Can Haproxy deny a request by IP if its stick-table is full?

Posted by bantic on Server Fault
Published on 2011-03-10T21:23:50Z Indexed on 2011/03/15 8:12 UTC

In my haproxy configs I'm setting a stick-table of size 5 that stores every incoming IP address (for 1 minute), and it is set as nopurge so new entries won't get stored in the table. What I'd like to have happen is that they would get denied, but that isn't happening.

The stick-table line is:

stick-table type ip size 5 expire 1m nopurge store gpc0

And the whole config is:

global
        maxconn 30000
        ulimit-n 65536
        log     127.0.0.1 local0
        log     127.0.0.1 local1 debug
        stats socket /var/run/haproxy.stat mode 600 level operator

defaults
        mode http
        timeout connect 5000ms
        timeout client 50000ms
        timeout server 50000ms

backend fragile_backend
        tcp-request content  track-sc2 src
        stick-table type ip size 5 expire 1m nopurge store gpc0
        server fragile_backend1 A.B.C.D:80

frontend http_proxy
        bind *:80
        mode http
        option forwardfor
        default_backend fragile_backend

I have confirmed (connecting to haproxy's stats using socat readline /var/run/haproxy.stat) that the stick-table fills up with 5 IP addresses, but then every request after that from a new IP just goes straight through -- it isn't added to the stick-table, nothing is removed from the stick-table, and the request is not denied.

What I'd like to do is deny the request if the stick-table is full. Is this possible?

I'm using haproxy 1.5.
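A way to check the behaviour described above from the stats socket, as an added example that is not part of the original post: it parses a constructed "show table" dump (the line format is assumed to match what HAProxy 1.5's stats socket prints; the addresses and pointers are made up) and reports whether a nopurge table has saturated, which is the point at which new client IPs silently stop being tracked.

```python
import re

# Constructed sample of what "show table fragile_backend" prints on the
# stats socket (socat readline /var/run/haproxy.stat). Made-up IPs/pointers.
SAMPLE_DUMP = """\
# table: fragile_backend, type: ip, size:5, used:5
0x1a2b3c0: key=10.0.0.11 use=0 exp=58213 gpc0=0
0x1a2b3f0: key=10.0.0.12 use=1 exp=59870 gpc0=0
0x1a2b420: key=10.0.0.13 use=0 exp=12004 gpc0=3
0x1a2b450: key=10.0.0.14 use=0 exp=40999 gpc0=0
0x1a2b480: key=10.0.0.15 use=0 exp=3100 gpc0=0
"""

HEADER_RE = re.compile(
    r"^# table: (?P<name>\S+), type: (?P<type>\w+), size:(?P<size>\d+), used:(?P<used>\d+)")
ENTRY_RE = re.compile(r"^0x[0-9a-fA-F]+: key=(?P<key>\S+)(?P<rest>.*)$")


def parse_show_table(dump):
    """Parse a 'show table <name>' dump into (header dict, list of entry dicts)."""
    header, entries = None, []
    for line in dump.splitlines():
        m = HEADER_RE.match(line)
        if m:
            header = {"name": m.group("name"), "type": m.group("type"),
                      "size": int(m.group("size")), "used": int(m.group("used"))}
            continue
        m = ENTRY_RE.match(line)
        if m:
            fields = {"key": m.group("key")}
            for kv in m.group("rest").split():        # e.g. "exp=58213", "gpc0=0"
                k, _, v = kv.partition("=")
                fields[k] = int(v) if v.lstrip("-").isdigit() else v
            entries.append(fields)
    if header is None:
        raise ValueError("no '# table:' header found in dump")
    return header, entries


def table_status(dump, nopurge=True):
    """Summarise table fill level. With nopurge, a full table means HAProxy
    cannot evict an old entry, so requests from unseen IPs are not tracked."""
    header, entries = parse_show_table(dump)
    full = header["used"] >= header["size"]
    return {
        "table": header["name"], "used": header["used"], "size": header["size"],
        "full": full,
        "new_clients_untracked": full and nopurge,
        # exp is milliseconds until the entry expires, i.e. when a slot frees up
        "next_free_ms": min((e["exp"] for e in entries), default=None),
        "tracked": [e["key"] for e in entries],
    }
```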

© Server Fault or respective owner
