Problems getting rate limiting to work correctly with HTTPS

Hi,
I am trying to set up an HAProxy load balancer that includes a simple rate limit to avoid obvious abuse.
See drawing for simple schematic and note:

  • SNI is used to distinguish target “clusters”
  • SSL passthrough is needed so no content may be observed

The setup we have now works fine except for the rate limits.

We tried several suggested examples we found, but none seem to work properly.

What we need is a simple way to avoid “abuse” rate attempts of connections coming from the same IP, let's say 20 attempts per second, and ban that IP for further attempts for, say, 10 seconds.

We tried a lot of approaches based especially on the examples listed here, but none seem to work as expected. Many are very old and almost all only deal with HTTP or SSL being terminated on HAProxy.

Any hints and a link to a running example config are very, very welcome.

List of links we looked at:
https://blog.serverfault.com/2010/08/26/1016491873/





Platform:
Ubuntu 18.04
HA-Proxy version 1.8.8-1ubuntu0.2 2018/10/02

Current setup:

global
log /var/lib/haproxy/dev/log local0 info
maxconn 65000
user haproxy
group haproxy
daemon
stats socket /run/haproxy/haproxy.sock mode 660 level admin
stats timeout 2m

defaults
log global
mode tcp
option tcplog
retries 2
timeout http-request 5s
timeout connect 5s
timeout client 60s
timeout server 60s
timeout http-keep-alive 10s
timeout check 10s
maxconn 65000

# Port 80: redirect immediately to the same HTTPS URL
frontend http-in
bind :80
log global
mode http
use_backend http-redirect if !{ ssl_fc }

frontend access_https
mode tcp
log global
bind :443
# req_ssl_sni can only be evaluated once the TLS ClientHello has been buffered:
# wait for it (up to 5s) before the routing rules below are evaluated
tcp-request inspect-delay 5s
tcp-request content accept if { req_ssl_hello_type 1 }
use_backend test1_cluster_https if { req_ssl_sni -i "test1.example.com" }
use_backend test2_cluster_https if { req_ssl_sni -i "test2.example.com" }
default_backend rate-limit

backend test1_cluster_https
mode tcp
balance roundrobin
option tcp-check
server test1-node1 10.1.1.10 send-proxy check
server test1-node2 10.1.1.20 send-proxy check

backend test2_cluster_https
mode tcp
balance roundrobin
option ssl-hello-chk
option tcp-check
server test2-node1 10.1.2.10 send-proxy check
server test2-node2 10.1.2.20 send-proxy check

backend rate-limit
server test1-node1 10.1.2.10 send-proxy check
server test1-node2 10.1.2.20 send-proxy check

backend http-redirect
mode http
redirect scheme https code 301 if !{ ssl_fc }

####################################################

Did you ever figure this out? I’m in the same boat at the moment, only encountering HTTP examples which make no sense in today’s TLS web.
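The limit the original post asks for (20 connection attempts per second from one source, then a 10-second ban) does not depend on HTTP at all: in SSL passthrough it is enforced at TCP accept time with stick tables, before HAProxy reads a single TLS byte. The following is an added example config for HAProxy 1.8, not the poster's configuration and not from the HAProxy project; it reuses the backend names and hostnames from the post, while the table sizes and the `st_ban` backend name are assumptions.

```haproxy
# Ban list: an entry exists only for sources that exceeded the limit. Lookups
# do not refresh the entry, so it is purged 10s after it was created, which
# makes the table's expire value the ban duration.
backend st_ban
    stick-table type ip size 100k expire 10s store gpc0

frontend access_https
    mode tcp
    log global
    bind :443

    # Per-source counters: connection rate over a sliding 1-second window.
    stick-table type ip size 100k expire 10s store conn_rate(1s)

    # 1. Sources already on the ban list are refused at accept time. This rule
    #    comes before track-sc0, so refused attempts do not update the counters.
    tcp-request connection reject if { src_get_gpc0(st_ban) gt 0 }

    # 2. Count this connection against the client address.
    tcp-request connection track-sc0 src

    # 3. 20 or more connections within one second: create the ban entry for
    #    the source (sc1_inc_gpc0 sets its flag to 1) and refuse this attempt.
    acl over_limit src_conn_rate ge 20
    tcp-request connection track-sc1 src table st_ban if over_limit
    tcp-request connection reject if over_limit { sc1_inc_gpc0 gt 0 }

    # SNI routing: the ClientHello must be buffered before req_ssl_sni is read.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    use_backend test1_cluster_https if { req_ssl_sni -i test1.example.com }
    use_backend test2_cluster_https if { req_ssl_sni -i test2.example.com }
    # No default_backend: a connection with an unknown SNI gets no server
    # and is closed instead of being forwarded to a cluster it did not name.
```

While testing, `echo "show table st_ban" | socat stdio /run/haproxy/haproxy.sock` (the stats socket from the post) lists the currently banned sources, and `show table access_https` shows the live per-source connection rates.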