Can Haproxy deny a request by IP if its stick-table is full?

Posted by bantic on Server Fault See other posts from Server Fault or by bantic
Published on 2011-03-10T21:23:50Z Indexed on 2011/03/15 8:12 UTC
Read the original article Hit count: 219

Filed under:

reverse-proxy

|

haproxy

|

rate-limiting

In my haproxy configs I'm setting a stick-table of size 5 that stores every incoming IP address (for 1 minute), and it is set as nopurge so new entries won't get stored in the table. What I'd like to have happen is that they would get denied, but that isn't happening.

The stick-table line is:

stick-table type ip size 5 expire 1m nopurge store gpc0

And the whole configs are:

global
        maxconn 30000
        ulimit-n 65536
        log     127.0.0.1 local0
        log     127.0.0.1 local1 debug
        stats socket /var/run/haproxy.stat mode 600 level operator

defaults
        mode http
        timeout connect 5000ms
        timeout client 50000ms
        timeout server 50000ms

backend fragile_backend
        tcp-request content  track-sc2 src
        stick-table type ip size 5 expire 1m nopurge store gpc0
        server fragile_backend1 A.B.C.D:80

frontend http_proxy
        bind *:80
        mode http
        option forwardfor
        default_backend fragile_backend

I have confirmed (connecting to haproxy's stats using socat readline /var/run/haproxy.stat) that the stick-table fills up with 5 IP addresses, but then every request after that from a new IP just goes straight through -- it isn't added to the stick-table, nothing is removed from the stick-table, and the request is not denied.

What I'd like to do is deny the request if the stick-table is full. Is this possible?

I'm using haproxy 1.5.

© Server Fault or respective owner

Related posts about reverse-proxy

Reverse Proxy FTP traffic

as seen on Server Fault - Search for 'Server Fault'
I was wondering if anyone knew of a reverse proxy server to reverse proxy ftp traffic. I would like to run many servers on ip address, but then pass the traffic to an internal server with its own ip address. Thank you for any suggestions. >>> More
Determine nginx reverse-proxy load limits

as seen on Server Fault - Search for 'Server Fault'
Hi all: I have an nginx server (CentOS 5.3, linux) that I'm using as a reverse-proxy load-balancer in front of 8 ruby on rails application servers. As our load on these servers increases, I'm beginning to wonder at what point will the nginx server become a bottleneck? The CPUs are hardly used,… >>> More
Running a reverse proxy in front of Splunk 4.x

as seen on Server Fault - Search for 'Server Fault'
So, I have previously installed Splunk 3.x behind a reverse proxy and downloaded the latest version (4.0.6 at time of typing) expecting it to be as easy to use as before. Sadly this was not the case. There appears to be some elements which are not being translated correctly through the reverse proxy… >>> More
IIS reverse proxy to windows authenticated internal site

as seen on Server Fault - Search for 'Server Fault'
I have an internal windows authenticated website that I need to expose anonymously to external users. extern: http://foo.com/ (public) intern: http://privatefoo/ (requires windows auth) I want people hitting foo.com to see no security prompt, just get access to privatefoo - I know this is possible… >>> More
Creating a Reverse Proxy using Jpcap

as seen on Stack Overflow - Search for 'Stack Overflow'
I need to create a program that receives HTTP request and forwards those requests to the web servers. I have successfully made this using only Java Sockets but the client needed the program to be implemented in Jpcap. I'd like to know if this is possible and what literature I should be reading… >>> More

Related posts about haproxy

HA Proxy Stick-table and tcp-connection configuration

as seen on Server Fault - Search for 'Server Fault'
I am using HA Proxy HA-Proxy version 1.4.18 2011/09/16 I am trying to insert the following into /etc/init.d/haproxy.cfg file # Use General Purpose Couter (gpc) 0 in SC1 as a global abuse counter # Monitors the number of request sent by an IP over a period of 10 seconds stick-table type ip size 1m… >>> More
Rotate haproxy logs

as seen on Server Fault - Search for 'Server Fault'
I tried few things but still not able to rotate haproxy logs efficiently. I need to rotate logs when log files crosses 500 MB size. Considering haproxy is serving large no. of static tcp connections, I can not restart haproxy process though a reload is doable. Daily haproxy log file size normally… >>> More
could not bind socket while haproxy restart

as seen on Server Fault - Search for 'Server Fault'
I m restarting HAproxy by following command haproxy -f /etc/haproxy/haproxy.cfg -p /var/run/haproxy.pid -sf $(cat /var/run/haproxy.pid) but i get following message [ALERT] 183/225022 (9278) : Starting proxy appli1-rewrite: cannot bind socket [ALERT] 183/225022 (9278) : Starting proxy appli2-insert:… >>> More
Restarting Haproxy Gracefully

as seen on Server Fault - Search for 'Server Fault'
As per various blogs, HAproxy can be gracefully restarted using the following command: sudo haproxy -f /etc/haproxy/haproxy.cfg -p /var/run/haproxy.pid -sf $(cat /var/run/haproxy.pid) TO verify this, I had set up a apache bench script which contiguously sent message to haproxy. Ideally, whenever… >>> More
HAProxy: Display a "BADREQ" | BADREQ's by the thousands

as seen on Server Fault - Search for 'Server Fault'
My HAProxy Configuration. #HA-Proxy version 1.3.22 2009/10/14 Copyright 2000-2009 Willy Tarreau <[email protected]> global maxconn 10000 spread-checks 50 user haproxy group haproxy daemon stats socket /tmp/haproxy log localhost local0 log localhost local1 notice defaults … >>> More