Tcp-request accept for static files


#1

Hey !

I have actually configured my HAP to counter some kiddy L7 DDoS. In this way I limited the conn_cur, conn_rate, and http_req_rate to very low values. But when a page is called, there are many CSS, JS and image files that are called, and I cannot allow a larger http_req_rate or even conn_rate if I want the DDoS to be mitigated nicely…

So I don't want to apply limits to the static files that are just everywhere in the app I have to maintain (the rewrite is shitty). But I have absolutely no idea how …

Here is what I would like to do:

acl static path_end -i .html .js .css
acl static path_end -i .png .jpg .jpeg .gif .mp3 .swf

stick-table type ip size 100k expire 10s store conn_cur,conn_rate(3s),http_req_rate(3s)

tcp-request connection accept if static
tcp-request connection reject if { src_conn_cur gt ## }
tcp-request connection reject if { src_conn_rate gt ## }
tcp-request connection reject if { src_http_req_rate() gt ## }
tcp-request connection track-sc1 src

But the HAP check gives me the following warning:

[WARNING] *** acl 'static' will never match in 'tcp-request connection' because it only involves keywords that are incompatible with 'frontend tcp-request connection rule'

I don't really understand what it means …

I actually can't use another backend …

Any ideas?

PS: Sorry for my poor English :confused:


#2

Basically, HAProxy is complaining because you’re asking it to reject TCP connections, based on information at the HTTP level.

Try changing the tcp-request connection lines to http-request? The DoS mitigation will not be as good, but it may allow what you want.

Alternatively, you could host assets at a different domain and limit things differently.

Hope that helps!

  • Andrew

#3

tcp-request connection is executed as soon as the TCP connection has been accepted by the kernel and HAProxy gets notified about it. There is no data yet, hence the HTTP request is not there.
As explained above, turn the rule into an http-request rule, so you're sure the HTTP parser was successful and hence you can match HTTP headers.

In order to avoid any false positive, you can enable tracking on your dynamic traffic only:

http-request track-sc1 src if { path_end -i .php }
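
One way to combine the advice in this thread, as an added example that is not from any of the posters: connection counters are enforced at layer 4 on the source address alone, and the request rate is tracked and enforced at layer 7, where the `static` ACL can match. Proxy names, the server address and all thresholds are constructed placeholders, and the two table-only backends (which receive no traffic) are an assumption made to keep connection counters and request counters in separate entries.

```haproxy
# Added example: names, address and thresholds are constructed placeholders.
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Table holders only; no traffic is ever routed to these two backends.
backend st_conn
    stick-table type ip size 100k expire 10s store conn_cur,conn_rate(3s)

backend st_req
    stick-table type ip size 100k expire 10s store http_req_rate(3s)

frontend fe_web
    bind :80

    # Layer 4: runs before any data is read, so only src-based
    # connection counters can be checked here.
    tcp-request connection track-sc0 src table st_conn
    tcp-request connection reject if { sc0_conn_cur gt 50 }
    tcp-request connection reject if { sc0_conn_rate gt 100 }

    # Layer 7: the request has been parsed, so path_end can match.
    acl static path_end -i .html .js .css
    acl static path_end -i .png .jpg .jpeg .gif .mp3 .swf

    # Count and limit only non-static requests per source address.
    http-request track-sc1 src table st_req unless static
    http-request deny deny_status 429 if !static { sc1_http_req_rate gt 20 }

    default_backend be_app

backend be_app
    server app1 192.0.2.10:8080
```

Running `haproxy -c -f <file>` on a layout like this should no longer print the "will never match" warning, because the `static` ACL is only referenced from `http-request` rules.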