Logging for rejected TCP connections


#1

Hi,
I am trying to reject TCP connections from users based on conn_cur and conn_rate, and I am using tcp-request connection reject to do that. But the problem is I am not getting any logs that show these rejections. I have read somewhere that people suggested using tcp-request content reject instead. My question is whether this is going to impact my protection functionality. What I want to do eventually is maintain a list of bad IPs without hampering my protection functionality.

Here is my configuration file:

Any help would be appreciated, thanks in anticipation.

global
    log 127.0.0.1 local0
    maxconn 4096
    user haproxy
    group haproxy
    tune.ssl.default-dh-param 2048

defaults
    log global
    mode http
    option httplog
    option dontlognull
    stats enable
    option forwardfor
    option httpclose
    retries 3
    option redispatch
    maxconn 2000
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    timeout http-request 5s

frontend application_server
    bind *:443 ssl crt /etc/ssl/private/shrey.staging.myservices.com.pem

    # Abuse protection
    timeout http-request 5s
    tcp-request connection reject if { src_conn_cur(abusers) ge 10 }
    tcp-request connection reject if { src_conn_rate(abusers) ge 20 }
    tcp-request connection track-sc1 src table abusers
    default_backend backend_app1_ssl

backend backend_app1_ssl
    balance roundrobin
    server mon3 xx.xx.xx.xx:443 ssl verify none
    server mon4 xx.xx.xx.xx:443 ssl verify none

backend abusers
    # Stick Table.
    stick-table type ip size 200k expire 30s store conn_rate(3s),conn_cur


#2

In the above configuration, I have commented out option dontlognull and added option logasap.


#3

Correct:
https://www.mail-archive.com/haproxy@formilux.org/msg10795.html

Don’t use “tcp-request connection reject” if you want to log it.
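The logged variant of the frontend from post #1, as an added example (not from the original thread): the two reject rules move from the `tcp-request connection` stage to the `tcp-request content` stage, where the session already exists and so can produce a log line. Table name, thresholds and backend names are taken from the thread; everything else stays as posted.

```haproxy
frontend application_server
    bind *:443 ssl crt /etc/ssl/private/shrey.staging.myservices.com.pem
    timeout http-request 5s

    # Track the source IP first, so that attempts which get rejected
    # below still count towards conn_cur / conn_rate in the table.
    tcp-request connection track-sc1 src table abusers

    # Content-stage rules are evaluated after the session (and its log
    # entry) has been created, so a reject here appears in the frontend
    # log; a connection-stage reject happens before any session exists
    # and is therefore never logged.
    tcp-request content reject if { src_conn_cur(abusers) ge 10 }
    tcp-request content reject if { src_conn_rate(abusers) ge 20 }

    default_backend backend_app1_ssl

backend abusers
    # Same table as in post #1
    stick-table type ip size 200k expire 30s store conn_rate(3s),conn_cur
```

Keep `option dontlognull` disabled (as post #2 does), otherwise a session rejected before the client sent any bytes is a "null" session and is dropped from the log. The trade-off for the logging is that `tcp-request content` rules on an ssl bind run only after the TLS handshake has completed, whereas `tcp-request connection` rules fire at accept time, so the abuser costs a handshake before being dropped; the thresholds themselves are unchanged.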