rate-limiting - per src per path

2015-01-07 Thread Yuan Long
Hi,

Is it possible to rate-limit requests per-path-per-src?

Sticky-table can be type IP or type String.
tcp-request can be either connection or content.
I am not an expert and hence the doubt.
There are examples on the web but not explained if both src and path can be
checked for rate-limiting.

Below is a description of the need in raw words:

15:44:08 ‹Leo› Client might do anything, like open a page, check some data.. Those actions are fine
15:44:35 ‹Leo› But we have API
15:45:18 ‹Leo› this API url will return latest data like latest price
15:45:47 ‹Leo› or some API will submit an order
15:46:35 ‹Leo› those actions will take many resources. So we have to limit it
15:47:14 ‹Leo› like you can't get latest price more than 10 times each second
15:47:50 ‹Leo› like you can't submit an order more than 5 times each second
15:48:48 ‹Leo› but we can't limit people open page
15:48:57 ‹Leo› or doing other stuff



Regards,

Long Wu Yuan 龙 武 缘
Sr. Linux Engineer
ChinaNetCloud 云络网络科技(上海)有限公司 | www.ChinaNetCloud.com
1238 Xietu Lu, X2 Space 1-601, Shanghai, China

24x7 Support Hotline: +86-400-618-0024 | Office Tel: +86-(21)-6422-1946
We are hiring! http://careers.chinanetcloud.com  | Customer Portal -
https://customer-portal.service.chinanetcloud.com/
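
One way to express the per-source, per-path limits described in this post, as an added example that is not from the thread or from the HAProxy project: each limited path gets its own `type ip` stick-table keyed on `src`, and a request is tracked in that table only when its path matches. The paths `/api/price` and `/api/order`, the section names, the bind address and the server address are assumptions.

```haproxy
# Added example, not from the thread. Paths, names and addresses are assumed.
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# One table per limited path. The key is the client address, so each
# entry is effectively a (path, src) pair. http_req_rate(1s) counts the
# requests seen from that source over a one-second sliding period.
backend st_price
    stick-table type ip size 100k expire 10s store http_req_rate(1s)

backend st_order
    stick-table type ip size 100k expire 10s store http_req_rate(1s)

frontend fe_web
    bind :80

    acl is_price path_beg /api/price
    acl is_order path_beg /api/order

    # Wait for a complete HTTP request so the path is available, then
    # track the source only in the table that belongs to the matched path.
    tcp-request inspect-delay 5s
    tcp-request content track-sc1 src table st_price if HTTP is_price
    tcp-request content track-sc2 src table st_order if HTTP is_order

    # 10 price lookups and 5 order submissions per second per source.
    http-request deny if is_price { sc1_http_req_rate gt 10 }
    http-request deny if is_order { sc2_http_req_rate gt 5 }

    # Pages and everything else are never tracked, so never limited.
    default_backend be_app

backend be_app
    server app1 192.0.2.10:8080
```

Denied requests still increment the counter, so a client that keeps sending stays blocked until its own rate drops below the threshold.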



Re: using environment variable in headers

2015-01-07 Thread Pavlos Parissis
On 06/01/2015 08:42 PM, Cyril Bonté wrote:
> Hi Pavlos,
>
> On 06/01/2015 20:17, Pavlos Parissis wrote:
>> Hi,
>>
>> According to the docs I can have the following snippet
>>
>> http-request add-header Nodename %[env(HOSTNAME)]
>>
>> to set the hostname as the value on a header. But, it doesn't work. A
>> network trace and Nginx logs show no value.
>
> Please ensure that you exported the environment variable first, to make it
> available to the process.

Oh boy, I am an idiot:-(

Thanks a lot Cyril,
Pavlos





Send client to a specific backend if header found in previous reply from server

2015-01-07 Thread Sylvain Faivre

Hello,

This is a followup to my post and Baptiste's answer on 20141120.
Unfortunately, I couldn't get this to work.

I am trying to achieve the following : when a response from the 
application server contains a header named X-test, send the following 
requests from the client IP to another backend. The goal is to send 
clients who abuse the servers to a slower queue.


Here is my current config :

In the frontend:
stick-table type ip size 50k expire 5m store gpc0
tcp-request content track-sc2 src
#use_backend slow if { sc2_get_gpc0 gt 0 }

In the backend:
acl mark_as_CPUusage sc2_inc_gpc0 gt 0
acl unmark_as_CPUusage sc2_clr_gpc0 gt 0
tcp-response content accept if { res.hdr(X-test) -m found } mark_as_CPUusage
#tcp-response content accept if ! { res.hdr(X-test) -m found } unmark_as_CPUusage



I used capture response header to confirm that the application server 
sends the X-test header for some clients.
By querying the stats through unix socket commands, I get gpc0=0 for 
every client IP, so this doesn't seem to work.


Any idea about what I'm missing ?

Sylvain.




rspitarpit ?

2015-01-07 Thread Jim Freeman
We're getting some congestion from blind-shooting (or maybe just
stupid-shooting) scrapers who make (mostly bad) requests, with
occasional successes.

We'd like to tarpit unsuccessful responses.

Any experience on how to accomplish that ?

( A rspitarpit directive would be awesome )


Kudos on an awesome tool,
...jfree



Stick table and http headers

2015-01-07 Thread Mathias Bogaert
Hi,

Does this seem right?

acl HAS_CF_CONNECTING_IP hdr_cnt(CF-Connecting-IP) eq 1
acl HAS_X_FORWARDED_FOR hdr_cnt(x-forwarded-for) eq 1
tcp-request content track-sc0 hdr_ip(CF-Connecting-IP,-1) if HTTP HAS_CF_CONNECTING_IP
tcp-request content track-sc0 hdr_ip(x-forwarded-for,-1) if HTTP !HAS_CF_CONNECTING_IP HAS_X_FORWARDED_FOR

So use CF-Connecting-IP if present, X-Forwarded-For else.

Thanks,

Mathias


errorloc[303] with variables

2015-01-07 Thread Mark S.

Hi,

Looking at the source it seems implied there may be a way to set the 
errorloc or errorloc303 destination string to include variables known to 
HAProxy, rather than a static string.


In much the same way that one could set an HTTP request header using 
certain variables like so:


http-request set-header X-DEBUG-HOST %host

I would like to use the %host value in errorloc

errorloc303 503 http://example.com/error?host=%host

In src/proto_http.c there is a check within http_parse_redirect_rule() 
for use_fmt that mentions using log-formatted redirect strings, but I 
don't see any mention of this behavior in the manual or example.


Is this expected to work, or is this a feature that's been either 
abandoned or not yet implemented?


Many thanks,
-=Mark