdr_ip)

Do you get any entries in the stick-table (show table ... command to
stats socket)?

-Jarno

> http-request deny deny_status 429 if { sc0_conn_cur ge 20 }
> 
> but it doesn't seem to work the way I want ...

-- 
Jarno Huuskonen
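
An added example, not part of the thread: a Python check over `show table` output that separates the two failure modes raised in the replies (no entries tracked at all, or a table that does not store `conn_cur`) from keys at or over the limit of 20. The sample output, the table name `fe_main`, the addresses and the helper names `parse_show_table` and `diagnose` are constructed for illustration.

```python
import re

# Constructed samples of `show table <name>` output from the stats socket.
# Table name, pointers and addresses are made up for this example.
SAMPLE = """\
# table: fe_main, type: ipv6, size:102400, used:2
0x55d0c8a1b2c0: key=::ffff:192.0.2.10 use=21 exp=29874 conn_cur=21
0x55d0c8a1b3f0: key=2001:db8::7 use=1 exp=12010 conn_cur=1
"""
# Same table declared with "store http_req_rate(10s)": no conn_cur column.
SAMPLE_RATE = """\
# table: fe_main, type: ipv6, size:102400, used:1
0x55d0c8a1b2c0: key=::ffff:192.0.2.10 use=0 exp=9120 http_req_rate(10000)=42
"""

ENTRY = re.compile(r"^0x[0-9a-f]+:\s+(.*)$")

def parse_show_table(text):
    """Return {key: {field: value}} for every entry line in the dump."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # "# table: ..." header or blank line
        fields = dict(pair.split("=", 1) for pair in m.group(1).split())
        entries[fields.pop("key")] = fields
    return entries

def diagnose(text, limit=20):
    """Classify a dump: ('no-entries' | 'no-conn_cur' | 'ok', keys_at_limit)."""
    entries = parse_show_table(text)
    if not entries:
        # Nothing tracked: the track-sc0 sample did not yield a usable key.
        return ("no-entries", [])
    if not all("conn_cur" in f for f in entries.values()):
        # The table stores some other counter, so sc0_conn_cur has no data.
        return ("no-conn_cur", [])
    over = sorted(k for k, f in entries.items() if int(f["conn_cur"]) >= limit)
    return ("ok", over)

if __name__ == "__main__":
    print(diagnose(SAMPLE))
    print(diagnose(SAMPLE_RATE))
```
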


Re: HAProxy concurrent HTTP query limit based on header

2020-04-17 Thread Olivier D
On Fri, 17 Apr 2020 at 20:49, Tim Düsterhus wrote:

> Olivier,
>
> On 17.04.20 at 20:22, Olivier D wrote:
> > My first tries are based on something like this :
> >stick-table type ipv6 size 100k  expire 30s  store http_req_rate(10s)
> Not sure whether that's just an error in your email, but: You store a
> http_req_rate, not a number of connections.
>

You are correct, last test was
   stick-table type ipv6 size 100k  expire 30s  store conn_cur

but it seems to not do what I want.

I'll check again on Monday with some rest :)

Olivier


>
> >http-request track-sc0 req.hdr( X-Forwarded-For )
> >http-request deny deny_status 429 if { sc0_conn_cur ge 20 }
> >
>
> Best regards
> Tim Düsterhus
>


Re: HAProxy concurrent HTTP query limit based on header

2020-04-17 Thread Tim Düsterhus
Olivier,

On 17.04.20 at 20:22, Olivier D wrote:
> My first tries are based on something like this :
>stick-table type ipv6 size 100k  expire 30s  store http_req_rate(10s)
Not sure whether that's just an error in your email, but: You store a
http_req_rate, not a number of connections.

>http-request track-sc0 req.hdr( X-Forwarded-For )
>http-request deny deny_status 429 if { sc0_conn_cur ge 20 }
> 

Best regards
Tim Düsterhus



HAProxy concurrent HTTP query limit based on header

2020-04-17 Thread Olivier D
Hello everyone,
I would like to implement a "max concurrent connection" in HAProxy. This is
easy to do at TCP level :

stick-table  type ipv6 size 100k  expire 30s  store conn_cur
http-request track-sc0 src
http-request deny deny_status 429 if { src_conn_cur ge 20 }

But now, I want to do the same for concurrent HTTP queries, based on header
'X-Forwarded-For'. For example, I want to send a 429 error code if someone
is sending an HTTP query when he already has 20 ongoing.

My first tries are based on something like this :
   stick-table type ipv6 size 100k  expire 30s  store http_req_rate(10s)
   http-request track-sc0 req.hdr( X-Forwarded-For )
   http-request deny deny_status 429 if { sc0_conn_cur ge 20 }

but it doesn't seem to work the way I want ...

Now I'm a bit lost, but maybe someone already implemented this ?

Thank you  !

Olivier