gnilchee · March 10, 2020 01:32 · Mar 10, 2020
diff --git a/haproxy.cfg b/haproxy.cfg
@@ -0,0 +1,70 @@
+# tested with HAProxy 2.0 LTS on Debian 9
+global
+    stats socket /tmp/haproxy_admin.sock mode 660 level admin expose-fd listeners
+    stats timeout 30s
+    user haproxy
+    group haproxy
+
+defaults
+    mode http
+    maxconn 500
+    balance roundrobin
+    timeout connect 5000
+    timeout client  50000
+    timeout server  50000
+    timeout http-request 5s
+    option http-server-close
+    option forwardfor if-none
+    option redispatch
+    stats enable
+    stats refresh 30s
+    stats auth haproxy:password
+    stats uri  /haproxy?stats
+    stats hide-version
+    errorfile 400 /etc/haproxy/errors/400.http
+    errorfile 403 /etc/haproxy/errors/403.http
+    errorfile 408 /etc/haproxy/errors/408.http
+    errorfile 500 /etc/haproxy/errors/500.http
+    errorfile 502 /etc/haproxy/errors/502.http
+    errorfile 503 /etc/haproxy/errors/503.http
+    errorfile 504 /etc/haproxy/errors/504.http
+
+peers haproxy-peers
+    peer haproxy-1 172.20.0.100:10000
+    peer haproxy-2 172.20.0.101:10000
+    # shared table
+    table ha-shared type string len 64 size 1m expire 15m store http_err_rate(5m),http_req_rate(5m)
+
+frontend haproxy-1_fe
+    bind *:80
+    mode http
+    ###################
+    # rate/err limiting
+    ###################
+    tcp-request inspect-delay 5s
+    tcp-request content track-sc0 hdr(x-forwarded-for,-1) table haproxy-peers/ha-shared
+    acl err_abuse hdr(X-Forwarded-For,-1),table_http_err_rate(haproxy-peers/ha-shared) ge 5
+    acl rate_abuse hdr(X-Forwarded-For,-1),table_http_req_rate(haproxy-peers/ha-shared) ge 25
+    ###################
+    use_backend err_limiter if err_abuse
+    use_backend rate_limiter if rate_abuse !err_abuse
+    default_backend default
+
+backend default
+    balance roundrobin
+    option tcp-check
+    default-server inter 15s fall 3 rise 2
+    ###################
+    # stick on xff
+    ###################
+    stick on hdr(X-Forwarded-For,-1) table haproxy-peers/ha-shared
+    ###################
+    server default_httpbin httpbin.org:443 ssl verify none check port 443 maxconn 100
+
+backend rate_limiter
+    mode http
+    http-request deny deny_status 429
+
+backend err_limiter
+    mode http
+    http-request reject
diff --git a/validate_counts.txt b/validate_counts.txt
@@ -0,0 +1,21 @@
+you can display counters in haproxy-peers/ha-shared table
+---------------------------------------------------------
+echo "show table haproxy-peers/ha-shared" | socat stdio /tmp/haproxy_admin.sock
+
+example output
+---------------------------------------------------------
+root@haproxy-2:~# echo "show table haproxy-peers/ha-shared" | socat stdio /tmp/haproxy_admin.sock
+# table: haproxy-peers/ha-shared, type: string, size:1048576, used:0
+
+after hitting haproxy-1 with a 404 using no XFF (note http_req_rate AND http_err_rate remains 0)
+---------------------------------------------------------
+root@haproxy-2:~# echo "show table haproxy-peers/ha-shared" | socat stdio /tmp/haproxy_admin.sock
+# table: haproxy-peers/ha-shared, type: string, size:1048576, used:1
+0x7f43f801e3d8: key=172.20.0.1 use=0 exp=896691 server_id=1 http_req_rate(300000)=0 http_err_rate(300000)=0 server_name=default_httpbin
+
+after hitting haproxy-1 with a 404 using XFF (note http_req_rate AND http_err_rate increments)
+---------------------------------------------------------
+root@haproxy-2:~# echo "show table haproxy-peers/ha-shared" | socat stdio /tmp/haproxy_admin.sock
+# table: haproxy-peers/ha-shared, type: string, size:1048576, used:2
+0x7f43f801e3d8: key=172.20.0.1 use=0 exp=789090 server_id=1 http_req_rate(300000)=0 http_err_rate(300000)=0 server_name=default_httpbin
+0x7f43f801e558: key=192.168.1.50 use=0 exp=894193 server_id=1 http_req_rate(300000)=1 http_err_rate(300000)=1 server_name=default_httpbin