Can Haproxy deny a request by IP if its stick-table is full?
Posted
by
bantic
on Server Fault
See other posts from Server Fault
or by bantic
Published on 2011-03-10T21:23:50Z
Indexed on
2011/03/15
8:12 UTC
Read the original article
Hit count: 224
In my haproxy configs I'm setting a stick-table of size 5 that stores every incoming IP address (for 1 minute), and it is set as nopurge
so new entries won't get stored in the table. What I'd like to have happen is that they would get denied, but that isn't happening.
The stick-table line is:
stick-table type ip size 5 expire 1m nopurge store gpc0
And the whole configs are:
global
maxconn 30000
ulimit-n 65536
log 127.0.0.1 local0
log 127.0.0.1 local1 debug
stats socket /var/run/haproxy.stat mode 600 level operator
defaults
mode http
timeout connect 5000ms
timeout client 50000ms
timeout server 50000ms
backend fragile_backend
tcp-request content track-sc2 src
stick-table type ip size 5 expire 1m nopurge store gpc0
server fragile_backend1 A.B.C.D:80
frontend http_proxy
bind *:80
mode http
option forwardfor
default_backend fragile_backend
I have confirmed (connecting to haproxy's stats using socat readline /var/run/haproxy.stat
) that the stick-table fills up with 5 IP addresses, but then every request after that from a new IP just goes straight through -- it isn't added to the stick-table, nothing is removed from the stick-table, and the request is not denied.
What I'd like to do is deny the request if the stick-table is full. Is this possible?
I'm using haproxy 1.5.
© Server Fault or respective owner