
In my haproxy configs I'm setting a stick-table of size 5 that stores every incoming IP address (for 1 minute), and it is set as nopurge so new entries won't get stored in the table. What I'd like to have happen is that they would get denied, but that isn't happening.

The stick-table line is:

stick-table type ip size 5 expire 1m nopurge store gpc0

And the whole configs are:

global
        maxconn 30000
        ulimit-n 65536
        log     127.0.0.1 local0
        log     127.0.0.1 local1 debug
        stats socket /var/run/haproxy.stat mode 600 level operator

defaults
        mode http
        timeout connect 5000ms
        timeout client 50000ms
        timeout server 50000ms

backend fragile_backend
        tcp-request content track-sc2 src
        stick-table type ip size 5 expire 1m nopurge store gpc0
        server fragile_backend1 A.B.C.D:80

frontend http_proxy
        bind *:80
        mode http
        option forwardfor
        default_backend fragile_backend

I have confirmed (connecting to haproxy's stats using socat readline /var/run/haproxy.stat) that the stick-table fills up with 5 IP addresses, but then every request after that from a new IP just goes straight through -- it isn't added to the stick-table, nothing is removed from the stick-table, and the request is not denied.

What I'd like to do is deny the request if the stick-table is full. Is this possible?

I'm using haproxy 1.5.

bantic

2 Answers


As I have said on another thread, this requires addition of a very simple ACL to report the number of entries used in a table. It's at most 10 lines of code including function declaration I think, but we need to add it. I don't have the time right now, so I'm adding that to the TODO list and will accept a contrib if someone finds the time to do it.

Willy Tarreau

This sounds like it isn't the behavior that should happen from the way the documentation is worded. But maybe you can increment the GPC for each IP in the table and deny if it is zero?

src_get_gpc0(table) <integer>
  Returns the value of the first General Purpose Counter associated to the
  connection's source IPv4 address in the current proxy's stick-table or in
  the designated stick-table. If the address is not found, zero is returned.
  See also sc1/sc2_get_gpc0 and src_inc_gpc0.

That being said, your backend is called "fragile_backend". If you are trying to limit the number of connections to a server, because the server can only handle so many connections at a time, you might want to use the maxconn parameter in your server definition. Using this, HAProxy will queue the connections beyond that amount. You might also be interested in:

be_conn <integer>
be_conn(backend) <integer>
  Applies to the number of currently established connections on the backend,
  possibly including the connection being evaluated. If no backend name is
  specified, the current one is used. But it is also possible to check another
  backend. It can be used to use a specific farm when the nominal one is full.
  See also the "fe_conn", "queue" and "be_sess_rate" criteria.
Kyle Brandt
  • I don't think the gpc0 counter will work because the first time someone comes by, their counter value will always be 0, and I need to let them in initially. And as I understand it, the counter variable is tied to the IP itself...each "row" of the stick-table (one for each IP) has a separate gpc0 counter. What would be helpful is if I had a way to count *all* of the rows in the table...that's what I'd implicitly be doing if I took a different action when the stick-table was full. – bantic Mar 10 '11 at 22:37
  • Oh, and thanks for the mention of the maxconn param. I can't use the number of connections to limit this, though, because each client that I have connecting will be making multiple requests. I essentially want to let the first 5 (for example) IPs in and let them make requests. If I limited it to 5 total connections, then if the first IP connected, got data, waited a second, and then tried to connect again for more data, another stray client might have connected in the meantime, taking its "slot" so to speak. I want to track these IPs so I can keep the slot for a given IP open. – bantic Mar 10 '11 at 22:38
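As an added example (not part of the thread), this extends the question's backend with the check Kyle's answer hints at, written in HAProxy 1.5 syntax: because nopurge refuses to create entries once the table is full, a source that was never stored has no counter to increment, so the increment doubles as a membership test. The sc2_inc_gpc0 fetch and the http-request deny rule are HAProxy 1.5 keywords assumed here; the server address is the question's own placeholder.

```haproxy
backend fragile_backend
        # Track the client address in this backend's table. With nopurge,
        # the 6th distinct address gets no entry and is not tracked at all.
        tcp-request content track-sc2 src
        stick-table type ip size 5 expire 1m nopurge store gpc0

        # sc2_inc_gpc0 increments the tracked entry's counter and returns the
        # new value (1 on a stored source's first request). When there is no
        # tracked entry the value stays 0, so the negated ACL denies exactly
        # the sources that arrived after the table filled up. Entries expire
        # after 1m of inactivity, which frees a slot for the next new address.
        http-request deny if !{ sc2_inc_gpc0 gt 0 }

        server fragile_backend1 A.B.C.D:80
```

"show table fragile_backend" on the stats socket lists the stored addresses with their gpc0 values, which is the quickest way to confirm which five sources currently hold a slot.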