Skip to content

Instantly share code, notes, and snippets.

@gnilchee

gnilchee/haproxy.cfg

Created March 10, 2020 01:32
Show Gist options
  • Save gnilchee/bd4a3cfdfec4577e8f127726bb9d4339 to your computer and use it in GitHub Desktop.
Save gnilchee/bd4a3cfdfec4577e8f127726bb9d4339 to your computer and use it in GitHub Desktop.
Download ZIP
HAProxy config supporting an active/active setup with shared table used for rate limiting
Raw
haproxy.cfg
# tested with HAProxy 2.0 LTS on Debian 9
global
stats socket /tmp/haproxy_admin.sock mode 660 level admin expose-fd listeners
stats timeout 30s
user haproxy
group haproxy
defaults
mode http
maxconn 500
balance roundrobin
timeout connect 5000
timeout client 50000
timeout server 50000
timeout http-request 5s
option http-server-close
option forwardfor if-none
option redispatch
stats enable
stats refresh 30s
stats auth haproxy:password
stats uri /haproxy?stats
stats hide-version
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
peers haproxy-peers
peer haproxy-1 172.20.0.100:10000
peer haproxy-2 172.20.0.101:10000
# shared table
table ha-shared type string len 64 size 1m expire 15m store http_err_rate(5m),http_req_rate(5m)
frontend haproxy-1_fe
bind *:80
mode http
###################
# rate/err limiting
###################
tcp-request inspect-delay 5s
tcp-request content track-sc0 hdr(x-forwarded-for,-1) table haproxy-peers/ha-shared
acl err_abuse hdr(X-Forwarded-For,-1),table_http_err_rate(haproxy-peers/ha-shared) ge 5
acl rate_abuse hdr(X-Forwarded-For,-1),table_http_req_rate(haproxy-peers/ha-shared) ge 25
###################
use_backend err_limiter if err_abuse
use_backend rate_limiter if rate_abuse !err_abuse
default_backend default
backend default
balance roundrobin
option tcp-check
default-server inter 15s fall 3 rise 2
###################
# stick on xff
###################
stick on hdr(X-Forwarded-For,-1) table haproxy-peers/ha-shared
###################
server default_httpbin httpbin.org:443 ssl verify none check port 443 maxconn 100
backend rate_limiter
mode http
http-request deny deny_status 429
backend err_limiter
mode http
http-request reject
Raw
validate_counts.txt
you can display counters in haproxy-peers/ha-shared table
---------------------------------------------------------
echo "show table haproxy-peers/ha-shared" | socat stdio /tmp/haproxy_admin.sock
example output
---------------------------------------------------------
root@haproxy-2:~# echo "show table haproxy-peers/ha-shared" | socat stdio /tmp/haproxy_admin.sock
# table: haproxy-peers/ha-shared, type: string, size:1048576, used:0
after hitting haproxy-1 with a 404 using no XFF (note http_req_rate AND http_err_rate remains 0)
---------------------------------------------------------
root@haproxy-2:~# echo "show table haproxy-peers/ha-shared" | socat stdio /tmp/haproxy_admin.sock
# table: haproxy-peers/ha-shared, type: string, size:1048576, used:1
0x7f43f801e3d8: key=172.20.0.1 use=0 exp=896691 server_id=1 http_req_rate(300000)=0 http_err_rate(300000)=0 server_name=default_httpbin
after hitting haproxy-1 with a 404 using XFF (note http_req_rate AND http_err_rate increments)
---------------------------------------------------------
root@haproxy-2:~# echo "show table haproxy-peers/ha-shared" | socat stdio /tmp/haproxy_admin.sock
# table: haproxy-peers/ha-shared, type: string, size:1048576, used:2
0x7f43f801e3d8: key=172.20.0.1 use=0 exp=789090 server_id=1 http_req_rate(300000)=0 http_err_rate(300000)=0 server_name=default_httpbin
0x7f43f801e558: key=192.168.1.50 use=0 exp=894193 server_id=1 http_req_rate(300000)=1 http_err_rate(300000)=1 server_name=default_httpbin
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment