Re: tcp-request content track-sc2 with if statement doesn't work?
On Sat, Sep 6, 2014 at 9:16 PM, PiBa-NL piba.nl@gmail.com wrote: Hi list, Inspired by a blog about wordpress bruteforce protection [0] , i'm trying to use this same kind of method in a frontend/backend configuration. I did change the method from POST to GET, for easier testing, but that doesn't matter for retrieving the gpc counter, does it? So i was trying to use this: tcp-request content track-sc1 base32+src if METH_GET login It however doesn't seem to work using HAProxy 1.5.3, the acl containing sc1_get_gpc0 gt 0 never seems to get the correct gpc0 value, even though i have examined the stick-table and the gpc0 value there is increasing. If i change it to the following it starts working: tcp-request content track-sc1 base32+src Even though the use_backend in both cases checks those first criteria: acl flagged_as_abusersc1_get_gpc0 gt 0 use_backendpb3_453_http if METH_GET wp_login flagged_as_abuser Am i doing something wrong, is the blog outdated, or was a bug introduced somewhere? If more information perhaps -vv or full config is needed let me know, thanks for any reply. p.s. did anyone get my other emails a while back? [1] Kind regards, PiBa-NL [0] http://blog.haproxy.com/2013/04/26/wordpress-cms-brute-force-protection-with-haproxy/ [1] http://marc.info/?l=haproxym=140821298806125w=2 Hi, Plese let us know if you have the following configuration lines (or equivalent), before your tracking rule: tcp-request inspect-delay 10s tcp-request accept if HTTP Baptiste
Re: tcp-request content track-sc2 with if statement doesn't work?
On Sun, Sep 7, 2014 at 2:55 PM, PiBa-NL piba.nl@gmail.com wrote: Hi Baptiste, Thanks that fixes my issue indeed with the following: tcp-request inspect-delay 10s tcp-request content track-sc1 base32+src if METH_GET wp_login tcp-request content accept if HTTP I didn't think about inspect-delay because both frontend and backend are using 'mode http', and i only used to use inspect-delay with frontends using tcp mode. Though maybe the 'tcp-request' should have given my that hint. The 'accept' must be below the 'track-sc1' to make it work. Could you perhaps also add this to the blog article, or should i post a comment under it for other people to not fall into the same mistake? Thanks, PiBa-NL Baptiste schreef op 7-9-2014 11:38: On Sat, Sep 6, 2014 at 9:16 PM, PiBa-NL piba.nl@gmail.com wrote: Hi list, Inspired by a blog about wordpress bruteforce protection [0] , i'm trying to use this same kind of method in a frontend/backend configuration. I did change the method from POST to GET, for easier testing, but that doesn't matter for retrieving the gpc counter, does it? So i was trying to use this: tcp-request content track-sc1 base32+src if METH_GET login It however doesn't seem to work using HAProxy 1.5.3, the acl containing sc1_get_gpc0 gt 0 never seems to get the correct gpc0 value, even though i have examined the stick-table and the gpc0 value there is increasing. If i change it to the following it starts working: tcp-request content track-sc1 base32+src Even though the use_backend in both cases checks those first criteria: acl flagged_as_abusersc1_get_gpc0 gt 0 use_backendpb3_453_http if METH_GET wp_login flagged_as_abuser Am i doing something wrong, is the blog outdated, or was a bug introduced somewhere? If more information perhaps -vv or full config is needed let me know, thanks for any reply. p.s. did anyone get my other emails a while back? [1] Kind regards, PiBa-NL [0] http://blog.haproxy.com/2013/04/26/wordpress-cms-brute-force-protection-with-haproxy/ [1] http://marc.info/?l=haproxym=140821298806125w=2 Hi, Plese let us know if you have the following configuration lines (or equivalent), before your tracking rule: tcp-request inspect-delay 10s tcp-request accept if HTTP Baptiste Hi, Article updated. Baptiste
Re: tcp-request content track-sc2 with if statement doesn't work?
