Excerpt from cfg:
Backend1
    mode http
    acl is-error res.hdr(status) 403
    http-request track-sc2 src table error-count
    http-response sc-inc-gpc0(2) if is-error
    option httpchk
    balance static-rr
    server serverA [serverip-here] check inter 5s downinter 4s maxconn 4000
    server serverB [serverip-here] check inter 5s downinter 4s maxconn 4000
backend error-count
    stick-table type ip size 1m expire 3m store gpc0
RESULT after I force a 403 error on the browser:
# table: error-count, type: ip, size:1048576, used:1
0x562d0383ccc8: key=IPdisplays-here use=0 exp=173781 gpc0=0
I can see the IP is being tracked and the expiration is there, no problem, but I can't get gpc0 to update in the stick table. It remains 0.
I've tried all kinds of anonymous and other ACLs and table type string. No luck. Google has nothing. Any ideas are appreciated.
Thanks!
In HTTP, there is not a standard response header called status, so this ACL will never match:

There is, however, a layer 7 fetch for status:

I would suggest that this is what you intended:

...or if you prefer explicit comparison expressions, specify an integer match:

The status fetch is available in all versions of HAProxy, back to at least 1.5 and probably earlier.

I’m not sure that you can increment a sticky counter in the response that is tracked in the request. There’s a similar http-response track-sc2, but I don’t think they cross over.
https://www.haproxy.com/documentation/hapee/1-9r1/onepage/#4.2-http-response%20track-sc0
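
The ACL change described in the answer above, written out as a full configuration fragment. This is an added example, not a config posted by anyone in this thread; the frontend, the server addresses, the deny rule and its threshold of 10 are assumptions for illustration.

```haproxy
# Added example; addresses, names and the threshold are constructed.
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend fe_main
    bind :80
    default_backend Backend1

backend Backend1
    # Before (never matches: no response header is named "status"):
    #   acl is-error res.hdr(status) 403
    # After: "status" is the layer 7 fetch for the response status code.
    acl is-error status 403
    # Equivalent, with an explicit integer comparison:
    #   acl is-error status eq 403

    # Track the client IP in the shared table, then refuse clients whose
    # 403 count has passed the (assumed) threshold of 10.
    http-request track-sc2 src table error-count
    http-request deny if { sc2_get_gpc0 gt 10 }

    # Count each 403 the servers return against the tracked entry.
    http-response sc-inc-gpc0(2) if is-error

    option httpchk
    balance static-rr
    server serverA 192.0.2.10:80 check inter 5s downinter 4s maxconn 4000
    server serverB 192.0.2.11:80 check inter 5s downinter 4s maxconn 4000

backend error-count
    # gpc0 holds the per-IP 403 count; entries expire after 3 minutes.
    stick-table type ip size 1m expire 3m store gpc0
```

`haproxy -c -f <file>` checks the syntax, and `show table error-count` on the stats socket shows whether gpc0 moves after a 403.
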
I am doing something very similar. I am not sure why mine works and yours doesn't. I am definitely incrementing a counter in the response that is tracked in the request. And I do see gpc0 increment in my setup. One possible difference: my sc manipulations are in the frontend. Also, I am using sc0 rather than sc2. I shouldn't think either of these would matter. I am running 1.8.8. My cfg excerpts:
In FE:
BE stick-table:
backend Penalty_Box
If you have managed to get your config working, I would sure like to know what you had to do.