Hi,
Thanks for your reply.
What is the 'signature' that is unique in the logs for this kind of block?
I have HTTP logs enabled; for the "Session state at disconnection" part of
the log would I be looking for a first letter of P or R for clients blocked
by these filters? (and is it possible to distinguish clients blocked
because of these ACLs from other reasons for a "P" or "R"?)
I am using a command like this:
[root@frontend2 ~]# tail -f /var/log/haproxy.log | awk -F' ' '{ if ($15 ~ /^P/) print $0 }'
Nov 10 16:17:26 localhost haproxy[11102]: 64.41.0.39:4192 [10/Nov/2011:16:17:26.788] main webservers/ -1/-1/-1/-1/15 -1 0 - - PRNN 7694/7694/119/0/30 0/0 "GET /images/face_05.gif HTTP/1.1"
But in this particular case the problem is (from my reading) that the
client failed to send a complete request, not an ACL.
As for a stick table to store the PHPSESSID and block, am I on the
right track with a config like this?
backend x
    # one table per backend, keyed by the PHPSESSID value; it stores the
    # 60s connection rate and the gpc0 flag used to mark abusers
    stick-table type string len 40 size 500k expire 10m store conn_rate(60s),gpc0
    # track counter set 1 on the cookie value ("stick store-request" is for
    # persistence, not counting; req.cook is the 1.5+ name of the cookie fetch)
    tcp-request content track-sc1 req.cook(PHPSESSID)
    acl cookie_conn_rate_abuse sc1_conn_rate gt 300
    acl mark_as_abuser sc1_inc_gpc0 gt 0
    tcp-request content reject if cookie_conn_rate_abuse mark_as_abuser
Many thanks,
Alex
On Thu, Nov 10, 2011 at 12:56 PM, Baptiste wrote:
> On Thu, Nov 10, 2011 at 12:48 PM, Alex Davies wrote:
> > Hi,
> > I am interested in rate limiting connections from users to stop small DOS
> > 'attacks' from individual users.
> > I see the excellent post at http://blog.serverfault.com/post/1016491873/ and
> > have followed this in a test environment.
> > I have the following questions:
> > * What is the best way to monitor the # of connections that are being
> > rejected as a result of this from the log? The socat example in that post
> > seems - to me - to show the number of IPs in the relevant tables as opposed
> > to the number of connections that are being rejected. Is it possible also to
> > know which 'reject' the request is blocked by (from the example post there
> > are 2)?
> > * Is it possible to 'hash' on a specific cookie value (I'm thinking
> > PHPSESSID) as well as IP, i.e. if connections for any given PHPSESSID value
> > reach x per minute, block?
> > Many thanks,
> > Alex
> > --
> > Alex Davies
> >
>
> Hi,
>
> You can know the number of rejected requests through the logs.
>
> You can use a str stick table and store the PHPSESSID in it.
>
> And you can capture the cookie value in the logs as well to know how
> many requests have been rejected.
>
> cheers
>
--
Alex Davies
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the sender immediately by e-mail and delete this e-mail permanently.
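As an added example (not from this thread and not HAProxy's own code), a small Python parser for the HTTP log line format quoted above: it counts lines by the two-letter session-state code and, for lines whose state begins with the prefix being filtered on (the awk command's "P" filter, narrowed here to "PR"), by the captured request cookie, which is the log-capture approach Baptiste suggests. The sample log lines are constructed; the server name <NOSRV>, the PHPSESSID values and the assumption that no request headers are captured are mine.

```python
import re
from collections import Counter

# Regex for the HAProxy HTTP log line format quoted in this thread (syslog
# prefix, then the standard httplog fields). Assumes no captured headers
# ({...} blocks); a "capture cookie PHPSESSID len 32" value is the req_cookie.
LOG_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) haproxy\[(?P<pid>\d+)\]: '
    r'(?P<client>\S+) \[(?P<accept>[^\]]+)\] (?P<frontend>\S+) '
    r'(?P<backend>[^/ ]+)/(?P<server>\S+) (?P<timers>(?:-?\d+/){4}-?\d+) '
    r'(?P<status>-?\d+) (?P<bytes>\d+) (?P<req_cookie>\S+) (?P<resp_cookie>\S+) '
    r'(?P<term>\S+) (?P<conns>\S+) (?P<queues>\S+) "(?P<request>[^"]*)"$'
)

# Constructed sample lines (not real traffic): two requests with the same
# PHPSESSID rejected by the proxy during the request phase (PR), one served
# normally (----), and one client timeout while sending the request (cR).
SAMPLE_LOG = """\
Nov 10 16:17:26 localhost haproxy[11102]: 64.41.0.39:4192 [10/Nov/2011:16:17:26.788] main webservers/<NOSRV> -1/-1/-1/-1/15 -1 0 PHPSESSID=abc123 - PR-- 7694/7694/119/0/0 0/0 "GET /images/face_05.gif HTTP/1.1"
Nov 10 16:17:27 localhost haproxy[11102]: 64.41.0.39:4193 [10/Nov/2011:16:17:27.001] main webservers/<NOSRV> -1/-1/-1/-1/12 -1 0 PHPSESSID=abc123 - PR-- 7695/7695/119/0/0 0/0 "GET /index.php HTTP/1.1"
Nov 10 16:17:27 localhost haproxy[11102]: 10.0.0.5:51234 [10/Nov/2011:16:17:27.120] main webservers/web1 3/0/1/20/24 200 1532 PHPSESSID=def456 - ---- 7690/7690/118/3/0 0/0 "GET /index.php HTTP/1.1"
Nov 10 16:17:30 localhost haproxy[11102]: 10.0.0.6:40001 [10/Nov/2011:16:17:20.500] main webservers/<NOSRV> -1/-1/-1/-1/10002 408 0 - - cR-- 7690/7690/118/0/0 0/0 "<BADREQ>"
"""

def parse_line(line):
    """Return the named fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def summarize(lines, prefix="PR"):
    """Count lines by two-letter session state, and lines whose state starts
    with `prefix` by captured request cookie. Returns (total, by_state, by_cookie)."""
    by_state, by_cookie = Counter(), Counter()
    total = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:          # unparsable or non-HTTP line: skip, do not guess
            continue
        by_state[rec["term"][:2]] += 1
        if rec["term"].startswith(prefix):
            total += 1
            by_cookie[rec["req_cookie"]] += 1
    return total, by_state, by_cookie

if __name__ == "__main__":
    total, by_state, by_cookie = summarize(SAMPLE_LOG.splitlines())
    print(f"{total} lines with state PR*; by state: {dict(by_state)}")
    print("PR* lines per captured cookie:", dict(by_cookie))
```

Pointing the script at the real file (or at a `tail -f` pipe) gives the count of proxy-side rejects per session rather than the per-IP table entries the socat query shows.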