My goal is to temporarily block an IP if someone tries to access certain paths. The idea is to use a stick table with gpc0, and when a forbidden path is accessed, gpc0 is increased by 1. That’s then used as an indicator for later attempts that the IP is banned.
Here’s my config for the frontend:
frontend nameoffrontend
    # ban for 20 minutes
    stick-table type ip size 100k expire 20m store gpc0
    # flag client as either getting blocked or already being blocked
    acl getblocked path -m reg -i regex-for-some-forbidden-path
    acl isblocked sc_get_gpc0(0,nameoffrontend) gt 0
    http-request track-sc0 src
    # increase gpc0 if getting blocked
    http-response sc-inc-gpc0(0) if getblocked
    # in either case, silently drop the connection
    http-request silent-drop if getblocked or isblocked
The silently dropping works fine when accessing a forbidden path, but gpc0 never gets increased and the ban never happens. The client can immediately continue accessing other things on the server. If I change the last line to
http-request deny if getblocked or isblocked
it works as expected. A forbidden path leads to a 403, gpc0 gets increased, and subsequent attempts at any valid path also lead to a 403. I just want to change that 403 to silence.
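The following is an added example of the same frontend with the counter moved to the request side; it is not configuration from the original post. The `silent-drop` action closes the connection while the request is still being processed, so no response ever passes through the `http-response` rule set and the `http-response sc-inc-gpc0(0)` rule never executes. Incrementing gpc0 with an `http-request` rule that sits before the drop removes that dependency on a response being generated. The frontend name and the placeholder regex are taken from the question; the `bind` address, the stats socket path, the `defaults` timeouts and the `app` backend with its `127.0.0.1:8080` server are assumptions made so the file is complete.

```haproxy
global
    # stats socket used to inspect the stick table (assumed path)
    stats socket /var/run/haproxy.sock mode 600 level admin

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend nameoffrontend
    bind :80

    # ban for 20 minutes; each request from the source refreshes the entry
    stick-table type ip size 100k expire 20m store gpc0

    # flag client as either getting blocked or already being blocked
    acl getblocked path -m reg -i regex-for-some-forbidden-path
    acl isblocked  sc_get_gpc0(0,nameoffrontend) gt 0

    # track the source address in this frontend's table
    http-request track-sc0 src

    # increment gpc0 on the request side, before the drop, so the rule
    # runs even though silent-drop never produces a response
    http-request sc-inc-gpc0(0) if getblocked

    # in either case, silently drop the connection
    http-request silent-drop if getblocked or isblocked

    default_backend app

backend app
    # placeholder origin server (assumed)
    server app1 127.0.0.1:8080
```

Validate the file with `haproxy -c -f haproxy.cfg` before reloading. With the stats socket above, `echo "show table nameoffrontend" | socat stdio /var/run/haproxy.sock` lists the tracked addresses with their gpc0 values, which makes it easy to confirm that a request to a forbidden path raised the counter and that later requests from the same address are dropped. Note that `expire 20m` is measured from the last time the entry was touched, and `track-sc0 src` touches it on every request, so an address that keeps retrying stays banned for as long as it keeps retrying plus 20 minutes, not for a fixed 20 minutes from the first offence.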