Hey Pros,
By chance I noticed in my logs that one of my http-request track-sc0 rules does not work anymore. I have a dummy backend for stick-tables and want to track base32+src there. In 2.3, or maybe in 2.4/2.4.1, it worked (I was ill and can't check older logs). But in 2.4.2 it does not work.
I have stripped down my config and will attach it; can someone reproduce this? Over socat the table is always empty! My https table has my test record, but the cache_limiter table is empty.
Thanks for your help!
Greetz
Attached my config
global
master-worker
#log /dev/log local0 info
# Access-log stream (the JSON log-format in "defaults") is shipped raw over plain syslog/UDP
# to this collector; the 65535 line length is needed because the JSON line is long.
log 1.2.3.54:1521 len 65535 format raw local0 info
log /dev/log local1 notice
chroot /var/lib/haproxy
# NOTE(review): mode 666 lets every local account use an admin-level socket (state-changing
# CLI commands, and with "expose-fd listeners" the listening sockets can be retrieved through
# it). A mode of 660 plus a dedicated group is the usual restriction; confirm that no
# unprivileged process actually needs this socket.
stats socket /run/haproxy/admin.sock mode 666 level admin expose-fd listeners
stats timeout 30s
user haproxy
group haproxy
daemon
#Give old worker processes at most 1h to finish after a reload
hard-stop-after 1h
#Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
#Default ciphers to use on SSL-enabled listening sockets.
#For more information, see ciphers(1SSL). This list is from:
#https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
#ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
#ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:AES256+EECDH:AES256+EDH:ECDH+AESGCM256:DH+AESGCM256:ECDH+AES256:AES128+EECDH:AES128+EDH:ECDH+AESGCM128:DH+AESGCM128:ECDH+AES128!aNULL
# NOTE(review): the active list still ends with CBC/SHA1 suites (AES128-SHA, AES256-SHA) and the
# bare "AES" and "CAMELLIA" aliases, and together with "ssl-min-ver TLSv1.0" below it accepts
# TLS 1.0/1.1 handshakes. If no client needs them, keep only the AEAD suites at the head of the
# list and raise the minimum to TLSv1.2. Also, with OpenSSL 1.1.1+ the TLS 1.3 suites are set via
# "ssl-default-bind-ciphersuites" (TLS_AES_256_GCM_SHA384-style names); the TLS13-* entries here
# are presumably ignored by the cipher-list parser - check the library shown by "haproxy -vv".
ssl-default-bind-ciphers TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:TLS13-CHACHA20-POLY1305-SHA256:EECDH+AESGCM:EECDH+CHACHA20:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
#ssl-default-bind-options no-sslv3 #no-tls-tickets
ssl-default-bind-options ssl-min-ver TLSv1.0 no-tls-tickets
#ssl-min-ver TLSv1.0
spread-checks 40
tune.ssl.default-dh-param 2048
# NOTE(review): roughly 4 MB per buffer. Combined with maxconn 50000 and "option
# http-buffer-request" in the frontend, the worst-case memory footprint is very large;
# the value also looks like a typo for 4096000 - confirm the intended size.
tune.bufsize 4069000
maxconn 50000
defaults
log global
mode http
option dontlognull
option http-use-htx
# Access-log line (GELF-style JSON). The capture slots used here are allocated in the frontend
# in declaration order: capture.req.hdr(0)=User-Agent, (1)=Host, (2)=Referer.
# NOTE(review): "phpsessid":"%CC" writes the captured PHPSESSID cookie value - a live session
# identifier - into a log stream that leaves the host over plain syslog/UDP (see the global
# "log" line). Consider dropping the field or logging a hash of it instead.
log-format '{"version":"1.1","source":"haproxy01a","host":"haproxy01a","log_type":"http_access","short_message":"%r","level":5,"remote_address":"%[src,ipmask(24)]","frontend":"%ft","backend":"%b","server":"%s","time_connect":%TR,"time_wait":%Tw,"time_connect_server":%Tc,"time_response_server":%Tr,"time_total":%Tt,"response_status":%ST,"response_bytes":%B,"termination_state":"%tsc","server_queue":%sq,"server_conn":%sc,"backend_conn":%bc,"backend_queue":%bq,"retry":%rc,"unique_id":"%ID","http_method":"%HM","http_version":"%HV","request_path":"%HP","query_param":"%HQ","tls_version":"%sslv","ssl_cipher":"%sslc","vhost":"%[capture.req.hdr(1)]","user_agent":"%[capture.req.hdr(0)]","referer":"%[capture.req.hdr(2)]","phpsessid":"%CC"}' #,"post_content":"%{+E}hr","post_content2":"%hs","client_connections":"%[capture.res.hdr(0)]","phpsessid":"%CC"}'
