I am building with 2layer as shown in the picture.
main haproxy is responsible for ssh decode and main server, and sub haproxy manages acl.
Sub haproxy has sticky table information and acl access limit.
When you check the information in the “show table”, you are connected.
# table: pcweb-limit-back, type: ip, size:268435456, used:2
0x1dcc20c: key=10.11.12.123 use=0 exp=26377 gpc0=0
0x1dcc67c: key=10.11.12.124 use=0 exp=25909 gpc0=1
Only main haproxy ip (10.11.12.124) will increase gpc0 count only.
client ip (10.11.12.123) does not increase gpc0 count.
How can I increase the gpc0 count of the client ip (10.11.12.123)?
Or if you have a setting to restrict server inflows in other ways, please guide.
Thank you in advance
Main HAproxy config
###
#
# Global Setting
#
###
global
log 127.0.0.1 local2
uid 99
gid 99
daemon
###
#
# Peers Setting
#
###
peers peerlist
peer main-hpx 10.11.12.124:11000
###
#
# Default Setting
#
###
defaults
log global
timeout connect 150s #all client - server
timeout client 5m #all client - vip
timeout server 5m #vip server - real server
mode http
###
#
# Frontend Proxy Setting
#
###
frontend main-haproxy
bind 10.11.12.124:80
bind 10.11.12.124:443 ssl crt /etc/haproxy/decode.dec
maxconn 100000
bind-process 1
default_backend sub-haproxy
###
#
# Backend Proxy Setting
#
###
backend sub-haproxy
mode http
balance roundrobin
fullconn 100000
bind-process 1
option forwardfor
# haproxy
server sub-hpx 10.11.12.125:80 check inter 5s fall 2 port 11001
Sub HAproxy config
global
log 127.0.0.1 local2
uid 99
gid 99
daemon
maxconn 160000
peers peerlist
peer sub-hpx 10.11.12.125:11025
defaults
log global
timeout connect 150s
timeout client 5m
timeout server 5m
mode http
frontend pcweb-front
mode http
bind 10.11.12.125:80
maxconn 100000
log-format (%f)\ %ci:%cp\ to\ %s\ %{+Q}r\ %ST
default_backend pcweb-back
acl is_location url_beg /location/id/1234
use_backend pcweb-limit-back if is_location
backend pcweb-back
mode http
balance roundrobin
fullconn 100000
option httpchk GET /monitor/l7check
http-request set-header X-Forwarded-For %[src]
# fixed server
server web-server1 10.22.23.123 check inter 5s fall 2 port 80
server web-server2 10.22.23.124 check inter 5s fall 2 port 80
backend pcweb-limit-back
balance roundrobin
fullconn 100000
mode http
option httpchk GET /monitor/l7check
option forwardfor
# Table definition
stick-table type ip size 256m expire 1m store gpc0 peers peerlist
http-request track-sc0 hdr(X-Forwarded-For) table pcweb-limit-back
# Accepting connection condition
acl under_limit table_cnt lt 10
http-request allow if under_limit { src_inc_gpc0 ge 1 }
redirect location http://domiain.com/error.html if !under_limit { src_get_gpc0 eq 0 }
# fixed server
server web-server3 10.22.23.125 check inter 5s fall 2 port 80
server web-server4 10.22.23.126 check inter 5s fall 2 port 80