HAProxy rate limiting - ban abuser for 30 minutes

Question

I have the following config, that works OK for rate limiting connections. If an abuser is authenticated and he also accesses the defined regex location more than 30 times per minute, rate limiting is initiated and he is forwarded to the rate_limiting backend where he receives an error message:

frontend http_in

bind xx.xx.xx.xx:80
mode http
default_backend backend_nodes
tcp-request inspect-delay 5s
acl location_request path_reg ^/(.*)/(.*)/
acl too_many_requests sc0_gpc0_rate(context) ge 30
acl mark_seen sc0_inc_gpc0 gt 0
stick-table type string size 100k store gpc0_rate(60s)
tcp-request content track-sc0 cookie(authValidation) if location_request
use_backend rate_limiting if mark_seen too_many_requests


backend backend_nodes

mode    http
balance roundrobin
option  http-server-close
server  srv1 192.168.0.1:80 weight 5
server  srv2 192.168.0.2:80 weight 5

backend rate_limiting

mode http
timeout tarpit 2s
errorfile 500 /etc/haproxy/errorfiles/429.http
http-request tarpit

This configuration ensures that the abuser can't make more than 30 requests per minute, however, it does not block him completely for more than a minute. Now, what I'd like to achieve next is completely blocking the abuser for 1 hour after he gets rate-limited, but as far as I my research showed me, I don't even know if this additional step is even possible.

score 5 · Accepted Answer · answered Jun 04 '17 at 16:18

Andy, The trick is to add another backend that you only use for the extra stick table. You can only have one stick table per backend - BUT you can use them in ANY front/back end... So I just add one called Abuse that you can then use as a global 60 minute ban for any backend... You will need to change my example but try something like this:

# ABUSE SECTION works with http mode dependent on src ip
tcp-request content reject if { src_get_gpc0(Abuse) gt 0 }
acl abuse src_http_req_rate(Abuse) ge 10
acl flag_abuser src_inc_gpc0(Abuse) ge 0
acl scanner src_http_err_rate(Abuse) ge 10

# Returns a 403 to the abuser and flags for tcp-reject next time
http-request deny if abuse flag_abuser
http-request deny if scanner flag_abuser

backend Abuse
stick-table type ip size 1m expire 60m store conn_rate(3s),conn_cur,gpc0,http_req_rate(10s),http_err_rate(20s)

Indeed, I did something similar a year ago, so this is a good solution :) — Tony, Jul 03 '17 at 09:01

HAProxy rate limiting - ban abuser for 30 minutes

1 Answers1