timeout connect 5000
##timeout client 50000
timeout server 50000
timeout tarpit 2s
#new for websocket
# Client timeout raised from the former 50000 ms to 2h for long-lived websocket connections.
timeout client 2h
timeout client-fin 30s
timeout http-keep-alive 50000
# NOTE(review): with "timeout http-request" left unset, the request-header phase (and, with
# "option http-buffer-request" in the frontend, the body) is bounded only by the 2h client
# timeout according to the docs. Re-enabling it with a short value keeps slow clients from
# pinning a connection and a tune.bufsize-sized buffer for hours.
#timeout http-request 30s #set to prevent slowloris
unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid
unique-id-header X-Unique-ID
option log-health-checks
#option splice-auto
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
#errorfile 410 /etc/haproxy/errors/410.http
errorfile 429 /etc/haproxy/errors/429.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
frontend https
bind *:443 ssl crt /etc/cert/cert.pem alpn h2,http/1.1
#IMPORTANT if there is some strange behavior comment ignore in and comment no dontlog out!! IT is hard debug with this options..
#no option dontlognull
option http-ignore-probes
#option http-use-htx
# Buffer the whole request body before routing; required for the req.body capture below.
# The buffer is bounded by tune.bufsize (4069000 in global).
option http-buffer-request
# Request capture slots are numbered in declaration order: User-Agent=0, Host=1, Referer=2,
# and the "declare capture request" below takes id 3. The log-format in "defaults" relies on
# this order.
capture request header User-Agent len 128
capture request header Host len 48
capture request header Referer len 48
capture response header x-haproxy-ccount len 10
# This captured value is what "%CC" in the defaults log-format emits.
capture cookie PHPSESSID len 63
declare capture request len 1024
#option accept-invalid-http-request
# src_get_gpc0 without a table argument reads this frontend's own stick-table (declared further
# down); a source whose gpc0 has been incremented is rejected at connection time.
tcp-request connection reject if { src_get_gpc0 gt 0 }
#tcp-request content track-sc0 src
# NOTE(review): this binds counter sc0 to src in this frontend's table for the whole session,
# and the two http-request rules below bind sc1 and sc2. Per the docs only the first
# track-scN rule executed enables tracking for that counter, and a default build provides
# three counters (sc0..sc2), so a later "http-request track-sc0 ... table cache_limiter"
# in a backend has no free counter and is skipped - consistent with cache_limiter staying
# empty. Free a counter here (or build with more) if a backend needs its own tracking.
tcp-request session track-sc0 src
# Copies up to 1024 bytes of the request body into capture slot 3. Only log-format fields that
# reference it would emit it; the post_content fields in "defaults" are commented out.
http-request capture req.body id 3
http-request track-sc1 src table data_login
http-request track-sc2 src table post_shop
#declare all in a whitelist so that nothing is blocked from there
acl is_myrr src -f /etc/haproxy/myrr.lst
# NOTE(review): hdr(host) as an ACL is an exact (case-insensitive) match on the whole Host
# value, so this only matches "Host: secure". It is also client-controlled: every deny and
# tarpit below is exempted with !is_secure, so the exemption rests on a value the client
# chooses. Tie it to a source ACL or a separate bind instead if it is meant to be trusted.
acl is_secure hdr(host) -i secure
#bot detection and deny bots
acl is_robot hdr_reg(User-Agent) -i -f /etc/haproxy/bots.lst
http-request deny if is_robot !is_secure
acl is_blacklist src -f /etc/haproxy/blacklist.lst
acl is_tor_client src -f /etc/haproxy/tor.lst
http-request deny if is_blacklist !is_secure
#http-request deny deny_status 429 if is_tor_client !is_secure
# Tor exits get a 412 with a fixed text body instead of a plain deny.
http-request return status 412 content-type "text/plain" string "query accepted and queued" if is_tor_client !is_secure
#acl is_referer_abuse hdr_reg(Referer) -m found -i http -i -
# Per-source table backing sc0 and the src_* fetches in this frontend. Keep the 3s/5s/10s/15s
# windows in mind when reading the thresholds in the tarpit rules below.
stick-table type ip size 500k expire 60m store gpc0,gpc1,conn_cur,conn_rate(3s),http_req_rate(5s),http_err_rate(10s),gpc0_rate(10s),gpc1_rate(15s)
