HAProxy community

Problems getting rate limiting to work correctly with HTTPS


#1

Hi,
I am trying to set up a HAProxy loadbalancer to include simple rate-limit to avoid obvious abuse.
See drawing for simple schematic and note:

  • SNI is used to distinguish target “clusters”
  • SSL passthrough is needed so no content may be observed

The setup we have now works fine except for the rate limits.

We tried several suggested examples found but non seem to work properly.

What we need, is a simple way to avoid “abuse” rate attempts of connections coming from same IP, lets say 20 attempts per second, and ban that IP for further attempts for say 10 seconds.

We tried a lot of approaches based on especially the examples listed here - but none seem to work as expected. Many are very old and almost all only deal with HTTP or SSL being terminated on HAproxy.

Any hints and a link to a running example config is very very welcome.

List of links we looked at:
https://blog.serverfault.com/2010/08/26/1016491873/





Platform:
Ubuntu 18.04
HA-Proxy version 1.8.8-1ubuntu0.2 2018/10/02

Current setup:

global
log /var/lib/haproxy/dev/log local0 info
maxconn 65000
user haproxy
group haproxy
daemon
stats socket /run/haproxy/haproxy.sock mode 660 level admin
stats timeout 2m

defaults
log global
mode tcp
option tcplog
retries 2
timeout http-request 5s
timeout connect 5s
timeout client 60s
timeout server 60s
timeout http-keep-alive 10s
timeout check 10s
maxconn 65000

#Port 80 redirect immidiately to same HTTPS URL
frontend http-in
bind :80
log global
mode http
use_backend http-redirect if !{ ssl_fc }

frontend access_https
mode tcp
log global
bind :443
use_backend test1_cluster_https if { req_ssl_sni -i “test1.example.com” }
use_backend test2_cluster_https if { req_ssl_sni -i “test2.example.com” }
default_backend rate-limit

backend test1_cluster_https
mode tcp
balance roundrobin
option tcp-check
server test1-node1 10.1.1.10 send-proxy check
server test1-node2 10.1.1.20 send-proxy check

backend test2_cluster_https
mode tcp
balance roundrobin
option ssl-hello-chk
option tcp-check
server test2-node1 10.1.2.10 send-proxy check
server test2-node2 10.1.2.20 send-proxy check

backend rate-limit
server test1-node1 10.1.2.10 send-proxy check
server test1-node2 10.1.2.20 send-proxy check

backend http-redirect
mode http
redirect scheme https code 301 if !{ ssl_fc }

####################################################