Hi,
I'm using stick-tables to track requests and block abusers if needed.
Abusers should be blocked only for a short period of time and I want a
stick-table entry to expire.
Therefore, I have to check if the client is already marked as an
abuser and not track this client.
Example config:

    frontend fe_http_in
        bind 127.0.0.1:8001
        stick-table type ip size 100k expire 600s store gpc0
        # Not working
        # acl is_overlimit sc0_get_gpc0(fe_http_in) gt 0
        # Working
        # acl is_overlimit src_get_gpc0(fe_http_in) gt 0
        tcp-request connection track-sc0 src if !is_overlimit
        default_backend be

    backend be
        ... incrementing gpc0 ( with "sc0_inc_gpc0") ...

If I use "sc0_get_gpc0", the stick-table entry will never expire
because the timer will be reset (tcp-request connection track-sc0
.... seems to ignore this ACL).
With "src_get_gpc0" everything works as expected.
Both ACLs are correct and triggered (verified with debug headers
(http-response set-header ...)).
What's the difference between these ACLs in conjunction with
"tcp-request connection track-sc0 ..."?
Is this a bug or intended behaviour?
-----------
Bjoern
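
An added example, not part of the original post and not HAProxy code: a simplified Python model of the behaviour described above. It assumes that sc0_get_gpc0 reads only the entry currently tracked on sc0 (none yet when the tcp-request connection rule is evaluated), that src_get_gpc0 looks the source address up in the table without tracking it, and that tracking restarts the expire timer; all class and function names and the sample address are hypothetical.

```python
# Simplified model (an assumption, not HAProxy source) of the posted setup:
# "expire 600s" plus "tcp-request connection track-sc0 src if !is_overlimit".
EXPIRE = 600  # seconds


class StickTable:
    def __init__(self):
        self.entries = {}  # ip -> {"gpc0": int, "expires": int}

    def purge(self, now):
        self.entries = {k: e for k, e in self.entries.items() if e["expires"] > now}

    def lookup(self, ip, now):
        """Read-only lookup by key: how src_get_gpc0 is modelled here."""
        self.purge(now)
        e = self.entries.get(ip)
        return e["gpc0"] if e else 0

    def track(self, ip, now):
        """Tracking creates or touches the entry and restarts its expiry timer."""
        self.purge(now)
        e = self.entries.setdefault(ip, {"gpc0": 0, "expires": 0})
        e["expires"] = now + EXPIRE
        return e


def connection(table, ip, now, fetch, abusive=False):
    """One connection: evaluate is_overlimit, then apply the track-sc0 rule."""
    if fetch == "sc0_get_gpc0":
        gpc0 = 0  # modelled: nothing is tracked on sc0 yet, so the fetch sees 0
    else:  # "src_get_gpc0"
        gpc0 = table.lookup(ip, now)
    is_overlimit = gpc0 > 0
    if not is_overlimit:
        entry = table.track(ip, now)
        if abusive:
            entry["gpc0"] += 1  # stands in for sc0_inc_gpc0 in the backend
    return is_overlimit


def blocked_after(fetch, retry_every=60, duration=1800):
    """Client is flagged at t=0, then reconnects every `retry_every` seconds.
    Returns True if its entry still carries gpc0 > 0 after `duration`."""
    table, ip = StickTable(), "192.0.2.10"  # constructed sample address
    connection(table, ip, 0, fetch, abusive=True)
    for now in range(retry_every, duration + 1, retry_every):
        connection(table, ip, now, fetch)
    return table.lookup(ip, duration + 1) > 0
```

In this model the sc0 variant re-tracks the client on every connection, so a client that keeps reconnecting within 600s never ages out, while the src variant stops touching the entry once gpc0 is set and lets it expire.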