Re: Rate limit by IP based on all the current IPs from a network range

2017-02-02 Thread Jarno Huuskonen
Hi,

On Thu, Feb 02, Ricardo Fraile wrote:
> Taking as starting point the following rate limit sticky table, in which
> the requests are tracked by the "X-Client-IP" header and have an acl to
> limit if there are more than 250 in 1 second:
> 
> stick-table type ip size 1m expire 1h store gpc0,http_req_rate(1s)
> http-request track-sc0 req.hdr_ip(X-Client-IP,1)
> 
> acl rule_average sc0_http_req_rate gt 250
> 
> http-request deny if rule_average
> 
> With this configuration, a user is blocked if they have more than 250 requests
> in a second. For example, at the same time, 192.168.1.1 can have 250
> requests and 192.168.1.2 another 250 requests.
> 
> But is it possible to apply this limit behaviour taking into account the
> subnet? For example, if the load balancer receives more than 250 requests
> from 192.168.1.0/24, limit each particular IP: for example, at the
> same time, 192.168.1.1 can have 100 and 192.168.1.2 the other 150, but
> not more than 250 together.

ipmask (https://cbonte.github.io/haproxy-dconv/1.7/configuration.html#7.3.1-ipmask)
might work.

So something like:
http-request track-sc0 req.hdr_ip(X-Client-IP,1),ipmask(24)

-Jarno

-- 
Jarno Huuskonen
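To show how the ipmask(24) suggestion fits into the original configuration, here is a complete frontend that tracks the same X-Client-IP key twice: once masked to its /24 so that all hosts in the network share one http_req_rate counter (the shared budget Ricardo asked for), and once unmasked so that a single host can still be capped on its own. This is an added example, not configuration from the thread or from HAProxy's own documentation. The second table is declared in a dummy backend (st_per_ip) because a proxy can hold only one stick-table; the per-host limit of 150, the table sizes, the server address and the proxy names are constructed values. It also assumes X-Client-IP is set by a trusted upstream proxy; if clients reach HAProxy directly, the header is under their control and "src" should be used as the key instead.

```haproxy
# Added example: per-/24 shared budget plus an optional per-host ceiling.
# Assumes a trusted upstream sets X-Client-IP (otherwise key on "src").

frontend fe_web
    bind *:80
    mode http

    # One entry per /24 network: ipmask(24) zeroes the host bits of the
    # key before lookup/storage, so 192.168.1.1 and 192.168.1.2 both land
    # on the 192.168.1.0 entry and increment the same http_req_rate(1s).
    stick-table type ip size 100k expire 1h store http_req_rate(1s)
    http-request track-sc0 req.hdr_ip(X-Client-IP,1),ipmask(24)

    # Unmasked key in a second table (held by the dummy backend below) so
    # an individual host can be limited inside the subnet budget.
    http-request track-sc1 req.hdr_ip(X-Client-IP,1) table st_per_ip

    # Shared budget: more than 250 req/s from the whole /24 blocks every
    # host in it (100 + 150 is still allowed, 200 + 100 is not).
    acl subnet_over_limit sc0_http_req_rate gt 250
    # Per-host ceiling (constructed value, tune to taste).
    acl host_over_limit   sc1_http_req_rate gt 150

    http-request deny if subnet_over_limit or host_over_limit
    default_backend be_app

# Dummy backend whose only purpose is to hold the per-host stick-table.
backend st_per_ip
    stick-table type ip size 1m expire 1h store http_req_rate(1s)

backend be_app
    server app1 127.0.0.1:8080
```

Because the track-sc rules run before the deny rule, denied requests are still counted, so a flooding /24 keeps its counter above the threshold for as long as the flood lasts rather than being let back in after a single quiet second. The entries can be inspected with "show table fe_web" and "show table st_per_ip" on the stats socket to confirm that the first table contains network addresses (host bits zero) and the second one individual hosts.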



Rate limit by IP based on all the current IPs from a network range

2017-02-02 Thread Ricardo Fraile
Hello,
Taking as starting point the following rate limit sticky table, in which
the requests are tracked by the "X-Client-IP" header and have an acl to
limit if there are more than 250 in 1 second:
stick-table type ip size 1m expire 1h store gpc0,http_req_rate(1s)
http-request track-sc0 req.hdr_ip(X-Client-IP,1)

acl rule_average sc0_http_req_rate gt 250

http-request deny if rule_average
With this configuration, a user is blocked if they have more than 250 requests
in a second. For example, at the same time, 192.168.1.1 can have 250
requests and 192.168.1.2 another 250 requests.

But is it possible to apply this limit behaviour taking into account the
subnet? For example, if the load balancer receives more than 250 requests
from 192.168.1.0/24, limit each particular IP: for example, at the
same time, 192.168.1.1 can have 100 and 192.168.1.2 the other 150, but
not more than 250 together.
Thanks,