HAProxy community

HAProxy rate limit questions

Hi, we want to achieve key-based rate limiting. For example, let's say if queries per minute is > 300 for 2m for 5 times, then use http tarpit. Note we do not want to block the offender the first time, but only if he repeats the same more than 5 times.

API keys are coming in an HTTP header named api-key.

Here is the portion of the conf file for what I want to achieve:

frontend http_front
    bind *:80
    #Server 01
    acl server01 hdr_dom(api-key) -i kbcf6c5b2d56d51d89b85

    # ACL Functions for rate_limit
    acl tx_is_api hdr_dom(host) -i -m sub \-api
    acl tx_is_api path_reg -i ^(/v4-)?/api/.*$
    acl has_auth_header req.fhdr(api-key) -m found

    # API specific counters
    acl mark_as_api_abuser   sc0_inc_gpc0(be_429_table_api) gt 0
    acl req_rate_api_abuse   sc0_http_req_rate(be_429_table_api) gt 300

    # API table fetches (track-sc0 needs the key to track: the api-key header value)
    http-request track-sc0 req.hdr(api-key) table be_429_table_api if has_auth_header tx_is_api

    # set API call var
    http-request set-var(txn.req_api) bool(true) if tx_is_api

    use_backend be_429_slow_down if tx_is_api mark_as_api_abuser req_rate_api_abuse

backend be_429_table_api
    # store list is comma-separated without spaces
    stick-table type string size 200k expire 2m store gpc0,http_req_rate(60s)

backend be_429_slow_down
    timeout tarpit 5s
    http-request tarpit

What I don't understand is how to achieve that 5-times window. Should it be acl mark_as_api_abuser sc0_inc_gpc0(be_429_table_api) gt 5? Or should I use another counter separately, like this?

acl mark_as_api_abuser   sc0_inc_gpc0(be_429_table_api) gt 0
acl abuse_cnt src_get_gpc0(Abuse) gt 5

How will the counter reset in this scenario?

Also, what happens when the stick-table entry expires? Let's say a user is blocked at 1m 59s; will he remain blocked for the next 2 min? What value should I choose as expire in this scenario?
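One way to express the "only after the 5th offence" escalation, as an added example that is neither the original post's configuration nor anything from the HAProxy project: two stick-tables keyed by the api-key header, one holding the 60s request rate plus a once-per-minute marker, the other a strike counter read through gpc0_rate so strikes age out on their own. The table names, the 10-minute strike window, and the be_api backend with its server address are assumptions.

```haproxy
frontend http_front
    bind *:80
    acl tx_is_api       path_reg -i ^(/v4-)?/api/.*$
    acl has_auth_header req.fhdr(api-key) -m found

    # sc0: per-key request rate plus a marker "strike already charged this minute"
    # sc1: per-key strike counter that lives for the 10m escalation window
    http-request track-sc0 req.hdr(api-key) table tbl_api_rate    if tx_is_api has_auth_header
    http-request track-sc1 req.hdr(api-key) table tbl_api_strikes if tx_is_api has_auth_header

    # over 300 requests in the last 60s / no strike charged in the last 60s / >5 strikes in 10m
    acl over_rate      sc0_http_req_rate gt 300
    acl not_yet_marked sc0_gpc0_rate eq 0
    acl repeat_abuser  sc1_gpc0_rate gt 5

    # Charge one strike per abusive minute, not one per request. Order matters:
    # increment sc1 (the strike count) first, then sc0 (the per-minute marker),
    # because the second increment makes not_yet_marked false for the rest of the minute.
    http-request sc-inc-gpc0(1) if over_rate not_yet_marked
    http-request sc-inc-gpc0(0) if over_rate not_yet_marked

    # Evaluated on every request from the live counters: a key is tarpitted for
    # as long as its strike rate stays above 5 and recovers once old strikes
    # slide out of the 10m window, with no manual reset.
    use_backend be_429_slow_down if tx_is_api repeat_abuser
    default_backend be_api

backend tbl_api_rate
    # expire must cover the longest rate period stored, otherwise the entry and
    # its counters are purged early. The expire timer restarts on every hit, so
    # an entry that is still being tracked never expires mid-abuse.
    stick-table type string len 40 size 200k expire 2m store http_req_rate(60s),gpc0,gpc0_rate(60s)

backend tbl_api_strikes
    # gpc0 only grows until the entry expires; gpc0_rate(10m) is the sliding
    # window that lets strikes age out, which is the "reset" asked about above.
    stick-table type string len 40 size 200k expire 10m store gpc0,gpc0_rate(10m)

backend be_429_slow_down
    timeout tarpit 5s
    http-request tarpit

backend be_api
    # placeholder upstream, assumed (not defined in the original post)
    server app1 127.0.0.1:8080
```

Validate with haproxy -c -f before loading; the per-minute marker means a key that stays above 300 req/min continuously collects one strike per minute, so the tarpit starts in the sixth abusive minute.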

