Channel: HAProxy community - Latest topics

Haproxy 1.7.5-2 doesn't update http_req_count properly


@Gurvan wrote:

Hi,

I intend to use haproxy as a protection for slow DDoS attacks when thousands of IPs request a single URL, so I am testing it on a few docker containers.

The setup is as follows: 2 Apache backends, 1 haproxy and 2 clients.

I send a request every 2 seconds from the 2 clients, and I do see them in the Apache backends logs so they are transmitted properly, but however I try to update the tables, they have a very low count compared to the number they actually receive, and they typically don’t show the same number of requests for both clients.

The version is 1.7.5-2 on a Debian 9 docker container (clients and backends are Debian 9 containers too, there doesn’t appear to be any network problem between them).

Here is the configuration (please excuse the mess, I’m trying a bunch of things to make it work):

```
global
    log /dev/log local0
    log /dev/log local1 notice
    #chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 666
    #stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL). This list is from:
    #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    # An alternative list with additional directives can be obtained from
    #  https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3

defaults
    log global
    mode http
    option httplog
    option dontlognull
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

frontend fe
    bind *:80
    mode http
    stick-table type ip size 500 expire 60m store http_req_cnt,http_req_rate(60000)
    #http-request track-sc0 src
    tcp-request content track-sc0 src
    http-request track-sc0 base table dummy
    tcp-request content track-sc0 base table dummy2
    #http-request track-sc0 src #sets only 1 request even if 5-6 were made
    #http-request sc-inc-gpc0("vla")(2)
    #http-request sc-inc-gpc0(base)
    #http-request sc-inc-gpc0("base")
    #stick on src not backend/listen

    default_backend lamp

backend lamp
    mode http
    server lamp1 backend1:80 check

backend dummy
    stick-table type string len 100 size 50 expire 30m store conn_rate(5m),http_req_rate(1m),conn_cur,gpc0
    #stick-table type ip size 50 expire 30m store conn_rate(5m),http_req_rate(1m),conn_cur

backend dummy2
    stick-table type string len 100 size 50 expire 30m store conn_rate(5m),http_req_rate(1m),conn_cur,gpc0
    #stick-table type ip size 50 expire 30m store conn_rate(5m),http_req_rate(1m),conn_cur

#define stick table for ip
#define stick table for base
#define 3 acls
#drop if 3 acls matched
```

Let me know if you would like more information.

Any idea why http_req_cnt doesn’t update properly?

Regards,
Gurvan

Posts: 1

Participants: 1
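An added example, not Gurvan's configuration or an answer from the forum, showing a tracking layout for the per-IP and per-URL counters the post is after. Each stick counter slot (sc0, sc1, sc2) can track only one key per stream, so a second track-sc0 rule on the same stream is ignored; here sc0 tracks src and sc1 tracks base. The table name per_url and the thresholds are constructed for illustration and assume HAProxy 1.7.

```haproxy
frontend fe
    bind *:80
    mode http

    # Per-source-IP counters, tracked in sc0 (keyed on the client address).
    stick-table type ip size 100k expire 60m store http_req_cnt,http_req_rate(60s)

    # One key per stick counter slot: sc0 -> src, sc1 -> base.
    # Reusing sc0 for both would leave the second table untouched.
    http-request track-sc0 src
    http-request track-sc1 base table per_url

    # Thresholds are placeholders; tune them to real traffic.
    # ip_abuse:  one client above 50 requests/min
    # url_flood: one URL receiving more than 10000 requests/min in aggregate
    acl ip_abuse  sc_http_req_rate(0) gt 50
    acl url_flood sc_http_req_rate(1) gt 10000
    http-request deny if ip_abuse
    http-request deny if url_flood

    default_backend lamp

backend per_url
    # Keyed on "base" (Host header + path): one row per requested URL.
    stick-table type string len 100 size 10k expire 30m store http_req_cnt,http_req_rate(60s)

backend lamp
    mode http
    server lamp1 backend1:80 check
```

Both tables can be inspected with "show table fe" and "show table per_url" on the stats socket to confirm that http_req_cnt advances on each request.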

