Hi, I am using HAProxy to rate limit following this document:
http://blog.haproxy.com/2012/02/27/use-a-load-balancer-as-a-first-row-of-defense-against-ddos/
"Limiting the number of connections per users"
So when I exceed the connection rate I see the following messages on my ab client machine:
SSL handshake failed (5).SSL handshake failed (5).SSL handshake failed (5).SSL handshake failed (5).
How can I give back a graceful message saying that you are rate limited? Basically, send them an HTTP message similar to the one they get when they are rate limited on HTTP request rate.
Here is my configuration:
    # Table definition
    stick-table type ip size 100k expire 30s store gpc0,conn_cur,conn_rate(3s),http_req_rate(10s),http_err_rate(10s)

    # Allow clean known IPs to bypass the filter
    tcp-request connection accept if { src -f /etc/haproxy/whitelist.lst }

    # If someone opens more than 40 connections over a period of 3 seconds, REJECT.
    # This results in the connection rate being capped for abusive sources.
    tcp-request connection reject if { sc0_conn_rate ge 40 }

    # Track the source address in the stick-table (entries are only created/updated
    # for tracked connections; nothing is stored in the table by default).
    tcp-request connection track-sc0 src

    # Shut the new connection as long as the client already has 20 opened
    tcp-request connection reject if { sc0_conn_cur ge 20 }

    # Reject clients that have already been flagged as abusers (gpc0 > 0)
    tcp-request connection reject if { sc0_get_gpc0 gt 0 }

    acl abuse_err sc0_http_err_rate ge 10
    acl flag_abuser_err sc0_inc_gpc0 ge 0
    acl abuse sc0_http_req_rate ge 250
    tcp-request content reject if abuse_err flag_abuser_err
    use_backend backend_slow_down if abuse
    default_backend www-backend

backend backend_slow_down
    timeout tarpit 2s
    errorfile 500 /etc/haproxy/errors/429.http
    http-request tarpit
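The handshake failures come from where the limit is enforced: a `tcp-request connection reject` closes the socket before the TLS handshake starts, so HAProxy never has a channel on which to send an HTTP body, and the client can only report a failed handshake. To return a 429 page, the connection has to be accepted, the handshake completed, and the decision taken at the HTTP layer with `http-request deny`. The following is an added example configuration (not the poster's config and not taken from the HAProxy blog or documentation) showing that restructuring. It assumes HAProxy 1.8 or newer for `deny_status 429` and `errorfile 429`, and the certificate path, backend server address and the `/etc/haproxy/errors/429.http` page are placeholders.

```haproxy
# Added example: connection-rate limiting answered with an HTTP 429 instead of
# a TCP reject. Assumes HAProxy 1.8+; paths and addresses are placeholders.
frontend www-https
    mode http
    bind :443 ssl crt /etc/haproxy/certs/site.pem

    stick-table type ip size 100k expire 30s store gpc0,conn_cur,conn_rate(3s),http_req_rate(10s),http_err_rate(10s)

    # Known-good IPs skip every rule below.
    tcp-request connection accept if { src -f /etc/haproxy/whitelist.lst }

    # Track the source first: sc0_* fetches only return data once the
    # connection is tracked, so this must precede any rule that reads sc0.
    tcp-request connection track-sc0 src

    # One hard cap stays at the TCP layer as a safety valve. A reject here
    # still produces "SSL handshake failed" on the client, but it also avoids
    # spending TLS handshake CPU on a source holding far more connections than
    # any legitimate client opens.
    tcp-request connection reject if { sc0_conn_cur ge 100 }

    # Normal limits are evaluated after the handshake, where a response can be sent.
    acl conn_rate_abuse sc0_conn_rate ge 40
    acl conn_cur_abuse  sc0_conn_cur ge 20
    acl flagged_abuser  sc0_get_gpc0 gt 0
    acl abuse_err       sc0_http_err_rate ge 10
    acl flag_abuser_err sc0_inc_gpc0 ge 0
    acl abuse           sc0_http_req_rate ge 250

    # Flag a source producing too many errors; sc0_inc_gpc0 only runs when
    # abuse_err matched first, because ACL evaluation stops at the first miss.
    http-request deny deny_status 429 if abuse_err flag_abuser_err

    # Connection-rate, concurrency and previously flagged offenders now get the
    # 429 page instead of a dropped socket.
    http-request deny deny_status 429 if conn_rate_abuse || conn_cur_abuse || flagged_abuser

    use_backend backend_slow_down if abuse
    default_backend www-backend

    # Body served with the 429 responses above (placeholder path).
    errorfile 429 /etc/haproxy/errors/429.http

backend backend_slow_down
    mode http
    timeout tarpit 2s
    errorfile 500 /etc/haproxy/errors/429.http
    http-request tarpit

backend www-backend
    mode http
    server app1 127.0.0.1:8080
```

The trade-off is deliberate: the TCP-layer reject in the original exists precisely to refuse abusive sources before any TLS work is done, so moving the everyday limits to the HTTP layer buys a readable error message at the cost of one handshake per rejected request; keeping a much higher cap at the TCP layer preserves the protection against a flood. On versions without `deny_status`, the same effect is obtained by routing the offenders to a dedicated backend that only contains `http-request deny` and `errorfile 403 /etc/haproxy/errors/429.http`: the errorfile contents are sent verbatim, so a file whose status line reads 429 is delivered as a 429 even though it is registered under 403, which is the same trick the original backend uses with `errorfile 500`.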