HAProxy rate limiting - ban abuser for 30 minutes
Andy, the trick is to add another backend that you use only for the extra stick table. You can only have one stick table per backend, BUT you can use them in ANY frontend or backend. So I just add one called Abuse that you can then use as a global 60-minute ban for any backend. You will need to change my example, but try something like this:
# ABUSE SECTION works with http mode dependent on src ip
# Drop any source IP that has already been flagged (gpc0 > 0). This runs at
# connection level, before the track rule below, so a banned IP's retries do
# not refresh the entry and extend the ban past the table's expire time.
tcp-request connection reject if { src_get_gpc0(Abuse) gt 0 }
# The http_req_rate/http_err_rate counters only tick for tracked entries, so the
# source must be tracked in Abuse (this line was missing from the original snippet).
tcp-request connection track-sc0 src table Abuse
acl abuse src_http_req_rate(Abuse) ge 10
# src_inc_gpc0 increments the counter and returns its new value, so this ACL is
# always true; it exists only for its side effect and must come last in a condition.
acl flag_abuser src_inc_gpc0(Abuse) ge 0
acl scanner src_http_err_rate(Abuse) ge 10
# Returns a 403 to the abuser and flags for tcp-reject next time
http-request deny if abuse flag_abuser
http-request deny if scanner flag_abuser

# Dummy backend whose only purpose is to hold the table; expire is the ban length.
backend Abuse
    stick-table type ip size 1m expire 60m store conn_rate(3s),conn_cur,gpc0,http_req_rate(10s),http_err_rate(20s)
Tony, updated on September 18, 2022

Comments
- Tony (almost 2 years ago):
I have the following config, which works OK for rate limiting connections. If an abuser is authenticated and also accesses the defined regex location more than 30 times per minute, rate limiting is initiated and he is forwarded to the rate_limiting backend, where he receives an error message:

frontend http_in
    bind xx.xx.xx.xx:80
    mode http
    default_backend backend_nodes
    tcp-request inspect-delay 5s
    acl location_request path_reg ^/(.*)/(.*)/
    # the table named 'context' is not part of the posted config
    acl too_many_requests sc0_gpc0_rate(context) ge 30
    acl mark_seen sc0_inc_gpc0 gt 0
    stick-table type string size 100k store gpc0_rate(60s)
    tcp-request content track-sc0 cookie(authValidation) if location_request
    use_backend rate_limiting if mark_seen too_many_requests

backend backend_nodes
    mode http
    balance roundrobin
    option http-server-close
    server srv1 192.168.0.1:80 weight 5
    server srv2 192.168.0.2:80 weight 5

backend rate_limiting
    mode http
    timeout tarpit 2s
    # tarpit answers with a 500 by default, so the 500 errorfile carries the 429 page
    errorfile 500 /etc/haproxy/errorfiles/429.http
    http-request tarpit

This configuration ensures that the abuser can't make more than 30 requests per minute; however, it does not block him completely for more than a minute. What I'd like to achieve next is completely blocking the abuser for 1 hour after he gets rate-limited, but as far as my research showed me, I don't even know if this additional step is possible.
- Tony (almost 7 years ago): Indeed, I did something similar a year ago, so this is a good solution :)
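Putting the two halves of the thread together, here is one complete configuration that applies the answer's Abuse table to the setup described in the question. It is an added example, not code from either poster: the backend names, the cookie name authValidation, the server addresses and the `per_user` table are taken from or modelled on the question, and it assumes HAProxy 2.x (it uses `http-request track-sc`, `deny_status`, and a `stdout` log target). The one structural change from the posted snippets is that the reject for already-flagged IPs is a `tcp-request connection` rule placed before the track rule, so a banned client's retries are not tracked and therefore do not refresh the entry's expire timer.

```haproxy
global
    log stdout format raw local0
    # Admin socket so the tables can be inspected and entries cleared by hand.
    stats socket /var/run/haproxy.sock mode 600 level admin

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client 30s
    timeout server 30s

# Dummy backend that exists only to hold the per-source-IP stick table.
# expire is the ban length: an entry, and with it the gpc0 flag, is dropped this
# long after tracking last refreshed it (use 30m for a 30-minute ban).
backend Abuse
    stick-table type ip size 1m expire 60m store gpc0,http_req_rate(10s),http_err_rate(20s)

# Per-user table keyed on the session cookie, as in the question's frontend.
backend per_user
    stick-table type string size 100k expire 10m store gpc0_rate(60s)

frontend http_in
    bind *:80

    # 1. Source IPs already flagged are dropped at connection time, BEFORE being
    #    tracked, so their retries do not refresh the entry and stretch the ban.
    tcp-request connection reject if { src_get_gpc0(Abuse) gt 0 }
    # 2. Everyone else is tracked in Abuse; rate counters only tick for tracked entries.
    tcp-request connection track-sc0 src table Abuse

    # 3. Authenticated users on the sensitive paths are tracked by cookie (sc1).
    #    If the cookie is absent the key is empty and nothing is tracked.
    acl location_request path_reg ^/(.*)/(.*)/
    http-request track-sc1 req.cook(authValidation) table per_user if location_request

    # Per-IP limits from the answer. src_inc_gpc0 returns the new counter value,
    # so flag_abuser is always true; it must be the LAST term of each condition
    # so the flag is only set once the real test has already matched.
    acl abuse       src_http_req_rate(Abuse) ge 10
    acl scanner     src_http_err_rate(Abuse) ge 10
    acl flag_abuser src_inc_gpc0(Abuse) ge 0

    # Per-user limit from the question: gpc0 is bumped on every tracked request,
    # so gpc0_rate(60s) is that user's requests per minute on those paths.
    acl mark_seen         sc1_inc_gpc0 ge 0
    acl too_many_requests sc1_gpc0_rate ge 30

    # First offence: an error response, and the source IP is flagged. The next
    # connection from that IP is rejected by rule 1 until the Abuse entry expires.
    http-request deny if abuse flag_abuser
    http-request deny if scanner flag_abuser
    http-request deny deny_status 429 if location_request mark_seen too_many_requests flag_abuser

    default_backend backend_nodes

backend backend_nodes
    balance roundrobin
    option http-server-close
    server srv1 192.168.0.1:80 weight 5
    server srv2 192.168.0.2:80 weight 5
```

To watch the ban take effect, dump the table over the admin socket with `echo "show table Abuse" | socat stdio /var/run/haproxy.sock`; flagged sources show `gpc0=1` (or higher) and an `exp` countdown. A mistaken ban can be lifted without a reload with `echo "clear table Abuse key 203.0.113.7" | socat stdio /var/run/haproxy.sock` (203.0.113.7 is a placeholder address). Note that the ban is per source IP, so a rate-limited user behind a shared NAT takes everyone on that address with him; if that matters, flag a cookie-keyed table instead of the src-keyed one.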