rate-limiting - per src per path
Hi,

Is it possible to rate-limit requests per-path-per-src? Sticky-table can be type IP or type String. tcp-request can be either connection or content. I am not an expert and hence the doubt. There are examples on the web, but they do not explain whether both src and path can be checked for rate-limiting.

Below is a description of the need in raw words:

15:44:08 ‹Leo› Client might do anything, like open a page, check some data.. Those actions are fine
15:44:35 ‹Leo› But we have API
15:45:18 ‹Leo› this API url will return latest data like latest price
15:45:47 ‹Leo› or some API will submit an order
15:46:35 ‹Leo› those actions will take many resources. So we have to limit it
15:47:14 ‹Leo› like you can't get latest price more than 10 times each second
15:47:50 ‹Leo› like you can't submit an order more than 5 times each second
15:48:48 ‹Leo› but we can't limit people opening pages
15:48:57 ‹Leo› or doing other stuff

Regards,
Long Wu Yuan 龙 武 缘
Sr. Linux Engineer, ChinaNetCloud
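
One way to express the limits described in the message above, as an added example that is not part of the original thread and not taken from the HAProxy project. It assumes an HAProxy release whose http-request rules support track-sc0; the proxy names, the bind and server addresses and the /api/price and /api/order paths are hypothetical.

```haproxy
frontend fe_web                       # hypothetical name
    mode http
    bind :80

    # base32+src is a 32-bit hash of Host + path followed by the client
    # address (IPv4 or IPv6), so the key is binary and up to 20 bytes long.
    # Each (URL, source address) pair gets its own request-rate counter.
    stick-table type binary len 20 size 200k expire 30s store http_req_rate(1s)

    # Only the expensive API calls are limited (hypothetical paths).
    acl api_price path_beg /api/price
    acl api_order path_beg /api/order

    # Page views and every other request are never tracked, so they can
    # never be denied by the rules below.
    http-request track-sc0 base32+src if api_price or api_order

    # More than 10 price lookups per second from one source: reject.
    http-request deny deny_status 429 if api_price { sc_http_req_rate(0) gt 10 }
    # More than 5 order submissions per second from one source: reject.
    http-request deny deny_status 429 if api_order { sc_http_req_rate(0) gt 5 }

    default_backend be_app

backend be_app                        # hypothetical name
    mode http
    server app1 192.0.2.10:8080       # documentation address (RFC 5737)
```

Because the hash covers the full path, two different URLs under the same prefix are counted separately; clients behind a shared NAT address share one counter per URL.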
Re: using environment variable in headers
On 06/01/2015 08:42 PM, Cyril Bonté wrote:
> Hi Pavlos,
>
> On 06/01/2015 20:17, Pavlos Parissis wrote:
>> Hi,
>>
>> According to the docs I can have the following snippet
>>
>>     http-request add-header Nodename %[env(HOSTNAME)]
>>
>> to set the hostname as the value on a header. But, it doesn't work.
>> A network trace and Nginx logs show no value.
>
> Please ensure that you exported the environment variable first, to make
> it available to the process.

Oh boy, I am an idiot :-(

Thanks a lot Cyril,
Pavlos
Send client to a specific backend if header found in previous reply from server
Hello,

This is a followup to my post and Baptiste's answer on 20141120. Unfortunately, I couldn't get this to work.

I am trying to achieve the following: when a response from the application server contains a header named X-test, send the following requests from the client IP to another backend. The goal is to send clients who abuse the servers to a slower queue.

Here is my current config:

In the frontend:

    stick-table type ip size 50k expire 5m store gpc0
    tcp-request content track-sc2 src
    #use_backend slow if { sc2_get_gpc0 gt 0 }

In the backend:

    acl mark_as_CPUusage sc2_inc_gpc0 gt 0
    acl unmark_as_CPUusage sc2_clr_gpc0 gt 0
    tcp-response content accept if { res.hdr(X-test) -m found } mark_as_CPUusage
    #tcp-response content accept if ! { res.hdr(X-test) -m found } unmark_as_CPUusage

I used capture response header to confirm that the application server sends the X-test header for some clients. By querying the stats through unix socket commands, I get gpc0=0 for every client IP, so this doesn't seem to work.

Any idea about what I'm missing?

Sylvain.
rspitarpit ?
We're getting some congestion from blind-shooting (or maybe just stupid-shooting) scrapers who make (mostly bad) requests, with occasional successes. We'd like to tarpit unsuccessful responses.

Any experience on how to accomplish that? (A rspitarpit directive would be awesome.)

Kudos on an awesome tool,
...jfree
Stick table and http headers
Hi,

Does this seem right?

    acl HAS_CF_CONNECTING_IP hdr_cnt(CF-Connecting-IP) eq 1
    acl HAS_X_FORWARDED_FOR hdr_cnt(x-forwarded-for) eq 1
    tcp-request content track-sc0 hdr_ip(CF-Connecting-IP,-1) if HTTP HAS_CF_CONNECTING_IP
    tcp-request content track-sc0 hdr_ip(x-forwarded-for,-1) if HTTP !HAS_CF_CONNECTING_IP HAS_X_FORWARDED_FOR

So use CF-Connecting-IP if present, X-Forwarded-For else.

Thanks,
Mathias
errorloc[303] with variables
Hi,

Looking at the source it seems implied there may be a way to set the errorloc or errorloc303 destination string to include variables known to HAProxy, rather than a static string. In much the same way that one could set an HTTP request header using certain variables like so:

    http-request set-header X-DEBUG-HOST %host

I would like to use the %host value in errorloc:

    errorloc303 503 http://example.com/error?host=%host

In src/proto_http.c there is a check within http_parse_redirect_rule() for use_fmt that mentions using log-formatted redirect strings, but I don't see any mention of this behavior in the manual or example. Is this expected to work, or is this a feature that's been either abandoned or not yet implemented?

Many thanks,
-=Mark