Excerpt from cfg

Backend1
    mode http
    acl is-error res.hdr(status) 403
    http-request track-sc2 src table error-count
    http-response sc-inc-gpc0(2) if is-error

    option httpchk
    balance static-rr
    server serverA [serverip-here] check inter 5s downinter 4s maxconn 4000
    server serverB [serverip-here] check inter 5s downinter 4s maxconn 4000

backend error-count
    stick-table type ip size 1m expire 3m store gpc0

RESULT after I force a 403 error on the browser:

# table: error-count, type: ip, size:1048576, used:1
0x562d0383ccc8: key=IPdisplays-here use=0 exp=173781 gpc0=0

I can see the IP is being tracked and expiration is there no problem, but I can't get gpc0 to update in the stick table. It remains 0.

I've tried all kinds of anonymous and other ACLs and table type string. No luck. Google has nothing. Any ideas are appreciated.

Thanks!

user450409

3 Answers


In HTTP, there is not a standard response header called status, so this ACL will never match:

    acl is-error res.hdr(status) 403

There is, however, a layer 7 fetch for status:

status: integer

Returns an integer containing the HTTP status code in the HTTP response, for example, 302. It is mostly used within ACLs and integer ranges, for example, to remove any Location header if the response is not a 3xx.

http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#7.3.6-status

I would suggest that this is what you intended:

    acl is-error status 403

...or if you prefer explicit comparison expressions, specify an integer match:

    acl is-error status -m int 403

The status fetch is available in all versions of HAProxy, back to at least 1.5 and probably earlier.

Michael - sqlbot
  • Thanks but I had already tried acl is-error status 403 as well but gpc0 never updates for HTTP-Response. – user450409 Jun 03 '19 at 14:24
  • ...All examples on the web related to sc-inc-gpc0 are for HTTP-Request (not Response). So I think it's a bug or not supported. – user450409 Jun 03 '19 at 14:32
  • [`http-response sc-inc-gpc0()`](http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4.2-http-response) is documented as valid, so it seems like it "should" work... but I've never used it. – Michael - sqlbot Jun 03 '19 at 15:40
  • My idea was to use the stick table counter in an ACL so I can get more useful state information from monitor-uri e.g. an ACL for monitor-fail that says if HTTP RESPONSE gpc0 > 5 then fail the monitor, where the counter is count of 502 errors coming from my backend. Really surprised no one is doing this. It would be much much easier than scraping logs for this type of state information. Since nothing shows up in google searches, looks like I'm up a creek :( – user450409 Jun 03 '19 at 17:23

I’m not sure that you can increment a sticky counter in the response that is tracked in the request. There’s a similar http-response track-sc2, but I don’t think they cross over.

https://www.haproxy.com/documentation/hapee/1-9r1/onepage/#4.2-http-response%20track-sc0

NickRamirez

I am doing something very similar. I am not sure why mine works and yours doesn't. I am definitely incrementing a counter in the response that is tracked in the request. And I do see gpc0 increment in my setup. One possible difference: my sc manipulations are in the frontend. Also, I am using sc0 rather than sc2. I shouldn't think either of these would matter. I am running 1.8.8. My cfg excerpts:

In FE:

    http-request track-sc0 src table Penalty_Box
    http-response sc-inc-gpc0(0) if { status 403 } || { status 404 }
    http-request deny if { sc_get_gpc0(0) gt 5 }

BE stick-table:

backend Penalty_Box
    stick-table type ip size 2000 expire 10m store http_req_rate(10s),gpc0

If you have managed to get your config working, I would sure like to know what you had to do.

Dave M
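
To check whether gpc0 actually moves after a config change like the ones discussed above, the table dump shown in the question can be parsed rather than read by eye. This is an added example, not code from any poster on this page: the sample dump is constructed (documentation-range addresses), and the function names and the default limit of 5 are assumptions.

```python
import re

# Constructed sample in the format of the table dump shown in the question.
# Addresses are documentation-range placeholders, not values from the page.
SAMPLE_DUMP = """\
# table: error-count, type: ip, size:1048576, used:3
0x562d0383ccc8: key=192.0.2.10 use=0 exp=173781 gpc0=0
0x562d0383cd90: key=192.0.2.44 use=1 exp=179002 gpc0=7
0x562d0383ce58: key=198.51.100.7 use=0 exp=12040 gpc0=6
"""

HEADER_RE = re.compile(
    r"^# table: (?P<name>[^,]+), type: (?P<type>[^,]+), size:(?P<size>\d+), used:(?P<used>\d+)")
ENTRY_RE = re.compile(r"^0x[0-9a-fA-F]+:\s+(?P<fields>.+)$")


def parse_table_dump(text):
    """Return (header dict or None, list of entry dicts) from a stick-table dump."""
    header, entries = None, []
    for line in text.splitlines():
        line = line.strip()
        m = HEADER_RE.match(line)
        if m:
            header = {"name": m["name"], "type": m["type"],
                      "size": int(m["size"]), "used": int(m["used"])}
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue  # blank lines, prompts, anything that is not an entry
        entry = {}
        for token in m["fields"].split():
            name, sep, value = token.partition("=")
            if not sep:
                continue
            # Counters become integers; the key (IP or string) stays text.
            entry[name] = int(value) if name != "key" and value.isdigit() else value
        entries.append(entry)
    return header, entries


def over_threshold(entries, counter="gpc0", limit=5):
    """Keys whose counter is greater than limit, mirroring a 'gt 5' ACL test."""
    return sorted(e["key"] for e in entries if e.get(counter, 0) > limit)


if __name__ == "__main__":
    hdr, rows = parse_table_dump(SAMPLE_DUMP)
    print(hdr["name"], "used:", hdr["used"])
    print("over limit:", over_threshold(rows))
```

An entry that shows up with a fresh exp value but gpc0=0 after a forced 403, as in the question, means tracking works and the increment rule did not fire.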