Rate Limiting using form-data & x-www-form-urlencoded

Hi,

I want to block repeating post requests using form-data and/or x-www-form-urlencoded if more than 5 times within 30 minutes. The following configuration is working, but if there is a change in the value in form-data the requests are still being blocked even though it's totally a new request. I really appreciate any help on this. Thanks in advance.

I’m using HAProxy version 2.4.9, my current settings are as follows:

listen webfarm
  bind :443 ssl crt /etc/haproxy/certs/ssl-cert.pm

  acl services path_beg /services
  http-request set-header X-DOS-Protect %[src];%[req.fhdr(host)]%[capture.req.uri] if services

backend app_server
  stick-table type integer size 1m expire 30m store http_req_rate(30m)
  tcp-request inspect-delay 5s
  tcp-request content track-sc0 req.fhdr(X-DOS-Protect),crc32(1) if HTTP
  acl services path_beg /services
  http-request deny deny_status 429 if { sc0_http_req_rate gt 5 } services

  server webserver01 localhost:8080 check inter 30s
  errorfile 503 /etc/haproxy/errors/maintenance.htm

Hi,

First, you don’t seem to run in mode http, is there any good reason for that?
Second, I don’t see any direct relation between the listen section and the backend section. You may be missing a default_backend or a use_backend directive somewhere.

I think your issue is that you miss the request body in your hash.

frontend webfarm
  mode http
  bind :443 ssl crt /etc/haproxy/certs/ssl-cert.pm

  option http-buffer-request

  acl services path_beg /services
  http-request set-var(txn.xdosprotect) %[src];%[req.fhdr(host)]%[path]%[req.body] if services
  stick-table type integer size 1m expire 30m store http_req_rate(30m)
  tcp-request content track-sc0 var(txn.xdosprotect),crc32(1) if services
  http-request deny deny_status 429 if { sc0_http_req_rate gt 5 }

  default_backend app_server

backend app_server
  mode http
  server webserver01 localhost:8080 check inter 30s
  errorfile 503 /etc/haproxy/errors/maintenance.htm

Note that I would also add a peers section with at least the local machine only in order to synchronize data across reloads.

Hi, Thank you for the reply.

Sorry about that, when pasting the code I missed the mode http & default_backend app_server part.

I’ve made the changes accordingly however I got the following error messages:

[NOTICE] (2609232) : haproxy version is 2.4.9-1ppa1~focal
[NOTICE] (2609232) : path to executable is /usr/sbin/haproxy
[ALERT] (2609232) : parsing [/etc/haproxy/haproxy.cfg:199] : error detected in frontend 'webfarm' while parsing 'http-request set-var(txn.xdosprotect)' rule : missing fetch method.
[ALERT] (2609232) : Error(s) found in configuration file : /etc/haproxy/haproxy.cfg

The problematic line 199 is:
http-request set-var(txn.xdosprotect) %[src];%[req.fhdr(host)]%[path]%[req.body] if services

Is there any syntax that I might have missed above?
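The "missing fetch method" error comes from giving set-var a log-format string (%[...]) where HAProxy expects a sample expression. Below is an added example configuration (not posted by anyone in this thread) for HAProxy 2.4 that builds the same src/host/path/body key with the concat converter, tracks it in the http-request phase, and adds the peers section suggested above; the peer name MY_HOSTNAME and the port 10000 are placeholders.

```haproxy
# Added example (not from the thread): rate-limit repeated identical form
# submissions to /services on HAProxy 2.4. set-var takes a sample expression,
# so the key is built with concat() instead of log-format (%[...]).
peers local_peers
  # Placeholder: MY_HOSTNAME must equal this host's name (output of `hostname`)
  # or the value passed to haproxy with -L, so the table survives reloads.
  peer MY_HOSTNAME 127.0.0.1:10000

frontend webfarm
  mode http
  bind :443 ssl crt /etc/haproxy/certs/ssl-cert.pm

  # Required for req.body; only up to tune.bufsize of the body is buffered,
  # so very large bodies are hashed on their first bytes only.
  option http-buffer-request

  acl services  path_beg /services
  acl form_post method POST
  acl form_ct   req.hdr(content-type),lower -m beg application/x-www-form-urlencoded multipart/form-data

  stick-table type integer size 1m expire 30m store http_req_rate(30m) peers local_peers

  # Build the key src:host:path:body. Each part goes into a variable first,
  # because concat() can only append constant strings and variable contents.
  http-request set-var(txn.host) req.hdr(host) if services form_post form_ct
  http-request set-var(txn.path) path if services form_post form_ct
  http-request set-var(txn.body) req.body if services form_post form_ct
  http-request set-var(txn.key) src,concat(:,txn.host,),concat(:,txn.path,),concat(:,txn.body,) if services form_post form_ct

  # Track in the http-request phase: tcp-request content rules are evaluated
  # before http-request set-var, so the variable would still be empty there.
  http-request track-sc0 var(txn.key),crc32(1) if services form_post form_ct

  # Deny the 6th identical submission within 30 minutes. A changed body
  # hashes to a different key and gets its own counter.
  http-request deny deny_status 429 if services { sc0_http_req_rate gt 5 }

  default_backend app_server

backend app_server
  mode http
  server webserver01 localhost:8080 check inter 30s
  errorfile 503 /etc/haproxy/errors/maintenance.htm
```

Check the result with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading; on 2.5 and later, `http-request set-var-fmt(txn.key) %[src]:%[req.hdr(host)]...` accepts the log-format form directly.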