I have some simple connection and connection rate limiting in HAProxy:
# Store IPs to limit connection rate
stick-table type ip size 200k expire 5m store gpc0,conn_cur,conn_rate(10s)
tcp-request connection track-sc0 src
# Abusers are immediately rejected
tcp-request connection reject if { sc0_get_gpc0 gt 0 }
# Test connection count and rate
acl connabuse sc0_conn_cur gt 20
acl connkill sc0_inc_gpc0 gt 0
tcp-request connection reject if connabuse connkill
acl rateabuse sc0_conn_rate gt 30
acl ratekill sc0_inc_gpc0 gt 0
tcp-request connection reject if rateabuse ratekill
Unfortunately, this has been causing some problems. I'd like to temporarily stop blocking people, but log the time and IP when those limits are hit, so I can play around with the rules and see what works and what doesn't. How can I do this?
Instead of blocking abusers you could add response headers indicating the client IP address that broke the rules. Something like this:
where %ci represents the client IP address; you can log any other parameter mentioned here: http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#8.2.4
Then you capture those headers and put them in the logs as described in the docs: http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#capture%20response
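Another way to get what the question asks for (record when the limits are hit, but keep accepting the connection), shown here as an added example rather than the answerer's or HAProxy's own configuration. It keeps the question's stick-table and thresholds and assumes HAProxy 1.5 syntax, a frontend called `www` and a backend called `app`; both names are placeholders.

```haproxy
# Added example (not from the question or the answer above): count limit
# hits in gpc0 without rejecting, and write the counters to the access log.
frontend www
    bind *:80
    mode http
    option httplog

    # Same table as in the question; gpc0 now only records "would have
    # been blocked" and never triggers a reject.
    stick-table type ip size 200k expire 5m store gpc0,conn_cur,conn_rate(10s)
    tcp-request connection track-sc0 src

    acl connabuse sc0_conn_cur gt 20
    acl rateabuse sc0_conn_rate gt 30
    acl mark      sc0_inc_gpc0 gt 0

    # 'accept' is used purely for its side effect: 'mark' is evaluated (and
    # gpc0 incremented) only when the limit ACL before it matched. The first
    # matching rule ends tcp-request processing, so an IP over both limits
    # is counted once per connection.
    tcp-request connection accept if connabuse mark
    tcp-request connection accept if rateabuse mark

    # Default HTTP log format, with the per-IP counters appended so existing
    # log parsers keep working. hits= is cumulative for the table entry.
    log-format "%ci:%cp [%t] %ft %b/%s %Tq/%Tw/%Tc/%Tr/%Tt %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r conn_cur=%[sc0_conn_cur] conn_rate=%[sc0_conn_rate] hits=%[sc0_get_gpc0]"

    default_backend app
```

Every request line then carries the client IP, the timestamp, the current connection count and rate for that IP, and how many times the IP has tripped a limit, so `grep 'hits=[1-9]'` over the log lists the clients the old rules would have rejected. Two caveats: the counters are sampled when the log line is written, not at the moment the connection was accepted, so `conn_cur` may already be lower than it was when the ACL matched; and because gpc0 keeps counting for the lifetime of the table entry, the original `sc0_get_gpc0 gt 0` reject rule must stay removed (or those IPs would still be blocked) until the thresholds have been tuned.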