Last active May 29, 2020 19:29
HAProxy: respond with 429 on a high rate of 4xx or 5xx response codes
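haproxy.cnf

# Match the protected path and the response codes that should be counted
acl acl_oauth_path path_beg /oauth
acl acl_4xx_status status 400 401 403
acl acl_5xx_status status 500 501 502 503 504 505 506 507 508 509 510 511 598 599
# Track each client IP that requests /oauth: sc0 counts 4xx, sc1 counts 5xx
http-request track-sc0 src table oauth_4xx_table if acl_oauth_path
http-request track-sc1 src table oauth_5xx_table if acl_oauth_path
# Increment gpc0 (and so gpc0_rate) on the tracked entry when the response matches
http-response sc-inc-gpc0(0) if acl_4xx_status
http-response sc-inc-gpc0(1) if acl_5xx_status
# Reject with 429 once a client's rate is above 5 within the table's gpc0_rate period
http-request deny deny_status 429 if { sc0_gpc0_rate gt 5 }
http-request deny deny_status 429 if { sc1_gpc0_rate gt 5 }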

Check config validity

alias hacheck='haproxy -c -V -f /etc/haproxy/haproxy.cfg'
root@haproxy1:/etc/haproxy# hacheck
Configuration file is valid

Check stats for tables

root@haproxy1:/home/yoleksandr# echo "show table oauth_4xx_table" | socat stdio UNIX-CONNECT:/var/run/haproxy/admin.sock && echo "show table oauth_5xx_table" | socat stdio UNIX-CONNECT:/var/run/haproxy/admin.sock
# table: oauth_4xx_table, type: ip, size:1048576, used:0
# table: oauth_5xx_table, type: ip, size:1048576, used:0

Docs:
https://www.haproxy.com/documentation/hapee/1-9r1/onepage/#4.2-http-response%20track-sc0
https://www.haproxy.com/blog/introduction-to-haproxy-stick-tables/
https://www.haproxy.com/blog/bot-protection-with-haproxy/
https://www.haproxy.com/blog/introduction-to-haproxy-acls/
https://stackoverflow.com/questions/56015422/how-to-rate-limit-by-http-status-code-with-haproxy
https://www.haproxy.com/blog/four-examples-of-haproxy-rate-limiting/
https://icicimov.github.io/blog/devops/HAProxy-DDOS-protection-and-API-rate-limiting/
https://www.haproxy.com/blog/dynamic-configuration-haproxy-runtime-api/

II

acl acl_oauth_path path_beg /oauth
acl acl_4xx_status status 400 401 403
acl acl_5xx_status status 500 501 502 503 504 505 506 507 508 509 510 511 598 599
http-request track-sc0 src table oauth_4xx_table if acl_oauth_path
http-request track-sc1 src table oauth_5xx_table if acl_oauth_path
http-response sc-inc-gpc0(0) if acl_4xx_status
http-response sc-inc-gpc0(1) if acl_5xx_status
# Send over-limit clients (except OPTIONS requests) to a backend that answers 429
use_backend response_4xx if { sc0_gpc0_rate gt 5 } !{ method OPTIONS }

# Dummy backends that only hold the stick tables
backend oauth_4xx_table
    stick-table type ip size 1m expire 1h store gpc0_rate(24h)

backend oauth_5xx_table
    stick-table type ip size 1m expire 1h store gpc0_rate(24h)

# Returns the custom 429 page, which carries the CORS headers
backend response_4xx
    http-request deny deny_status 429
    errorfile 429 /etc/haproxy/errors/429.http

root@haproxy:~# cat /etc/haproxy/errors/429.http
HTTP/1.0 429 Too Many Requests
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: POST,GET,OPTIONS,DELETE
Access-Control-Allow-Headers: authorization,content-type,x-locale,x-version
Cache-Control: no-cache
Connection: close
Content-Type: text/html

<html><body><h1>429 Too Many Requests</h1>
Too many requests, please come back later.
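
Added example (not part of the original gist): a shell helper that reads `show table` output and lists the tracked clients whose `gpc0_rate` is above the config's threshold of 5, i.e. the ones currently being answered with 429. The sample table lines are constructed and the function names `sample_table` and `over_limit` are hypothetical.

```shell
#!/bin/sh
# Added example, not from the gist. On a live host feed over_limit from the
# gist's own socat command, or let HAProxy filter server-side:
#   echo "show table oauth_4xx_table data.gpc0_rate gt 5" | socat stdio UNIX-CONNECT:/var/run/haproxy/admin.sock

THRESHOLD=5   # same value as "sc0_gpc0_rate gt 5" in the config

# Constructed sample of "show table" output (documentation-range IPs,
# made-up pointers and counters). 86400000 ms is the 24h gpc0_rate period.
sample_table() {
    cat <<'EOF'
# table: oauth_4xx_table, type: ip, size:1048576, used:3
0x55d0c8a1b2c0: key=192.0.2.10 use=0 exp=3480211 gpc0_rate(86400000)=7
0x55d0c8a1b3f0: key=198.51.100.23 use=1 exp=3599874 gpc0_rate(86400000)=5
0x55d0c8a1b520: key=203.0.113.7 use=0 exp=120455 gpc0_rate(86400000)=42

EOF
}

# over_limit LIMIT: read "show table" output on stdin and print
# "<key> <rate> <seconds until the entry expires>" for every entry whose
# gpc0_rate is strictly greater than LIMIT (same comparison as "gt").
over_limit() {
    awk -v limit="$1" '
        /^#/ || NF == 0 { next }    # skip the table header and blank lines
        {
            key = ""; rate = ""; ttl = 0
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^key=/) { key = substr($i, 5) }
                if ($i ~ /^exp=/) { ttl = substr($i, 5) }    # milliseconds
                if ($i ~ /^gpc0_rate\([0-9]+\)=/) {
                    rate = $i
                    sub(/^[^=]*=/, "", rate)
                }
            }
            if (key != "" && rate != "" && rate + 0 > limit + 0) {
                print key, rate, int(ttl / 1000)
            }
        }'
}

sample_table | over_limit "$THRESHOLD"
```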