I have some questions about my HAProxy config. Please help me check my sticky bit rules, thanks for your attention!
- Should "sc_http_req_rate(4)" match "track-sc4"? Should both have 4?
- Should "sc_gpc0_rate(0)", "sc-set-gpt0(0)" and "sc_get_gpt0(0)" match "track-sc0"? Should both ends be 0?
- Should "sc_http_req_rate(2)" match "track-sc2"? Should both ends be 2?
Here is part of my HAProxy config:
backend per_ip_rates # stick table that detects source IPs
    stick-table type ip size 1m expire 15m store http_req_rate(10s)

backend per_ip_rates2
    stick-table type ip size 1m expire 2h store gpc0,gpc0_rate(10s),gpt0

backend per_ip_rates3
    stick-table type ip size 1m expire 24h store gpc1,gpc1_rate(30s),gpt(2),http_err_rate(5m)

backend per_ip_and_url_bruteforce # for level 3 section protection
    stick-table type binary len 8 size 1m expire 10m store http_req_rate(3m)

frontend test
    bind *:80
    mode http
    http-request track-sc4 src table per_ip_rates # for all request types
    http-request deny deny_status 429 if { sc_http_req_rate(4) gt 300 }
    http-request track-sc4 src table per_ip_rates if METH_POST # for POST requests only
    http-request deny deny_status 429 if { sc_http_req_rate(4) gt 300 }
    #______________________________________________________________________
    http-request track-sc0 src table per_ip_rates2 # track the client's source IP in the per_ip_rates2 stick table
    http-request track-sc1 url32+src table per_ip_and_url_rates unless { path_end .css .js .png .jpeg .gif } # per_ip_and_url_rates is not shown in this excerpt
    acl exceeds_limit sc_gpc0_rate(0) gt 30
    http-request sc-set-gpt0(0) 1 if exceeds_limit
    http-request deny if { sc_get_gpt0(0) eq 1 }
    #______________________________________________________________________
    http-request track-sc2 base32+src table per_ip_and_url_bruteforce if METH_POST { path /login /auth /autentificate /api } # detect too many POST requests to login pages
    http-request deny if { sc_http_req_rate(2) gt 30 }
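As an added example (not the poster's config), here are the same three protections written on the default counter slots sc0..sc2, with every sc_* fetch and sc-* action carrying the slot number of the track-scN line that feeds it. The table names are reused from the post; the login paths, the 429 status on every deny, and the http-response rule that increments gpc0 on 401/403/404 responses are assumptions added so that the gpc0_rate rule has something to count.

```haproxy
# Added example, not the original post's config.  Every sc_*(N) fetch and
# sc-*(N) action reads slot N, the N from the matching track-scN line; which
# table a slot points at is chosen only by the "table <name>" argument.
backend per_ip_rates
    stick-table type ip size 1m expire 15m store http_req_rate(10s)

backend per_ip_rates2
    stick-table type ip size 1m expire 2h store gpc0,gpc0_rate(10s),gpt0

backend per_ip_and_url_bruteforce
    stick-table type binary len 8 size 1m expire 10m store http_req_rate(3m)

frontend test
    bind *:80
    mode http

    # Slot 0: per-IP request rate.  Track each slot once: re-tracking the same
    # key in the same table (the second track-sc4 in the question) does not
    # give a separate POST-only rate; that needs its own slot or table.
    http-request track-sc0 src table per_ip_rates
    http-request deny deny_status 429 if { sc_http_req_rate(0) gt 300 }

    # Slot 1: abuse flag.  gpc0 never moves on its own; something must
    # increment it (assumed here: each 401/403/404 response), otherwise
    # sc_gpc0_rate(1) stays at 0 and the gpt0 flag is never set.
    http-request track-sc1 src table per_ip_rates2
    http-response sc-inc-gpc0(1) if { status 401 403 404 }
    acl exceeds_limit sc_gpc0_rate(1) gt 30
    http-request sc-set-gpt0(1) 1 if exceeds_limit
    http-request deny deny_status 429 if { sc_get_gpt0(1) eq 1 }

    # Slot 2: POST bursts to login paths, keyed by URL+IP (assumed paths).
    # Only POSTs are tracked, so for other requests sc_http_req_rate(2)
    # yields no sample and the deny rule simply does not match.
    http-request track-sc2 base32+src table per_ip_and_url_bruteforce if METH_POST { path /login /auth }
    http-request deny deny_status 429 if { sc_http_req_rate(2) gt 30 }

# Slots sc0..sc2 exist in every build.  track-sc4, as in the question, only
# works when the binary provides more slots (MAX_SESS_STKCTR at build time,
# or the global tune.stick-counters setting in versions that have it).
# Validate before reloading:  haproxy -c -f /etc/haproxy/haproxy.cfg
```

The config check reports any sc slot the binary does not provide and any table or ACL name that is not defined, which is the quickest way to confirm each fetch points at a slot that is actually tracked.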