Ask a question about haproxy gpc0 configuration

haproxy question523×672 37.4 KB

I am building with 2layer as shown in the picture.
main haproxy is responsible for ssh decode and main server, and sub haproxy manages acl.

Sub haproxy has sticky table information and acl access limit.
When you check the information in the “show table”, you are connected.

# table: pcweb-limit-back, type: ip, size:268435456, used:2
0x1dcc20c: key=10.11.12.123 use=0 exp=26377 gpc0=0
0x1dcc67c: key=10.11.12.124 use=0 exp=25909 gpc0=1

Only main haproxy ip (10.11.12.124) will increase gpc0 count only.
client ip (10.11.12.123) does not increase gpc0 count.

How can I increase the gpc0 count of the client ip (10.11.12.123)?

Or if you have a setting to restrict server inflows in other ways, please guide.

Thank you in advance

Main HAproxy config

###
#
# Global Setting
#
###
global
    log 127.0.0.1   local2

    uid 99
    gid 99
    daemon

###
#
# Peers Setting
#
###
peers peerlist
    peer main-hpx 10.11.12.124:11000

###
#
# Default Setting
#
###
defaults
    log     global
    timeout connect 150s              #all client - server
    timeout client 5m                #all client - vip
    timeout server 5m               #vip server - real server
    mode http


###
#
# Frontend Proxy Setting
#
###


frontend main-haproxy
    bind 10.11.12.124:80
    bind 10.11.12.124:443 ssl crt /etc/haproxy/decode.dec
    maxconn 100000
    bind-process 1

    default_backend sub-haproxy

###
#
# Backend Proxy Setting
#
###

backend sub-haproxy
    mode http
    balance roundrobin
    fullconn 100000
    bind-process 1

    option forwardfor

    # haproxy
    server sub-hpx 10.11.12.125:80 check inter 5s fall 2 port 11001

Sub HAproxy config

global
    log 127.0.0.1   local2

    uid 99
    gid 99
    daemon

    maxconn 160000

peers peerlist
    peer sub-hpx 10.11.12.125:11025

defaults
    log     global
    timeout connect 150s
    timeout client 5m
    timeout server 5m 
    mode http


frontend pcweb-front
    mode http
    bind 10.11.12.125:80
    maxconn 100000

    log-format (%f)\ %ci:%cp\ to\ %s\ %{+Q}r\ %ST

    default_backend pcweb-back
    
    acl is_location url_beg /location/id/1234
    
    use_backend pcweb-limit-back if is_location


backend pcweb-back
    mode http
    balance roundrobin
    fullconn 100000

    option httpchk GET /monitor/l7check
    http-request set-header X-Forwarded-For %[src]

    # fixed server
    server web-server1 10.22.23.123 check inter 5s fall 2 port 80
    server web-server2 10.22.23.124 check inter 5s fall 2 port 80


backend pcweb-limit-back
    balance roundrobin
    fullconn 100000
    mode http

    option httpchk GET /monitor/l7check
    option forwardfor

    # Table definition
    stick-table type ip size 256m expire 1m store gpc0 peers peerlist
    http-request track-sc0 hdr(X-Forwarded-For) table pcweb-limit-back
    
    # Accepting connection condition
    acl under_limit table_cnt lt 10
    http-request allow if under_limit { src_inc_gpc0 ge 1 }
    redirect location http://domiain.com/error.html if !under_limit { src_get_gpc0 eq 0 }

    # fixed server
    server web-server3 10.22.23.125 check inter 5s fall 2 port 80
    server web-server4 10.22.23.126 check inter 5s fall 2 port 80