Re: tcp-request content track-sc2 with if statement doesn't work?

2014-09-07 Thread Baptiste
On Sat, Sep 6, 2014 at 9:16 PM, PiBa-NL piba.nl@gmail.com wrote:
 Hi list,

 Inspired by a blog about wordpress bruteforce protection [0] , i'm trying to
 use this same kind of method in a frontend/backend configuration.
 I did change the method from POST to GET, for easier testing, but that
 doesn't matter for retrieving the gpc counter, does it?

 So i was trying to use this:
 tcp-request content track-sc1  base32+src  if METH_GET login

 It however doesn't seem to work using HAProxy 1.5.3, the acl containing
 sc1_get_gpc0 gt 0 never seems to get the correct gpc0 value, even though i
 have examined the stick-table and the gpc0 value there is increasing.
 If i change it to the following it starts working:
 tcp-request content track-sc1  base32+src

 Even though the use_backend in both cases checks those first criteria:
 acl flagged_as_abusersc1_get_gpc0 gt 0
 use_backendpb3_453_http if METH_GET wp_login flagged_as_abuser

 Am i doing something wrong, is the blog outdated, or was a bug introduced
 somewhere?

 If more information perhaps -vv or full config is needed let me know,
 thanks for any reply.

 p.s. did anyone get my other emails a while back? [1]

 Kind regards,
 PiBa-NL

 [0]
 http://blog.haproxy.com/2013/04/26/wordpress-cms-brute-force-protection-with-haproxy/
 [1] http://marc.info/?l=haproxym=140821298806125w=2



Hi,

Plese let us know if you have  the following configuration lines (or
equivalent), before your tracking rule:
  tcp-request inspect-delay 10s
  tcp-request accept if HTTP

Baptiste



Re: tcp-request content track-sc2 with if statement doesn't work?

2014-09-07 Thread PiBa-NL

Hi Baptiste,

Thanks that fixes my issue indeed with the following:
  tcp-request inspect-delay 10s
  tcp-request content track-sc1  base32+src  if METH_GET wp_login
  tcp-request content accept if HTTP

I didn't think about inspect-delay because both frontend and backend are 
using 'mode http', and i only used to use inspect-delay with frontends 
using tcp mode. Though maybe the 'tcp-request' should have given my that 
hint. The 'accept' must be below the 'track-sc1' to make it work.


Could you perhaps also add this to the blog article, or should i post a 
comment under it for other people to not fall into the same mistake?


Thanks,
PiBa-NL

Baptiste schreef op 7-9-2014 11:38:

On Sat, Sep 6, 2014 at 9:16 PM, PiBa-NL piba.nl@gmail.com wrote:

Hi list,

Inspired by a blog about wordpress bruteforce protection [0] , i'm trying to
use this same kind of method in a frontend/backend configuration.
I did change the method from POST to GET, for easier testing, but that
doesn't matter for retrieving the gpc counter, does it?

So i was trying to use this:
tcp-request content track-sc1  base32+src  if METH_GET login

It however doesn't seem to work using HAProxy 1.5.3, the acl containing
sc1_get_gpc0 gt 0 never seems to get the correct gpc0 value, even though i
have examined the stick-table and the gpc0 value there is increasing.
If i change it to the following it starts working:
tcp-request content track-sc1  base32+src

Even though the use_backend in both cases checks those first criteria:
acl flagged_as_abusersc1_get_gpc0 gt 0
use_backendpb3_453_http if METH_GET wp_login flagged_as_abuser

Am i doing something wrong, is the blog outdated, or was a bug introduced
somewhere?

If more information perhaps -vv or full config is needed let me know,
thanks for any reply.

p.s. did anyone get my other emails a while back? [1]

Kind regards,
PiBa-NL

[0]
http://blog.haproxy.com/2013/04/26/wordpress-cms-brute-force-protection-with-haproxy/
[1] http://marc.info/?l=haproxym=140821298806125w=2



Hi,

Plese let us know if you have  the following configuration lines (or
equivalent), before your tracking rule:
   tcp-request inspect-delay 10s
   tcp-request accept if HTTP

Baptiste





Re: tcp-request content track-sc2 with if statement doesn't work?

2014-09-07 Thread Baptiste
On Sun, Sep 7, 2014 at 2:55 PM, PiBa-NL piba.nl@gmail.com wrote:
 Hi Baptiste,

 Thanks that fixes my issue indeed with the following:
   tcp-request inspect-delay 10s
   tcp-request content track-sc1  base32+src  if METH_GET wp_login
   tcp-request content accept if HTTP

 I didn't think about inspect-delay because both frontend and backend are
 using 'mode http', and i only used to use inspect-delay with frontends using
 tcp mode. Though maybe the 'tcp-request' should have given my that hint. The
 'accept' must be below the 'track-sc1' to make it work.

