Counter issues on 1.8.29

Victor · March 23, 2021, 9:01pm

Hi,

We’re using some restrictions like this:

stick-table type ip size 1m expire 30s store gpc0,conn_cur,conn_rate(3s),http_req_rate(10s),http_err_rate(30s) peers mypeers

# Reject over 50 concurrent connections per ip
tcp-request connection reject if { src_conn_cur ge 50 }
# Reject if more than 30 connections in 3 seconds
tcp-request connection reject if { src_conn_rate ge 30 }
# Reject more than 30 http requests in 10 seconds
tcp-request content reject if { src_http_req_rate ge 30 }
# Reject if more than 10 http errors in 30 seconds
tcp-request content reject if { src_http_err_rate ge 10 }

While they’re not terribly nice, they used to work as expected. After upgrading to 1.8.29 we do get connection reset at normal browsing, a few requests from a browser, definitely none of the above limits being hit. There are two proxies in peering.

Downgraded back to 1.8.28 restored the expected behaviour. There was no configuration change.

Thanks,
Victor

lukastribus · March 23, 2021, 10:37pm

Yes, this is a known a new regression in the latest bugfix releases, patches have been posted and committed to 2.2 tree, other backports will follow:

https://www.mail-archive.com/haproxy@formilux.org/msg40020.html

lukastribus · March 24, 2021, 10:01pm

All supported stable branches now have the fix.

You can git clone from the 1.8 branch, or get get the backported patches here manually:
http://git.haproxy.org/?p=haproxy-1.8.git;a=patch;h=bfba403a925c954daf6f43a3239429044681316b
http://git.haproxy.org/?p=haproxy-1.8.git;a=patch;h=491b86ed0acdb4f3a1673f9357240176da930548

(both are necessary). Tomorrows 1.8 snapshot haproxy-ss-20210325.tar.gz will also contain those fixes.

I’ve also filed a tracking issue at github:

Victor · March 25, 2021, 12:48pm

Thanks Lukas, 1.8.29 plus the two patches is working fine.

joel-l · March 26, 2021, 10:50am

Do you happen to have an estimate as to when the fixes might be available as a new release for the 2.2 version (as 2.2.12)?

Asking because I’m using prebuilt packages and can’t easily patch anything manually.

lukastribus · March 26, 2021, 11:50am

https://www.mail-archive.com/haproxy@formilux.org/msg40050.html

2.2.12: probably early next week to still give some time for last issues
to be reported.

An alternative is 2.3.8, although that is not a LTS branch.

Topic		Replies	Views
Response time spikes when connections increase Help!	1	421	January 15, 2021
Limiting Http request rate Help!	0	314	May 26, 2020
Rate-limit connections per ip for smtp frontend Help!	3	1424	June 18, 2017
Rate limit based on the number of success request Help!	6	384	November 1, 2023
Actions on server reject Help!	2	293	April 16, 2021

Counter issues on 1.8.29

Related Topics