Tcp-request accept for static files

Bobot · January 3, 2016, 4:37pm

Hey !

I have actually configured my HAP to counter some kiddy L7 DDoS. In this way I limited the conn_cur, conn_rate, and http_req_rate to very low values. But when a page is called, there is many css and js and images files that are called, and I cannot allow a larger http_req_rate or even conn_rate if I want the DDoS to be mitigated nicely…

So I dont want to apply limits for the static files that are just everywhere onto the app I have to maintain (the rewrite is shitty). But I have absolutely no idea on how …

There is what I would like to do :

acl static path_end -i .html .js .css
acl static path_end -i .png .jpg .jpeg .gif .mp3 .swf

stick-table type ip size 100k expire 10s store conn_cur,conn_rate(3s),http_req_rate(3s)

tcp-request connection accept if static
tcp-request connection reject if { src_conn_cur gt ## }
tcp-request connection reject if { src_conn_rate gt ## }
tcp-request connection reject if { src_http_req_rate() gt ## }
tcp-request connection track-sc1 src

But hap check giving me following warns :

[WARNING] *** acl 'static' will never match in 'tcp-request connection' because it only involves keywords that are incompatible with 'frontend tcp-request connection rule'

I dont realy understand what it means …

I actually cant use an other backend …

Any idea ?

PS: Sorry for my poor English

ahayworth · January 6, 2016, 4:56pm

Basically, HAProxy is complaining because you’re asking it to reject TCP connections, based on information at the HTTP level.

Try changing the tcp-request connection lines to http-request ? The DOS mitigation will not be as good, but it may allow what you want.

Alternatively, you could host assets at a different domain and limit things differently.

Hope that helps!

Andrew

Baptiste · January 15, 2016, 3:43am

tcp-request connection is executed as soon as the TCP connection has been accepted by the Kernel and HAProxy get notified about it. There is no data yet, hence the HTTP request is not there.
As explained above, turn on the rule over http-request, so you’re sure the HTTP parser was successful hence you can match HTTP headers.

In order to avoid any false positive, you can enable tracking on your dynamic traffic only:

tcp-request connection track-sc1 src if { path_end -i .php }

Topic		Replies	Views
HAProxy DDoS protection suggestions Help!	0	2110	October 21, 2019
DDOS protection using rate limits Help!	0	1495	January 18, 2023
Counter issues on 1.8.29 Help!	5	560	March 26, 2021
HAProxy rate limit questions Help!	0	636	September 29, 2019
Rate limit based on the number of success request Help!	6	956	November 1, 2023

Tcp-request accept for static files

Related topics