Hi,
We have multiple haproxy servers receiving traffic from our firewall, and we
want to apply some rate limiting that takes into account counters from all
the haproxy servers.
I am testing this with 1.6.4 and I tried the peer feature, but I am not able to
get it to work. I understand that counter aggregation does not happen, but
even replication doesn't seem to be working for me.
Conf:

peers article
    peer haproxy1 127.0.0.1:11023
    peer haproxy2 127.0.0.1:11024

global
    stats socket /tmp/haproxy.sock mode 600 level admin
    #maxconn 3000
    #maxconn 10000

defaults
    log 127.0.0.1 local1
    option httplog
    mode http
    timeout server 120s
    timeout queue 1000s
    timeout client 1200s # Client inactive time
    timeout connect 100s # timeout for server connection
    timeout check 500s # timeout for server check pings
    maxconn 10000
    retries 2
    option redispatch
    option http-server-close

frontend haproxy1_l2
    mode http
    option forwardfor
    capture cookie egnyte-proxy len 32
    capture request header host len 32
    bind *:1443 ssl crt /home/egnyte/haproxy/conf/key.pem crt /home/egnyte/haproxy/conf/certs
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    stick-table type string size 1M expire 10m store conn_cur peers article
    acl is_range hdr_sub(Range) bytes=
    acl is_path_throttled path_beg /public-api/v1/fs-content-download
    acl is_path_throttled path_end /get_file
    acl is_path_throttled path_beg /wsgi/print_headers.py
    #tcp-request content track-sc1 base32 if is_range is_path_throttled
    http-request set-header X-track %
    http-request track-sc1 req.hdr(X-track) if is_range is_path_throttled
    http-request deny if { sc1_conn_cur gt 2 } is_range is_path_throttled
    default_backend apache_l1

backend apache_l1
    mode http
    maxconn 10000
    reqadd X-Haproxy-L1:\ true
    server apache_l1 127.0.0.1:80

Is there any other way to have rate limiting that can track the counters
across haproxy servers? How about seeding counters into Redis using Lua and
then reading them to rate limit? Is it even feasible? I have not looked at it
in detail yet; I just wanted to see if somebody has tried something similar.

Thanks
Sachin