#http-request tarpit if { src_conn_cur ge 500 } !is_myrr
# Tarpit (timeout tarpit 2s in defaults) abusive sources; whitelisted (is_myrr) and "secure"
# hosts are exempt.
http-request tarpit deny_status 429 if { src_conn_cur ge 300 } !is_myrr !is_secure
http-request tarpit if { src_conn_rate ge 6000 } !is_myrr !is_secure
#http-request tarpit if { sc0_http_err_rate() gt 200 } !is_myrr
# sc0_http_req_rate() reads through the sc0 tracking set up by the tcp-request session rule above.
http-request tarpit if { sc0_http_req_rate() gt 10000 } !is_myrr !is_secure
use_backend cache_GO_http_BE if { hdr(host) -i cache.abc.com -i api.abc.com }
backend data_login
# Table-only backend (no servers): backs the sc1 tracking done in "frontend https".
stick-table type ip size 1m expire 10m store gpc0,gpc0_rate(15s)
backend post_shop
# Table-only backend (no servers): backs the sc2 tracking done in "frontend https".
stick-table type ip size 1m expire 10m store gpc0,gpc0_rate(10s),gpt0
backend abuser_200er
# Sink backend: every request is answered with a 200 deny, nothing is forwarded.
http-request deny deny_status 200
backend maintenance_410
# Maintenance sink: every request is answered with 410 (the 410 errorfile in defaults is
# commented out, so the built-in page is served).
http-request deny deny_status 410
backend cache_limiter
# Table-only backend keyed on base32+src: a 32-bit hash of "base" plus the source address,
# i.e. 8 bytes for an IPv4 source (an IPv6 source would not fit into the 8 bytes declared
# here). NOTE(review): 900 has no unit suffix; stick-table periods default to milliseconds,
# so this is a 900 ms window - use 900s if a 15-minute window was intended.
stick-table type binary len 8 size 100k expire 1m store http_req_rate(900)
backend token_limiter
# Table-only backend; nothing in this stripped-down config references it.
stick-table type ip size 10k expire 10m store http_req_rate(10m)
backend cache_GO_http_BE
mode http
balance roundrobin
#option forwardfor header X-Client-IP
# Passes the /24-masked client address to the servers. NOTE(review): add-header appends, so a
# client-supplied X-Client-IP would reach the application alongside this one; use set-header
# (or del-header first) if the application trusts this header.
http-request add-header X-Client-IP %[src,ipmask(24)]
fullconn 2000
# Overrides the 50000 ms server timeout from defaults.
timeout server 5m
option forwardfor
acl is_myrr src -f /etc/haproxy/myrr.lst
acl is_eventid_whitelist path_dir -i -f /etc/haproxy/api_whitelist.lst
acl is_limit_exclusion path_end -i groups.php scale.php
acl is_limit_path_exclusion path_dir -i complaints
acl is_office hdr_reg(User-Agent) -i Excel Microsoft
# NOTE(review): this is the rule reported as not working. By the time a request reaches this
# backend, "frontend https" has already bound sc0 ("tcp-request session track-sc0 src") as
# well as sc1 and sc2. Per the docs only the first track-scN rule executed for a counter takes
# effect, and a default build has three counters, so this rule has no free counter and is
# skipped - consistent with cache_limiter staying empty. Release a counter in the frontend
# for this use, or build with more counters. "if TRUE" is redundant.
http-request track-sc0 base32+src table cache_limiter if TRUE
# Per-URL-per-source rate limit, read straight from the cache_limiter table. The entry (and its
# http_req_rate) only exists if the track-sc0 rule above succeeded, so both fail together.
# NOTE(review): %[base] is client-controlled and is inserted into the JSON body unescaped;
# %[base,json] keeps a quote in the path from breaking the document.
http-request return status 406 content-type "application/json" lf-string '{ "errors" : [ { "status" : "406", "title" : "Not Acceptable", "detail" : "Your IP %[src] reached out the request limit for this specific call to %[base]" } ] }' if { base32+src,table_http_req_rate(cache_limiter) gt 1 } !is_myrr !is_limit_exclusion !is_limit_path_exclusion !is_office !METH_POST !is_eventid_whitelist
filter compression
compression algo gzip
# "#" starts a comment anywhere outside quotes, so the effective list is
# text/html text/plain text/xml text/json text/css; the two javascript types are commented out.
compression type text/html text/plain text/xml text/json text/css# text/javascript application/javascript
server cache2_140 1.2.3.140:8260 check weight 10 maxconn 250 inter 1s fall 3 #backup