 Could you perhaps also add this to the blog article, or should i post a
 comment under it for other people to not fall into the same mistake?

 Thanks,
 PiBa-NL

 Baptiste schreef op 7-9-2014 11:38:

 On Sat, Sep 6, 2014 at 9:16 PM, PiBa-NL piba.nl@gmail.com wrote:

 Hi list,

 Inspired by a blog about wordpress bruteforce protection [0] , i'm trying
 to
 use this same kind of method in a frontend/backend configuration.
 I did change the method from POST to GET, for easier testing, but that
 doesn't matter for retrieving the gpc counter, does it?

 So i was trying to use this:
 tcp-request content track-sc1  base32+src  if METH_GET login

 It however doesn't seem to work using HAProxy 1.5.3, the acl containing
 sc1_get_gpc0 gt 0 never seems to get the correct gpc0 value, even
 though i
 have examined the stick-table and the gpc0 value there is increasing.
 If i change it to the following it starts working:
 tcp-request content track-sc1  base32+src

 Even though the use_backend in both cases checks those first criteria:
 acl flagged_as_abusersc1_get_gpc0 gt 0
 use_backendpb3_453_http if METH_GET wp_login
 flagged_as_abuser

 Am i doing something wrong, is the blog outdated, or was a bug introduced
 somewhere?

 If more information perhaps -vv or full config is needed let me know,
 thanks for any reply.

 p.s. did anyone get my other emails a while back? [1]

 Kind regards,
 PiBa-NL

 [0]

 http://blog.haproxy.com/2013/04/26/wordpress-cms-brute-force-protection-with-haproxy/
 [1] http://marc.info/?l=haproxym=140821298806125w=2


 Hi,

 Plese let us know if you have  the following configuration lines (or
 equivalent), before your tracking rule:
tcp-request inspect-delay 10s
tcp-request accept if HTTP

 Baptiste



Hi,

Article updated.

Baptiste



Re: tcp-request content track-sc2 with if statement doesn't work?

2014-09-07 Thread PiBa-NL

Baptiste schreef op 7-9-2014 17:13:

On Sun, Sep 7, 2014 at 2:55 PM, PiBa-NL piba.nl@gmail.com wrote:

Hi Baptiste,

Thanks that fixes my issue indeed with the following:
   tcp-request inspect-delay 10s
   tcp-request content track-sc1  base32+src  if METH_GET wp_login
   tcp-request content accept if HTTP

I didn't think about inspect-delay because both frontend and backend are
using 'mode http', and i only used to use inspect-delay with frontends using
tcp mode. Though maybe the 'tcp-request' should have given my that hint. The
'accept' must be below the 'track-sc1' to make it work.

Could you perhaps also add this to the blog article, or should i post a
comment under it for other people to not fall into the same mistake?

Thanks,
PiBa-NL

Baptiste schreef op 7-9-2014 11:38:


On Sat, Sep 6, 2014 at 9:16 PM, PiBa-NL piba.nl@gmail.com wrote:

Hi list,

Inspired by a blog about wordpress bruteforce protection [0] , i'm trying
to
use this same kind of method in a frontend/backend configuration.
I did change the method from POST to GET, for easier testing, but that
doesn't matter for retrieving the gpc counter, does it?

So i was trying to use this:
tcp-request content track-sc1  base32+src  if METH_GET login

It however doesn't seem to work using HAProxy 1.5.3, the acl containing
sc1_get_gpc0 gt 0 never seems to get the correct gpc0 value, even
though i
have examined the stick-table and the gpc0 value there is increasing.
If i change it to the following it starts working:
tcp-request content track-sc1  base32+src

Even though the use_backend in both cases checks those first criteria:
acl flagged_as_abusersc1_get_gpc0 gt 0
use_backendpb3_453_http if METH_GET wp_login
flagged_as_abuser

Am i doing something wrong, is the blog outdated, or was a bug introduced
somewhere?

If more information perhaps -vv or full config is needed let me know,
thanks for any reply.

p.s. did anyone get my other emails a while back? [1]

Kind regards,
PiBa-NL

[0]

http://blog.haproxy.com/2013/04/26/wordpress-cms-brute-force-protection-with-haproxy/
[1] http://marc.info/?l=haproxym=140821298806125w=2


Hi,

Plese let us know if you have  the following configuration lines (or
equivalent), before your tracking rule:
tcp-request inspect-delay 10s
tcp-request accept if HTTP

Baptiste



Hi,

Article updated.

Baptiste

Hi Baptiste,

Thanks, however there are now 2 issues with that.
- The 'accept' must be below the 'track-sc1' to make it work. (at least 
in my tests..)
- Syntax error missing 'content' keyword in: tcp-request content accept 
if HTTP


In the backend i didn't seem to need the inspect-delay, probably because 
the frontend has already filled buffers because it is in 'http' mode.


Thanks,
PiBa-NL