Baptiste schreef op 7-9-2014 17:13: On Sun, Sep 7, 2014 at 2:55 PM, PiBa-NL piba.nl@gmail.com wrote: Hi Baptiste, Thanks that fixes my issue indeed with the following: tcp-request inspect-delay 10s tcp-request content track-sc1 base32+src if METH_GET wp_login tcp-request content accept if HTTP I didn't think about inspect-delay because both frontend and backend are using 'mode http', and i only used to use inspect-delay with frontends using tcp mode. Though maybe the 'tcp-request' should have given my that hint. The 'accept' must be below the 'track-sc1' to make it work. Could you perhaps also add this to the blog article, or should i post a comment under it for other people to not fall into the same mistake? Thanks, PiBa-NL Baptiste schreef op 7-9-2014 11:38: On Sat, Sep 6, 2014 at 9:16 PM, PiBa-NL piba.nl@gmail.com wrote: Hi list, Inspired by a blog about wordpress bruteforce protection [0] , i'm trying to use this same kind of method in a frontend/backend configuration. I did change the method from POST to GET, for easier testing, but that doesn't matter for retrieving the gpc counter, does it? So i was trying to use this: tcp-request content track-sc1 base32+src if METH_GET login It however doesn't seem to work using HAProxy 1.5.3, the acl containing sc1_get_gpc0 gt 0 never seems to get the correct gpc0 value, even though i have examined the stick-table and the gpc0 value there is increasing. If i change it to the following it starts working: tcp-request content track-sc1 base32+src Even though the use_backend in both cases checks those first criteria: acl flagged_as_abusersc1_get_gpc0 gt 0 use_backendpb3_453_http if METH_GET wp_login flagged_as_abuser Am i doing something wrong, is the blog outdated, or was a bug introduced somewhere? If more information perhaps -vv or full config is needed let me know, thanks for any reply. p.s. did anyone get my other emails a while back? [1] Kind regards, PiBa-NL [0] http://blog.haproxy.com/2013/04/26/wordpress-cms-brute-force-protection-with-haproxy/ [1] http://marc.info/?l=haproxym=140821298806125w=2 Hi, Plese let us know if you have the following configuration lines (or equivalent), before your tracking rule: tcp-request inspect-delay 10s tcp-request accept if HTTP Baptiste Hi, Article updated. Baptiste Hi Baptiste, Thanks, however there are now 2 issues with that. - The 'accept' must be below the 'track-sc1' to make it work. (at least in my tests..) - Syntax error missing 'content' keyword in: tcp-request content accept if HTTP In the backend i didn't seem to need the inspect-delay, probably because the frontend has already filled buffers because it is in 'http' mode. Thanks, PiBa-NL
tcp-request content track-sc2 with if statement doesn't work?
Hi list, Inspired by a blog about wordpress bruteforce protection [0] , i'm trying to use this same kind of method in a frontend/backend configuration. I did change the method from POST to GET, for easier testing, but that doesn't matter for retrieving the gpc counter, does it? So i was trying to use this: tcp-request content track-sc1 base32+src if METH_GET login It however doesn't seem to work using HAProxy 1.5.3, the acl containing sc1_get_gpc0 gt 0 never seems to get the correct gpc0 value, even though i have examined the stick-table and the gpc0 value there is increasing. If i change it to the following it starts working: tcp-request content track-sc1 base32+src Even though the use_backend in both cases checks those first criteria: acl flagged_as_abusersc1_get_gpc0 gt 0 use_backendpb3_453_http if METH_GET wp_login flagged_as_abuser Am i doing something wrong, is the blog outdated, or was a bug introduced somewhere? If more information perhaps -vv or full config is needed let me know, thanks for any reply. p.s. did anyone get my other emails a while back? [1] Kind regards, PiBa-NL [0] http://blog.haproxy.com/2013/04/26/wordpress-cms-brute-force-protection-with-haproxy/ [1] http://marc.info/?l=haproxym=140821298806125w=2