Re: limiting conn-curs per-ip using x-forwarded-for
I sniffed the traffic on haproxy and the requests look fine:

    GET /php-sleep.php?43 HTTP/1.1
    User-Agent: curl/7.35.0
    Host: kms.example.org
    Accept: */*
    X-Forwarded-For: 123.149.124.91

    HTTP/1.1 200 OK
    Server: Apache
    Content-Type: text/html; charset=UTF-8
    Content-Length: 34
    Accept-Ranges: bytes
    Date: Tue, 14 Apr 2015 07:03:40 GMT
    X-Varnish: 2130622187 2130622186
    Age: 0
    Via: 1.1 varnish
    Connection: keep-alive
    X-Varnish-Cache: HIT
    X-Varnish-Cache-Hits: 1

    FinishSlept for 43 seconds

but while the requests are running the table is empty:

    # table: kms-ds-nocache, type: ip, size:102400, used:0

Klavs Klavsen wrote on 04/14/2015 08:49 AM:
> Hi Baptiste,
>
> Thank you very much for your help. Unfortunately it didn't work..
>
> I tried this:
>
>     frontend kms-ds-nocache
>         bind x.x.x.x:80
>         mode http
>         balance roundrobin
>         default_backend kms-ds-backend
>         option httplog
>         option accept-invalid-http-request
>         stick-table type ip size 100k expire 30s store conn_cur
>         tcp-request content accept if HTTP
>         tcp-request content reject if { sc1_conn_cur ge 2 }
>         tcp-request content track-sc1 hdr(X-Forwarded-For)
>         tcp-request inspect-delay 5s
>
> and I was still able to have 5 connections.. (I call a php script, using curl, which sleeps for 40 seconds :)
>
> Baptiste wrote on 04/09/2015 11:28 PM:
>> Hi Klavs,
>>
>> Please give a try to the configuration below:
>>
>>     frontend nocache
>>         mode http
>>         ..
>>         option httplog
>>         option accept-invalid-http-request
>>         stick-table type ip size 100k expire 30s store conn_cur
>>         tcp-request inspect-delay 5s
>>         tcp-request content accept if HTTP
>>         tcp-request content track-sc1 hdr(X-Forwarded-For)
>>         tcp-request content reject if { sc1_conn_cur ge 10 }
>>
>> 'tcp-request connection' is executed when the connection has just arrived into HAProxy, so the header X-Forwarded-For might not have been read yet. The conf above uses 'tcp-request content' instead, and to be sure we'll find the header, I've added the inspect delay, which accepts the request once the buffer is confirmed to contain HTTP.
>>
>> Baptiste
>>
>> On Tue, Apr 7, 2015 at 12:33 PM, Klavs Klavsen wrote:
>>> Back from easter vacation :)
>>>
>>> Baptiste wrote on 03/25/2015 10:30 AM:
>>>> Hi,
>>>>
>>>> some useful examples can be taken from this blog post:
>>>> http://blog.haproxy.com/2012/02/27/use-a-load-balancer-as-a-first-row-of-defense-against-ddos/
>>>>
>>>> Just replace src by hdr(X-Forwarded-For).
>>>
>>> Tried:
>>>
>>>     frontend nocache
>>>         mode http
>>>         ..
>>>         option httplog
>>>         option accept-invalid-http-request
>>>         stick-table type ip size 100k expire 30s store conn_cur
>>>         tcp-request connection reject if { src_conn_cur ge 10 }
>>>         tcp-request connection track-sc1 hdr(X-Forwarded-For)
>>>         ..
>>>
>>> but haproxy complains:
>>>
>>>     'tcp-request connection track-sc1' : fetch method 'hdr(X-Forwarded-For)' extracts information from 'HTTP request headers,HTTP response headers', none of which is available here
>>>
>>> I took the example from
>>> http://blog.haproxy.com/2012/02/27/use-a-load-balancer-as-a-first-row-of-defense-against-ddos/
>>>
>>> :(
>>>
>>> --
>>> Regards,
>>> Klavs Klavsen, GSEC - k...@vsen.dk - http://www.vsen.dk - Tlf. 61281200
>>>
>>> "Those who do not understand Unix are condemned to reinvent it, poorly."
>>> --Henry Spencer

--
Regards,
Klavs Klavsen, GSEC - k...@vsen.dk - http://www.vsen.dk - Tlf. 61281200

"Those who do not understand Unix are condemned to reinvent it, poorly."
--Henry Spencer
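The thread ends without an explanation for the empty table. As an added configuration example (written for this page; it is not code from the thread, from Baptiste, or from the HAProxy project), the frontend below reorders the rules: in HAProxy, a `tcp-request content accept` or `reject` rule that matches ends evaluation of the rule list, so in the 08:49 config above `track-sc1` sits after `accept if HTTP` and is never reached once a valid request has been seen, and nothing is ever counted. The example also adds the edge proxy's side, because the key being counted comes from a header the client can send. Assumptions: HAProxy 1.5 (the version the thread's documentation links refer to), the thread's own names (`kms-ds-nocache`, `kms-ds-backend`, `x.x.x.x`), constructed server addresses and a placeholder socket path, and Varnish running its default VCL between the two HAProxy instances.

```haproxy
global
    # stats socket so the table can be inspected while requests are in flight
    stats socket /var/run/haproxy.sock mode 600 level admin   # placeholder path

# --- Edge HAProxy (the one in front of Varnish) ---
frontend edge
    bind *:80
    mode http
    # Overwrite, do not append: whatever X-Forwarded-For a client sends must not
    # survive, otherwise the client picks the key it is counted under.
    http-request set-header X-Forwarded-For %[src]
    default_backend to-varnish

backend to-varnish
    mode http
    server varnish 10.0.0.2:80            # constructed address

# --- Inner HAProxy (the "nocache" frontend behind Varnish) ---
frontend kms-ds-nocache
    bind x.x.x.x:80
    mode http
    option httplog
    default_backend kms-ds-backend

    # One row per client address; conn_cur is the number of connections currently
    # open for that key. "type ip" is fine with hdr(): the string sample is cast.
    stick-table type ip size 100k expire 30s store conn_cur

    # Give the complete request headers up to 5s to arrive before the rules decide.
    tcp-request inspect-delay 5s

    # Order matters: track first. "accept" and "reject" end rule evaluation, so
    # any rule placed after them never runs.
    # hdr(X-Forwarded-For) is the FIRST value. Varnish's default VCL appends the
    # address it saw (the edge HAProxy), so the LAST value (hdr(...,-1)) is the
    # proxy, not the client.
    tcp-request content track-sc1 hdr(X-Forwarded-For)

    # sc1_conn_cur already includes this connection: "ge 3" allows 2 concurrent
    # connections per client address.
    tcp-request content reject if { sc1_conn_cur ge 3 }

    # Release the inspect delay as soon as a valid HTTP request has been seen.
    tcp-request content accept if HTTP

backend kms-ds-backend
    mode http
    balance roundrobin
    server web1 10.0.0.3:80               # constructed address
```

To confirm that tracking happens, start a few long-running requests as in the test above and query the table through the stats socket (`echo "show table kms-ds-nocache" | socat stdio /var/run/haproxy.sock`); each client address should appear as a `key=` row with a non-zero `conn_cur`. The "last value is the proxy" behaviour described in the comments is an inference from the thread: it would explain why `stick store-request hdr(X-Forwarded-For,-1)` produced the HAProxy server's own IP (10.27.174.10) as the only key. Note also what is being counted: connections between Varnish and this HAProxy, attributed to the client named in the header, so how Varnish manages its backend connections affects the numbers.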
Re: limiting conn-curs per-ip using x-forwarded-for
Hi Baptiste,

Thank you very much for your help. Unfortunately it didn't work..

I tried this:

    frontend kms-ds-nocache
        bind x.x.x.x:80
        mode http
        balance roundrobin
        default_backend kms-ds-backend
        option httplog
        option accept-invalid-http-request
        stick-table type ip size 100k expire 30s store conn_cur
        tcp-request content accept if HTTP
        tcp-request content reject if { sc1_conn_cur ge 2 }
        tcp-request content track-sc1 hdr(X-Forwarded-For)
        tcp-request inspect-delay 5s

and I was still able to have 5 connections.. (I call a php script, using curl, which sleeps for 40 seconds :)

Baptiste wrote on 04/09/2015 11:28 PM:
> Hi Klavs,
>
> Please give a try to the configuration below:
>
>     frontend nocache
>         mode http
>         ..
>         option httplog
>         option accept-invalid-http-request
>         stick-table type ip size 100k expire 30s store conn_cur
>         tcp-request inspect-delay 5s
>         tcp-request content accept if HTTP
>         tcp-request content track-sc1 hdr(X-Forwarded-For)
>         tcp-request content reject if { sc1_conn_cur ge 10 }
>
> 'tcp-request connection' is executed when the connection has just arrived into HAProxy, so the header X-Forwarded-For might not have been read yet. The conf above uses 'tcp-request content' instead, and to be sure we'll find the header, I've added the inspect delay, which accepts the request once the buffer is confirmed to contain HTTP.
>
> Baptiste
>
> On Tue, Apr 7, 2015 at 12:33 PM, Klavs Klavsen wrote:
>> Back from easter vacation :)
>>
>> Baptiste wrote on 03/25/2015 10:30 AM:
>>> Hi,
>>>
>>> some useful examples can be taken from this blog post:
>>> http://blog.haproxy.com/2012/02/27/use-a-load-balancer-as-a-first-row-of-defense-against-ddos/
>>>
>>> Just replace src by hdr(X-Forwarded-For).
>>
>> Tried:
>>
>>     frontend nocache
>>         mode http
>>         ..
>>         option httplog
>>         option accept-invalid-http-request
>>         stick-table type ip size 100k expire 30s store conn_cur
>>         tcp-request connection reject if { src_conn_cur ge 10 }
>>         tcp-request connection track-sc1 hdr(X-Forwarded-For)
>>         ..
>>
>> but haproxy complains:
>>
>>     'tcp-request connection track-sc1' : fetch method 'hdr(X-Forwarded-For)' extracts information from 'HTTP request headers,HTTP response headers', none of which is available here
>>
>> I took the example from
>> http://blog.haproxy.com/2012/02/27/use-a-load-balancer-as-a-first-row-of-defense-against-ddos/
>>
>> :(
>>
>> --
>> Regards,
>> Klavs Klavsen, GSEC - k...@vsen.dk - http://www.vsen.dk - Tlf. 61281200
>>
>> "Those who do not understand Unix are condemned to reinvent it, poorly."
>> --Henry Spencer

--
Regards,
Klavs Klavsen, GSEC - k...@vsen.dk - http://www.vsen.dk - Tlf. 61281200

"Those who do not understand Unix are condemned to reinvent it, poorly."
--Henry Spencer
Re: limiting conn-curs per-ip using x-forwarded-for
Hi Klavs,

Please give a try to the configuration below:

    frontend nocache
        mode http
        ..
        option httplog
        option accept-invalid-http-request
        stick-table type ip size 100k expire 30s store conn_cur
        tcp-request inspect-delay 5s
        tcp-request content accept if HTTP
        tcp-request content track-sc1 hdr(X-Forwarded-For)
        tcp-request content reject if { sc1_conn_cur ge 10 }

'tcp-request connection' is executed when the connection has just arrived into HAProxy, so the header X-Forwarded-For might not have been read yet. The conf above uses 'tcp-request content' instead, and to be sure we'll find the header, I've added the inspect delay, which accepts the request once the buffer is confirmed to contain HTTP.

Baptiste

On Tue, Apr 7, 2015 at 12:33 PM, Klavs Klavsen wrote:
> Back from easter vacation :)
>
> Baptiste wrote on 03/25/2015 10:30 AM:
>>
>> Hi,
>>
>> some useful examples can be taken from this blog post:
>>
>> http://blog.haproxy.com/2012/02/27/use-a-load-balancer-as-a-first-row-of-defense-against-ddos/
>>
>> Just replace src by hdr(X-Forwarded-For).
>>
>
> Tried:
>
>     frontend nocache
>         mode http
>         ..
>         option httplog
>         option accept-invalid-http-request
>         stick-table type ip size 100k expire 30s store conn_cur
>         tcp-request connection reject if { src_conn_cur ge 10 }
>         tcp-request connection track-sc1 hdr(X-Forwarded-For)
>         ..
>
> but haproxy complains:
>
>     'tcp-request connection track-sc1' : fetch method 'hdr(X-Forwarded-For)' extracts information from 'HTTP request headers,HTTP response headers', none of which is available here
>
> I took the example from
> http://blog.haproxy.com/2012/02/27/use-a-load-balancer-as-a-first-row-of-defense-against-ddos/
>
> :(
>
>
> --
> Regards,
> Klavs Klavsen, GSEC - k...@vsen.dk - http://www.vsen.dk - Tlf. 61281200
>
> "Those who do not understand Unix are condemned to reinvent it, poorly."
> --Henry Spencer
>
Re: limiting conn-curs per-ip using x-forwarded-for
Back from easter vacation :)

Baptiste wrote on 03/25/2015 10:30 AM:
> Hi,
>
> some useful examples can be taken from this blog post:
> http://blog.haproxy.com/2012/02/27/use-a-load-balancer-as-a-first-row-of-defense-against-ddos/
>
> Just replace src by hdr(X-Forwarded-For).

Tried:

    frontend nocache
        mode http
        ..
        option httplog
        option accept-invalid-http-request
        stick-table type ip size 100k expire 30s store conn_cur
        tcp-request connection reject if { src_conn_cur ge 10 }
        tcp-request connection track-sc1 hdr(X-Forwarded-For)
        ..

but haproxy complains:

    'tcp-request connection track-sc1' : fetch method 'hdr(X-Forwarded-For)' extracts information from 'HTTP request headers,HTTP response headers', none of which is available here

I took the example from
http://blog.haproxy.com/2012/02/27/use-a-load-balancer-as-a-first-row-of-defense-against-ddos/

:(

--
Regards,
Klavs Klavsen, GSEC - k...@vsen.dk - http://www.vsen.dk - Tlf. 61281200

"Those who do not understand Unix are condemned to reinvent it, poorly."
--Henry Spencer
Re: limiting conn-curs per-ip using x-forwarded-for
Hi,

some useful examples can be taken from this blog post:
http://blog.haproxy.com/2012/02/27/use-a-load-balancer-as-a-first-row-of-defense-against-ddos/

Just replace src by hdr(X-Forwarded-For).

Baptiste

On Tue, Mar 24, 2015 at 5:58 PM, Jarno Huuskonen wrote:
> Hi,
>
> On Tue, Mar 24, Klavs Klavsen wrote:
>> I now have:
>>
>>     stick-table type string size 100k store conn_cur,gpc0
>>     stick store-request hdr(X-Forwarded-For,-1)
>>     tcp-request content track-sc2 hdr(X-Forwarded-For)
>>     acl allowed sc2_conn_cur lt 2
>>     block unless allowed
>
> tcp-request inspect-delay ?
> Most of the examples seem to use inspect-delay:
> http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#4.2-tcp-request%20content
>
>> shouldn't the key - be the x-forwarded-for header?
>
> Have you checked that the requests have (one) x-forwarded-for header?
> hdr(X-Forwarded-For) = first header, and hdr(X-Forwarded-For,-1) = last header.
> (http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#7.3.6-req.hdr)
>
> And is the haproxy ip the only one that's in the stick table?
>
> -Jarno
>
> --
> Jarno Huuskonen
>
Re: limiting conn-curs per-ip using x-forwarded-for
Thanks, I sent request previously to you but I have done it. Ha.

- Original Message -
From: "Jarno Huuskonen"
To: "Klavs Klavsen"
Cc: haproxy@formilux.org
Sent: Tuesday, March 24, 2015 9:23:04 AM
Subject: Re: limiting conn-curs per-ip using x-forwarded-for

Hi,

On Tue, Mar 24, Klavs Klavsen wrote:
>     #create a stick-table of 30 IPs for storing active IPs, 5 minute timeout
>     stick-table type ip size 30 expire 5m store gpc0
>     #populate the table with the X-Forwarded-For header
>     stick store-request hdr(X-Forwarded-For)

You've created type ip stick table, but I think hdr(X-Forwarded-For) returns a string.

Do you see any entries in the stick table: show table nocache -> to stats socket

Maybe it's possible to use one of the converters to map str -> ip
(http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#7.3.1-map)
or try with a string stick table:
http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#4-stick-table

-Jarno

--
Jarno Huuskonen
Re: limiting conn-curs per-ip using x-forwarded-for
Thanks, I sent request previously to you but I have done it. Ha.

- Original Message -
From: "Klavs Klavsen"
To: "Mark S." , haproxy@formilux.org
Sent: Tuesday, March 24, 2015 10:56:03 AM
Subject: Re: limiting conn-curs per-ip using x-forwarded-for

Mark S. wrote on 03/24/2015 03:36 PM:
> Hi Klavs,
>
> Try using this in the backend section for the track-sc2 statement to use
> the previous instance of the Forwarded-For header.
>
> I have a version of this working in a similar fashion, but I am using a
> "stick-table type binary" instead of string - it probably works both
> ways, but I haven't tested type string. I'm using http_req_rate as I'm
> concerned about the rate rather than the number of active connections.
>
>     stick-table type binary len 32 size 5k expire 5m store http_req_rate(10s),gpc0
>     tcp-request content track-sc2 hdr(X-Forwarded-For,-1)
>

Thank you Mark,

It did help.. somewhat.. now the first connection is allowed :)

I now have:

    stick-table type string size 100k store conn_cur,gpc0
    stick store-request hdr(X-Forwarded-For,-1)
    tcp-request content track-sc2 hdr(X-Forwarded-For)
    acl allowed sc2_conn_cur lt 2
    block unless allowed

But everyone gets blocked - when one connection is active.. (i.e. not just the source of that one connection).

show table shows this:

    table: kk.dk-ds-backend, type: string, size:102400, used:2
    0x1304dfc: key=10.27.174.10 use=1 exp=0 server_id=1 gpc0=0 conn_cur=1

shouldn't the key - be the x-forwarded-for header?

[CUT]

--
Regards,
Klavs Klavsen, GSEC - k...@vsen.dk - http://www.vsen.dk - Tlf. 61281200

"Those who do not understand Unix are condemned to reinvent it, poorly."
--Henry Spencer
Re: limiting conn-curs per-ip using x-forwarded-for
Thanks, I sent request previously to you but I have done it. Ha.

- Original Message -
From: "Jarno Huuskonen"
To: "Klavs Klavsen"
Cc: haproxy@formilux.org
Sent: Tuesday, March 24, 2015 12:58:21 PM
Subject: Re: limiting conn-curs per-ip using x-forwarded-for

Hi,

On Tue, Mar 24, Klavs Klavsen wrote:
> I now have:
>
>     stick-table type string size 100k store conn_cur,gpc0
>     stick store-request hdr(X-Forwarded-For,-1)
>     tcp-request content track-sc2 hdr(X-Forwarded-For)
>     acl allowed sc2_conn_cur lt 2
>     block unless allowed

tcp-request inspect-delay ?
Most of the examples seem to use inspect-delay:
http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#4.2-tcp-request%20content

> shouldn't the key - be the x-forwarded-for header?

Have you checked that the requests have (one) x-forwarded-for header?
hdr(X-Forwarded-For) = first header, and hdr(X-Forwarded-For,-1) = last header.
(http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#7.3.6-req.hdr)

And is the haproxy ip the only one that's in the stick table?

-Jarno

--
Jarno Huuskonen
Re: limiting conn-curs per-ip using x-forwarded-for
Hi,

On Tue, Mar 24, Klavs Klavsen wrote:
> I now have:
>
>     stick-table type string size 100k store conn_cur,gpc0
>     stick store-request hdr(X-Forwarded-For,-1)
>     tcp-request content track-sc2 hdr(X-Forwarded-For)
>     acl allowed sc2_conn_cur lt 2
>     block unless allowed

tcp-request inspect-delay ?
Most of the examples seem to use inspect-delay:
http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#4.2-tcp-request%20content

> shouldn't the key - be the x-forwarded-for header?

Have you checked that the requests have (one) x-forwarded-for header?
hdr(X-Forwarded-For) = first header, and hdr(X-Forwarded-For,-1) = last header.
(http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#7.3.6-req.hdr)

And is the haproxy ip the only one that's in the stick table?

-Jarno

--
Jarno Huuskonen
Re: limiting conn-curs per-ip using x-forwarded-for
Mark S. wrote on 03/24/2015 03:36 PM:
> Hi Klavs,
>
> Try using this in the backend section for the track-sc2 statement to use
> the previous instance of the Forwarded-For header.
>
> I have a version of this working in a similar fashion, but I am using a
> "stick-table type binary" instead of string - it probably works both
> ways, but I haven't tested type string. I'm using http_req_rate as I'm
> concerned about the rate rather than the number of active connections.
>
>     stick-table type binary len 32 size 5k expire 5m store http_req_rate(10s),gpc0
>     tcp-request content track-sc2 hdr(X-Forwarded-For,-1)

Thank you Mark,

It did help.. somewhat.. now the first connection is allowed :)

I now have:

    stick-table type string size 100k store conn_cur,gpc0
    stick store-request hdr(X-Forwarded-For,-1)
    tcp-request content track-sc2 hdr(X-Forwarded-For)
    acl allowed sc2_conn_cur lt 2
    block unless allowed

But everyone gets blocked - when one connection is active.. (i.e. not just the source of that one connection).

show table shows this:

    table: kk.dk-ds-backend, type: string, size:102400, used:2
    0x1304dfc: key=10.27.174.10 use=1 exp=0 server_id=1 gpc0=0 conn_cur=1

shouldn't the key - be the x-forwarded-for header?

[CUT]

--
Regards,
Klavs Klavsen, GSEC - k...@vsen.dk - http://www.vsen.dk - Tlf. 61281200

"Those who do not understand Unix are condemned to reinvent it, poorly."
--Henry Spencer
Re: limiting conn-curs per-ip using x-forwarded-for
hmm. it says:

    : 'stick' ignored because frontend 'nocache' has no backend capability.

it seems it has to be on the backend.. When set on the backend, I get an entry in the list:

    # table: kk.dk-ds-backend, type: ip, size:1024, used:1
    0x14b25c8: key=10.27.174.10 use=0 exp=296637 server_id=0 gpc0=0

(with stick table of type ip) and with stick table type string:

    # table: kk.dk-ds-backend, type: string, size:1024, used:1
    0x1d84d18: key=10.27.174.10 use=0 exp=267770 server_id=1 gpc0=0

the key (10.27.174.10) is the ip of the haproxy server.. :(

And no matter - it denied EVERY request to the server when I set the block.. :(

So when I have 3 backends - behind the same frontend, I have

Jarno Huuskonen wrote on 03/24/2015 02:23 PM:
> Hi,
>
> On Tue, Mar 24, Klavs Klavsen wrote:
>>     #create a stick-table of 30 IPs for storing active IPs, 5 minute timeout
>>     stick-table type ip size 30 expire 5m store gpc0
>>     #populate the table with the X-Forwarded-For header
>>     stick store-request hdr(X-Forwarded-For)
>
> You've created type ip stick table, but I think hdr(X-Forwarded-For) returns a string.
>
> Do you see any entries in the stick table: show table nocache -> to stats socket
>
> Maybe it's possible to use one of the converters to map str -> ip
> (http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#7.3.1-map)
> or try with a string stick table:
> http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#4-stick-table
>
> -Jarno

--
Regards,
Klavs Klavsen, GSEC - k...@vsen.dk - http://www.vsen.dk - Tlf. 61281200

"Those who do not understand Unix are condemned to reinvent it, poorly."
--Henry Spencer
Re: limiting conn-curs per-ip using x-forwarded-for
Tried converting it to type: string.. but it's always empty :(

    # table: nocache, type: string, size:1024, used:0
    # table: nocache, type: ip, size:30, used:0

The frontend config is:

    mode http
    acl allowed sc2_conn_cur lt 2
    balance roundrobin
    default_backend ds-backend
    option httplog
    option accept-invalid-http-request
    stick store-request hdr(X-Forwarded-For)
    stick-table type string len 20 expire 5m store gpc0
    tcp-request content track-sc2 hdr(X-Forwarded-For)

Jarno Huuskonen wrote on 03/24/2015 02:23 PM:
> Hi,
>
> On Tue, Mar 24, Klavs Klavsen wrote:
>>     #create a stick-table of 30 IPs for storing active IPs, 5 minute timeout
>>     stick-table type ip size 30 expire 5m store gpc0
>>     #populate the table with the X-Forwarded-For header
>>     stick store-request hdr(X-Forwarded-For)
>
> You've created type ip stick table, but I think hdr(X-Forwarded-For) returns a string.
>
> Do you see any entries in the stick table: show table nocache -> to stats socket
>
> Maybe it's possible to use one of the converters to map str -> ip
> (http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#7.3.1-map)
> or try with a string stick table:
> http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#4-stick-table
>
> -Jarno

--
Regards,
Klavs Klavsen, GSEC - k...@vsen.dk - http://www.vsen.dk - Tlf. 61281200

"Those who do not understand Unix are condemned to reinvent it, poorly."
--Henry Spencer
Re: limiting conn-curs per-ip using x-forwarded-for
Hi,

On Tue, Mar 24, Klavs Klavsen wrote:
>     #create a stick-table of 30 IPs for storing active IPs, 5 minute timeout
>     stick-table type ip size 30 expire 5m store gpc0
>     #populate the table with the X-Forwarded-For header
>     stick store-request hdr(X-Forwarded-For)

You've created type ip stick table, but I think hdr(X-Forwarded-For) returns a string.

Do you see any entries in the stick table: show table nocache -> to stats socket

Maybe it's possible to use one of the converters to map str -> ip
(http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#7.3.1-map)
or try with a string stick table:
http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#4-stick-table

-Jarno

--
Jarno Huuskonen
Re: limiting conn-curs per-ip using x-forwarded-for
I tried

    acl allowed sc2_conn_cur lt 2
    block unless allowed

it blocked every access :(

Klavs Klavsen wrote on 03/24/2015 01:19 PM:
> Can I perhaps do something like:
>
>     tcp-request content track-sc2 hdr(X-Forwarded-For)
>     acl conn_limit_hit sc2_conn_cur gt 2
>
> ?
>
> Klavs Klavsen wrote on 03/24/2015 01:11 PM:
>> Hi,
>>
>> We would like to limit how many connections a given IP can send to our backend.
>>
>> Our setup is like this:
>>
>>     haproxy -> varnish -> haproxy -> webservers
>>
>> and we'd like to have the frontend behind varnish (we call it nocache :) limit concurrent connections any IP can have.. (to 1 or 2 is the idea)..
>>
>> I've googled and read.. and it seems stick-table should be used..
>>
>> My current setup looks something like this (based/stolen from http://fotoarkiv.com/wordpress/limiting-the-number-of-active-users-on-a-site-using-haproxy/ ):
>>
>>     frontend nocache
>>         ..
>>         #create a stick-table of 30 IPs for storing active IPs, 5 minute timeout
>>         stick-table type ip size 30 expire 5m store gpc0
>>         #populate the table with the X-Forwarded-For header
>>         stick store-request hdr(X-Forwarded-For)
>>         #allow new users if we have more than 1 available slot in the stick table
>>         acl allowed table_avl(nocache) gt 1
>>         #if not allowed above, go away
>>         block unless allowed
>>
>> but it looks for "available slots in stick-table".. I'd like to simply block if the ip already has more than 2 connections..
>>
>> I figured I could use src_conn_cnt.. but I need it to use the ip in X-Forwarded-For..
>>
>> How can I do that?
>>
>> Thank you in advance

--
Regards,
Klavs Klavsen, GSEC - k...@vsen.dk - http://www.vsen.dk - Tlf. 61281200

"Those who do not understand Unix are condemned to reinvent it, poorly."
--Henry Spencer
Re: limiting conn-curs per-ip using x-forwarded-for
Can I perhaps do something like:

    tcp-request content track-sc2 hdr(X-Forwarded-For)
    acl conn_limit_hit sc2_conn_cur gt 2

?

Klavs Klavsen wrote on 03/24/2015 01:11 PM:
> Hi,
>
> We would like to limit how many connections a given IP can send to our backend.
>
> Our setup is like this:
>
>     haproxy -> varnish -> haproxy -> webservers
>
> and we'd like to have the frontend behind varnish (we call it nocache :) limit concurrent connections any IP can have.. (to 1 or 2 is the idea)..
>
> I've googled and read.. and it seems stick-table should be used..
>
> My current setup looks something like this (based/stolen from http://fotoarkiv.com/wordpress/limiting-the-number-of-active-users-on-a-site-using-haproxy/ ):
>
>     frontend nocache
>         ..
>         #create a stick-table of 30 IPs for storing active IPs, 5 minute timeout
>         stick-table type ip size 30 expire 5m store gpc0
>         #populate the table with the X-Forwarded-For header
>         stick store-request hdr(X-Forwarded-For)
>         #allow new users if we have more than 1 available slot in the stick table
>         acl allowed table_avl(nocache) gt 1
>         #if not allowed above, go away
>         block unless allowed
>
> but it looks for "available slots in stick-table".. I'd like to simply block if the ip already has more than 2 connections..
>
> I figured I could use src_conn_cnt.. but I need it to use the ip in X-Forwarded-For..
>
> How can I do that?
>
> Thank you in advance

--
Regards,
Klavs Klavsen, GSEC, kl...@enableit.dk - Tlf. +45 612 812 00
EnableIT - Open Source Server, Security and Network Consulting

"Open Source Software - Sometimes you get more than you paid for."
limiting conn-curs per-ip using x-forwarded-for
Hi,

We would like to limit how many connections a given IP can send to our backend.

Our setup is like this:

    haproxy -> varnish -> haproxy -> webservers

and we'd like to have the frontend behind varnish (we call it nocache :) limit concurrent connections any IP can have.. (to 1 or 2 is the idea)..

I've googled and read.. and it seems stick-table should be used..

My current setup looks something like this (based/stolen from http://fotoarkiv.com/wordpress/limiting-the-number-of-active-users-on-a-site-using-haproxy/ ):

    frontend nocache
        ..
        #create a stick-table of 30 IPs for storing active IPs, 5 minute timeout
        stick-table type ip size 30 expire 5m store gpc0
        #populate the table with the X-Forwarded-For header
        stick store-request hdr(X-Forwarded-For)
        #allow new users if we have more than 1 available slot in the stick table
        acl allowed table_avl(nocache) gt 1
        #if not allowed above, go away
        block unless allowed

but it looks for "available slots in stick-table".. I'd like to simply block if the ip already has more than 2 connections..

I figured I could use src_conn_cnt.. but I need it to use the ip in X-Forwarded-For..

How can I do that?

Thank you in advance

--
Regards,
Klavs Klavsen, GSEC - k...@vsen.dk - http://www.vsen.dk - Tlf. 61281200

"Those who do not understand Unix are condemned to reinvent it, poorly."
--Henry Spencer