Struggles with Stick-table string

Hello,

I'm having a bit of an issue blocking based on a token. My intention is for a token specified in the URL to be allowed only once (in the example below, per hour).

It's an HTTP backend; my original config is quite long, so for clarity I decided to post the most relevant part.

backend be_remote from http_frontend

    default-server ssl verify none
    server remoteapp 192.168.36.18

    acl token_reuse sc1_inc_gpc1(be_remote) gt 0

    stick-table type string len 120 size 100k expire 1h store gpc0
    http-request track-sc1 url_param(token)

    http-request deny if { url_param(token),table_gpc1(be_remote) gt 1 }

My stick table gets filled just fine (and I can likely get away with len 64), but after a day of trying almost everything…

table: be_remote, type: string, size:102400, used:1

0x1815faaa4488: key=CBD4B86D34CA070BC6984DCE0FDFC41795D1ABFC199607650257EC3752A9E5C7 use=3 exp=3591138 shard=0 gpc0=0

This is an actual token, but they invalidate soon enough.
The above works for the most part, except it does not block requests; my intention is that a second or later HTTP request containing the same token should be blocked.

For completeness, we call this with:
https://<url>/rdp/#/client/NwBjAG15c3Fs?token=CBD4B86D34CA070BC6984DCE0FDFC41795D1ABFC199607650257EC3752A9E5C7

Now I'm thinking that the comparison is maybe to blame because we use a string, but I can't find any examples or similar configs (plenty with ip src etc. counters, but almost none with string).

Can someone tell me why this does not work? I figured perhaps it was an issue that the traffic was already flowing and thus it might not be blocked anymore, so I moved the deny logic to a http_frontend, but same issue, hence my suspicion of it being related to the data being stored as a key=value.

Hope someone can help me out.

I've partially figured it out. The config does work; however, it just blocks the WebSocket creation. The application used swallows that and falls back to HTTP only.

I did learn something new, and the idea I had will simply not work. Web applications are not my area of expertise, but I do have a new appreciation for web developers 🙂