Hi Everybody,
I’m trying to track L7 messages from the backend in order to slow down new incoming connections from a certain IP address.
My backend always responds 200 to any request, so I can’t track on 4xx return codes.
In my configuration, I’m capturing the response from the backend server and, if it matches a certain substring (authentication failure), I store the src IP in a specific stick-table (with http-response track) and increment the http_req_rate counter.
But I don’t know how to fetch the value (http_req_rate) from the stick-table on a new incoming connection (http-request) in order to reply:
http-request deny deny_status 429 if { scX_http_req_rate gt 3 }
Here is my configuration file:

frontend http
    mode http
    bind :80
    timeout client 60s

    http-request track-sc0 src table logon_failed
    # http_req_rate is available but matches every request.
    stick match src table logon_failed

    # But scX_http_req_rate is not available.
    http-request deny deny_status 429 if { scX_http_req_rate gt 3 }
    # This is what I want to reply in case of 3 invalid logons by the same IP address.
    # http_req_rate will do the job of allowing the incoming IP again after a certain amount of time (6h).

    declare capture response len 80
    http-response capture res.body id 0
    acl logon_ko capture.res.hdr(0) -i -m sub "message":"authentication\ failure"
    http-response track-sc0 src table logon_failed if logon_ko

backend logon_failed
    stick-table type ip size 1m expire 6h store http_req_rate(6h)

backend http_server
    mode http
    timeout server 60s
    timeout connect 5s
    cookie SERVERID rewrite
    server http_local 127.0.0.1:8080
I don’t know how to fetch a value from a stick-table during http-request processing when the stick-table is populated by a tracker during http-response processing.
Thanks for your help!
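The usual way to do what the post describes is to keep tracking the source IP on the request side but to count only failed logons in a general-purpose counter (gpc0) from the response side, and then rate-limit on that counter rather than on http_req_rate (which, as the post notes, counts every request). The configuration below is an added example, not the original poster's configuration: it assumes a `default_backend http_server` line that the post does not show, and it matches on the plain substring "authentication failure" instead of the quoted JSON fragment to avoid the quoting problem in the original ACL.

```haproxy
frontend http
    mode http
    bind :80
    timeout client 60s

    # Bind the client IP to tracker slot 0 on every request. This does not
    # count anything by itself; it only makes the sc0_* fetches and the
    # sc-inc-gpc0 action below operate on this IP's table entry.
    http-request track-sc0 src table logon_failed

    # Refuse further requests once the *failure* rate (gpc0_rate over the
    # table's 6h window), not the request rate, exceeds 3. Must come after
    # the track-sc0 line so that sc0 is populated when the ACL is evaluated.
    http-request deny deny_status 429 if { sc0_gpc0_rate gt 3 }

    # Capture the start of the response body. res.body only sees what HAProxy
    # has already buffered; on 2.5+ "http-response wait-for-body" can be used
    # to make sure enough of the body is present before matching.
    declare capture response len 80
    http-response capture res.body id 0

    # Assumed pattern: matches the "authentication failure" text in the
    # backend's JSON error. Adjust to the real response body.
    acl logon_ko capture.res.hdr(0) -i -m sub "authentication failure"

    # Increment the failure counter for the IP tracked in slot 0 only when the
    # backend reported a failed logon, even though the status was 200.
    http-response sc-inc-gpc0(0) if logon_ko

    default_backend http_server

# Dedicated backend that only holds the stick-table.
backend logon_failed
    stick-table type ip size 1m expire 6h store gpc0_rate(6h)

backend http_server
    mode http
    timeout server 60s
    timeout connect 5s
    cookie SERVERID rewrite
    server http_local 127.0.0.1:8080
```

To check that failures are being counted, inspect the table over the stats socket (assuming a socket at /var/run/haproxy.sock configured with `stats socket`): `echo "show table logon_failed" | socat stdio /var/run/haproxy.sock`. Each entry lists gpc0_rate for the IP; entries disappear 6h after the last update because of the table's `expire`, which is what lets a blocked IP back in. Note that the deny rule sends 429 for the whole 6h window once the rate is exceeded, since gpc0_rate is a sliding rate over that period; use a shorter period in `gpc0_rate(...)` if a shorter lockout is wanted.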