I sniffed the traffic on haproxy and the requests look fine:
GET /php-sleep.php?43 HTTP/1.1
User-Agent: curl/7.35.0
Host: kms.example.org
Accept: */*
X-Forwarded-For: 123.149.124.91
HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html; charset=UTF-8
Content-Length: 34
Accept-Ranges: bytes
Hi Baptiste,
Thank you very much for your help.
Unfortunately it didn't work.. I tried this:
frontend kms-ds-nocache
bind x.x.x.x:80
mode http
balance roundrobin
default_backend kms-ds-backend
option httplog
option accept-invalid-http-request
stick-table type ip size 100k
Hi Klavs,
Please give a try to the configuration below:
frontend nocache
mode http
..
option httplog
option accept-invalid-http-request
stick-table type ip size 100k expire 30s store conn_cur
tcp-request inspect-delay 5s
tcp-request content accept if HTTP
tcp-request content
Back from Easter vacation :)
Baptiste wrote on 03/25/2015 10:30 AM:
Hi,
some useful examples can be taken from this blog post:
http://blog.haproxy.com/2012/02/27/use-a-load-balancer-as-a-first-row-of-defense-against-ddos/
Just replace src by hdr(X-Forwarded-For).
Tried:
frontend nocache
Hi,
some useful examples can be taken from this blog post:
http://blog.haproxy.com/2012/02/27/use-a-load-balancer-as-a-first-row-of-defense-against-ddos/
Just replace src by hdr(X-Forwarded-For).
Baptiste
On Tue, Mar 24, 2015 at 5:58 PM, Jarno Huuskonen jarno.huusko...@uef.fi wrote:
Hi,
Can I perhaps do something like:
tcp-request content track-sc2 hdr(X-Forwarded-For)
acl conn_limit_hit sc2_conn_cur gt 2
?
Klavs Klavsen wrote on 03/24/2015 01:11 PM:
Hi,
We would like to limit how many connections a given IP can send to our
backend.
Our setup is like this:
haproxy -
Hi,
On Tue, Mar 24, Klavs Klavsen wrote:
#create a stick-table of 30 IPs for storing active IPs, 5 minute timeout
stick-table type ip size 30 expire 5m store gpc0
#populate the table with the X-Forwarded-For header
stick store-request hdr(X-Forwarded-For)
You've created type ip stick table,
hmm. it says:
: 'stick' ignored because frontend 'nocache' has no backend capability.
it seems it has to be on the backend..
When set on the backend, I get an entry in the list:
# table: kk.dk-ds-backend, type: ip, size:1024, used:1
0x14b25c8: key=10.27.174.10 use=0 exp=296637 server_id=0
I tried
acl allowed sc2_conn_cur lt 2
block unless allowed
it blocked every access :(
Klavs Klavsen wrote on 03/24/2015 01:19 PM:
Can I perhaps do something like:
tcp-request content track-sc2 hdr(X-Forwarded-For)
acl conn_limit_hit sc2_conn_cur gt 2
?
Klavs Klavsen wrote on 03/24/2015
Tried converting it to type: string.. but it's always empty :(
# table: nocache, type: string, size:1024, used:0
# table: nocache, type: ip, size:30, used:0
The frontend config is:
mode http
acl allowed sc2_conn_cur lt 2
balance roundrobin
default_backend ds-backend
option httplog
Hi,
We would like to limit how many connections a given IP can send to our
backend.
Our setup is like this:
haproxy - varnish - haproxy - webservers
and we'd like to have the frontend behind varnish (we call it nocache :)
limit concurrent connections any IP can have.. (to 1 or 2 is the
Thanks, I sent request previously to you but I have done it.
Ha.
- Original Message -
From: Klavs Klavsen k...@vsen.dk
To: Mark S. mark.staudin...@nyi.net, haproxy@formilux.org
Sent: Tuesday, March 24, 2015 10:56:03 AM
Subject: Re: limiting conn-curs per-ip using x-forwarded
Thanks, I sent request previously to you but I have done it.
Ha.
- Original Message -
From: Jarno Huuskonen jarno.huusko...@uef.fi
To: Klavs Klavsen k...@vsen.dk
Cc: haproxy@formilux.org
Sent: Tuesday, March 24, 2015 9:23:04 AM
Subject: Re: limiting conn-curs per-ip using x
Thanks, I sent request previously to you but I have done it.
Ha.
- Original Message -
From: Jarno Huuskonen jarno.huusko...@uef.fi
To: Klavs Klavsen k...@vsen.dk
Cc: haproxy@formilux.org
Sent: Tuesday, March 24, 2015 12:58:21 PM
Subject: Re: limiting conn-curs per-ip using x
Mark S. wrote on 03/24/2015 03:36 PM:
Hi Klavs,
Try using this in the backend section for the track-sc2 statement to use
the previous instance of the Forwarded-For header.
I have a version of this working in a similar fashion, but I am using a
stick-table type binary instead of string - it