Hi,
I am trying to reject TCP connections from users based on conn_cur and conn_rate, and I am using tcp-request connection reject to do that. The problem is that I am not getting any logs which show these rejections. I have read somewhere that people suggested using tcp-request content reject instead. My question is whether this is going to impact my protection functionality. What I want to do eventually is maintain a list of BAD IPs without hampering my protection functionality.
Here is my configuration file:

    global
        log 127.0.0.1 local0
        maxconn 4096
        user haproxy
        group haproxy
        tune.ssl.default-dh-param 2048

    defaults
        log global
        mode http
        option httplog
        option dontlognull
        stats enable
        option forwardfor
        option httpclose
        retries 3
        option redispatch
        maxconn 2000
        timeout connect 5000
        timeout client 50000
        timeout server 50000
        timeout http-request 5s

    frontend application_server
        bind *:443 ssl crt /etc/ssl/private/shrey.staging.myservices.com.pem
        # Abuse protection
        timeout http-request 5s
        tcp-request connection reject if { src_conn_cur(abusers) ge 10 }
        tcp-request connection reject if { src_conn_rate(abusers) ge 20 }
        tcp-request connection track-sc1 src table abusers
        default_backend backend_app1_ssl

    backend backend_app1_ssl
        balance roundrobin
        server mon3 xx.xx.xx.xx:443 ssl verify none
        server mon4 xx.xx.xx.xx:443 ssl verify none

    backend abusers
        # Stick Table.
        stick-table type ip size 200k expire 30s store conn_rate(3s),conn_cur

Any help would be appreciated, thanks in anticipation.
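The post above wants a list of bad IPs built from rejection logs. Rejections made by tcp-request connection reject happen before a session exists, so HAProxy writes no log line for them; a reject that happens after session creation (such as tcp-request content reject) is logged with the termination state's first flag set to P (session aborted by the proxy). The following script is an added example, not part of the original post or of HAProxy: it parses option httplog lines, collects source addresses whose sessions the proxy aborted, and renders them as a one-address-per-line file of the kind an acl ... src -f <file> directive can load. The log lines, addresses and the PR-- sample entries are constructed for the example; the exact status code and timers HAProxy writes on a rejected session are not relied on.

```python
import re
from collections import Counter

# Field layout of the default "option httplog" line: client ip:port, accept
# date, frontend, backend/server, timers, status, bytes, two captured cookies,
# 4-character termination state. Only the fields used below are captured.
HTTPLOG_RE = re.compile(
    r"haproxy\[\d+\]: (?P<ip>[0-9a-fA-F.:]+):\d+ "
    r"\[(?P<ts>[^\]]+)\] (?P<frontend>\S+) (?P<backend>\S+) "
    r"(?P<timers>[\d/-]+) (?P<status>-?\d+) (?P<bytes>\d+) "
    r"(?P<req_cookie>\S+) (?P<resp_cookie>\S+) (?P<term>\S{4}) "
)

# Constructed sample log: one normal request, three proxy-aborted sessions
# from two sources (termination state "PR--"), and one unrelated line.
SAMPLE_LOG = """\
Feb  6 12:14:14 lb1 haproxy[14389]: 198.51.100.4:33317 [06/Feb/2009:12:14:14.655] application_server backend_app1_ssl/mon3 10/0/30/69/71 200 2750 - - ---- 1/1/1/1/0 0/0 "GET /index.html HTTP/1.1"
Feb  6 12:14:15 lb1 haproxy[14389]: 203.0.113.7:51234 [06/Feb/2009:12:14:15.001] application_server application_server/<NOSRV> -1/-1/-1/-1/0 400 0 - - PR-- 12/12/0/0/0 0/0 "<BADREQ>"
Feb  6 12:14:15 lb1 haproxy[14389]: 203.0.113.7:51235 [06/Feb/2009:12:14:15.004] application_server application_server/<NOSRV> -1/-1/-1/-1/0 400 0 - - PR-- 13/13/0/0/0 0/0 "<BADREQ>"
Feb  6 12:14:16 lb1 haproxy[14389]: 203.0.113.9:40001 [06/Feb/2009:12:14:16.120] application_server application_server/<NOSRV> -1/-1/-1/-1/0 400 0 - - PR-- 14/14/0/0/0 0/0 "<BADREQ>"
Feb  6 12:14:17 lb1 haproxy[14389]: Proxy application_server started.
"""


def parse_line(line):
    """Return the captured httplog fields as a dict, or None if the line
    is not an httplog request line."""
    m = HTTPLOG_RE.search(line)
    return m.groupdict() if m else None


def proxy_aborted(rec):
    """True when the first termination flag is 'P': the proxy itself ended
    the session (reject/deny rule), as opposed to client or server."""
    return rec["term"][0] == "P"


def rejected_sources(lines, threshold=1):
    """Source addresses with at least `threshold` proxy-aborted sessions,
    sorted for stable output."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is not None and proxy_aborted(rec):
            counts[rec["ip"]] += 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def acl_file_content(ips):
    """Render addresses one per line, the format loaded by
    `acl <name> src -f <file>` in HAProxy."""
    return "".join(ip + "\n" for ip in ips)


if __name__ == "__main__":
    bad = rejected_sources(SAMPLE_LOG.splitlines(), threshold=2)
    print(acl_file_content(bad), end="")
```

With threshold=2 only 203.0.113.7 ends up in the file; with the default threshold both constructed sources do. Note that this only ever sees rejections that produced a log line, which is exactly why the tcp-request connection rejects in the config above stay invisible to it.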