HAProxy rate limiting - ban abuser for 30 minutes

7,482

Andy, the trick is to add another backend that you only use for the extra stick table. You can only have one stick table per backend - BUT you can use them in ANY front/back end... So I just add one called Abuse that you can then use as a global 60-minute ban for any backend... You will need to change my example but try something like this:

# ABUSE SECTION works with http mode dependent on src ip
# Drop already-flagged source ips at layer 4, before any HTTP processing
tcp-request content reject if { src_get_gpc0(Abuse) gt 0 }
# Requests must be tracked in the Abuse table (counter 1, leaving counter 0 free
# for a table of your own), otherwise the req/err rates below never move from 0
tcp-request content track-sc1 src table Abuse
acl abuse src_http_req_rate(Abuse) ge 10
# Always true; it is only evaluated, and so only sets the flag, when the ACL
# before it in the same condition matched
acl flag_abuser src_inc_gpc0(Abuse) ge 0
acl scanner src_http_err_rate(Abuse) ge 10

# Returns a 403 to the abuser and flags for tcp-reject next time
http-request deny if abuse flag_abuser
http-request deny if scanner flag_abuser

# One entry per source ip; the flag, and with it the ban, lasts until the entry expires (60m)
backend Abuse
stick-table type ip size 1m expire 60m store conn_rate(3s),conn_cur,gpc0,http_req_rate(10s),http_err_rate(20s)


Author: Tony

Updated on September 18, 2022

Comments

  • Tony, almost 2 years

    I have the following config, that works OK for rate limiting connections. If an abuser is authenticated and he also accesses the defined regex location more than 30 times per minute, rate limiting is initiated and he is forwarded to the rate_limiting backend where he receives an error message:

    frontend http_in
        bind xx.xx.xx.xx:80
        mode http
        default_backend backend_nodes
        tcp-request inspect-delay 5s
        # requests to the protected location, tracked per auth cookie
        acl location_request path_reg ^/(.*)/(.*)/
        # gpc0 rate read from the table counter 0 is tracked in (this frontend's own table)
        acl too_many_requests sc0_gpc0_rate ge 30
        # always true for a tracked request; its side effect is the gpc0 increment
        acl mark_seen sc0_inc_gpc0 gt 0
        stick-table type string size 100k store gpc0_rate(60s)
        tcp-request content track-sc0 cookie(authValidation) if location_request
        use_backend rate_limiting if mark_seen too_many_requests

    backend backend_nodes
        mode    http
        balance roundrobin
        option  http-server-close
        server  srv1 192.168.0.1:80 weight 5
        server  srv2 192.168.0.2:80 weight 5

    backend rate_limiting
        mode http
        timeout tarpit 2s
        # tarpit answers with a 500 by default; this errorfile swaps in a 429 body
        errorfile 500 /etc/haproxy/errorfiles/429.http
        http-request tarpit

    This configuration ensures that the abuser can't make more than 30 requests per minute, however, it does not block him completely for more than a minute. Now, what I'd like to achieve next is completely blocking the abuser for 1 hour after he gets rate-limited, but as far as my research showed me, I don't even know if this additional step is even possible.

  • Tony, almost 7 years
    Indeed, I did something similar a year ago, so this is a good solution :)
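Putting the answer's separate-backend trick together with the frontend from the question, as an added example that is not part of the original thread: the Abuse table holds only a per-IP ban flag with a 30-minute expiry (the length asked for in the title), while the per-cookie rate limit stays in the frontend's own table. The bind address and cookie name are the page's placeholders; nothing else is assumed.

```haproxy
# Added example, not the poster's or the answerer's config.
frontend http_in
    bind xx.xx.xx.xx:80
    mode http
    default_backend backend_nodes
    tcp-request inspect-delay 5s

    # Step 1 (cheapest check first): a source ip whose ban flag is set in the
    # Abuse table is dropped at layer 4, before any HTTP processing.
    tcp-request content reject if { src_get_gpc0(Abuse) gt 0 }

    # Step 2: the per-session rate limit from the question, keyed on the
    # auth cookie and tracked in this frontend's own table as counter 0.
    stick-table type string size 100k store gpc0_rate(60s)
    acl location_request  path_reg ^/(.*)/(.*)/
    acl too_many_requests sc0_gpc0_rate ge 30
    acl mark_seen         sc0_inc_gpc0 gt 0
    tcp-request content track-sc0 cookie(authValidation) if location_request

    # Step 3: when the limit trips, raise the ban flag for the source ip.
    # src_inc_gpc0 creates the Abuse entry if needed and "ge 0" always matches,
    # but the ACLs of a condition are evaluated left to right and stop at the
    # first false one, so the flag is only set once both limit ACLs matched.
    acl flag_abuser src_inc_gpc0(Abuse) ge 0
    http-request deny if mark_seen too_many_requests flag_abuser

backend backend_nodes
    mode    http
    balance roundrobin
    option  http-server-close
    server  srv1 192.168.0.1:80 weight 5
    server  srv2 192.168.0.2:80 weight 5

# Holds only the ban flag. No traffic is routed here; it exists because each
# proxy section may own one stick table, and the frontend already uses its own.
# expire 30m is the ban length: the entry, and the flag with it, is dropped
# 30 minutes after it was last written.
backend Abuse
    stick-table type ip size 1m expire 30m store gpc0
```

A client that trips the limit gets one denied HTTP response on the current connection and is then refused at connection level for the next 30 minutes; `echo "show table Abuse" | socat stdio /var/run/haproxy.sock` (stats socket path assumed) lists the currently flagged addresses.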