In my haproxy configs I'm setting a stick-table of size 5 that stores every incoming IP address (for 1 minute), and it is set as nopurge
so new entries won't get stored in the table. What I'd like to have happen is that they would get denied, but that isn't happening.
The stick-table line is:
stick-table type ip size 5 expire 1m nopurge store gpc0
And the whole config is:
global
    maxconn 30000
    ulimit-n 65536
    log 127.0.0.1 local0
    log 127.0.0.1 local1 debug
    stats socket /var/run/haproxy.stat mode 600 level operator

defaults
    mode http
    timeout connect 5000ms
    timeout client 50000ms
    timeout server 50000ms

backend fragile_backend
    tcp-request content track-sc2 src
    stick-table type ip size 5 expire 1m nopurge store gpc0
    server fragile_backend1 A.B.C.D:80

frontend http_proxy
    bind *:80
    mode http
    option forwardfor
    default_backend fragile_backend
I have confirmed (connecting to haproxy's stats socket using socat readline /var/run/haproxy.stat) that the stick-table fills up with 5 IP addresses, but then every request after that from a new IP just goes straight through -- it isn't added to the stick-table, nothing is removed from the stick-table, and the request is not denied.
What I'd like to do is deny the request if the stick-table is full. Is this possible?
I'm using haproxy 1.5.
As I have said on another thread, this requires addition of a very simple ACL to report the number of entries used in a table. It's at most 10 lines of code including function declaration I think, but we need to add it. I don't have the time right now, so I'm adding that to the TODO list and will accept a contrib if someone finds the time to do it.
This sounds like it isn't the behavior that should happen from the way the documentation is worded. But maybe you can increment the GPC for each IP in the table and deny if it is zero?
That being said, your backend is called "fragile_backend". If you are trying to limit the number of connections to a server, because the server can only handle so many connections at a time, you might want to use the maxconn parameter in your server definition. Using this, HAProxy will queue the connections beyond that amount. You might also be interested in:
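An added example, not part of either answer and not tested against a live HAProxy 1.5 build, of what the gpc0 idea above and the maxconn suggestion could look like in the asker's backend. It keeps the asker's backend and server names and the A.B.C.D placeholder. The key assumption is that the sc2_inc_gpc0 fetch returns 0 for a source that has no entry in the table (a full nopurge table leaves new sources untracked) and the incremented, positive counter when an entry exists, so denying unless it is positive rejects exactly the sources the table could not admit. The maxconn on the server line is the second answer's alternative: it queues excess connections instead of denying them, and the two mechanisms are independent.

```haproxy
backend fragile_backend
    # At most 5 source addresses; with nopurge, a full table silently
    # stops admitting new sources instead of evicting the oldest entry.
    stick-table type ip size 5 expire 1m nopurge store gpc0

    # Track the client address in sc2. This creates a table entry only
    # when the table still has room, which is why new sources are
    # untracked once the table holds 5 addresses.
    tcp-request content track-sc2 src

    # Assumption: sc2_inc_gpc0 yields 0 when src has no table entry and
    # the new (positive) counter value when it does. Evaluating this ACL
    # also bumps gpc0 on every request from a tracked source, so gpc0
    # ends up counting requests per admitted IP.
    acl src_tracked sc2_inc_gpc0 gt 0

    # Reject anyone the full table could not admit (a 403 in 1.5).
    http-request deny unless src_tracked

    # Second answer's alternative: cap concurrent connections to the
    # server and let HAProxy queue the rest rather than denying them.
    server fragile_backend1 A.B.C.D:80 maxconn 5
```

Check the outcome on the stats socket the same way as in the question: after 5 distinct sources have been seen within the 1 minute expiry, a request from a sixth address should be denied while the table still shows only the original 5 entries, each with a gpc0 value equal to the number of requests it has made.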