- server_id : the ID of the server the user's request was assigned to, as an integer.
This value can be used by the "stick match", "stick store" and "stick on" rules.
It is automatically enabled when referenced.
- http_req_cnt : HTTP request counter, a positive 32-bit integer.
It records the absolute number of HTTP requests received from a client matching the current entry,
whether the requests were valid or invalid.
Note that this is different from sessions when keep-alive is used on the client side.
- http_req_rate() : HTTP request rate (takes 12 bytes).
It measures the rate of incoming HTTP requests over the specified period (in milliseconds),
whether the requests were valid or invalid.
Note that this is different from sessions when keep-alive is used on the client side.
- bytes_in_rate() : received-bytes rate counter (takes 12 bytes).
It measures the rate of bytes received from the client over the specified period (in milliseconds).
It is usually used to stop users from uploading too much content too fast.
Warning: with large uploads, it is possible that the amount of uploaded data will be counted
once upon termination, thus causing spikes in the average transfer speed
instead of having a smooth one. This may partially be smoothed with
"option contstats" though this is not perfect yet. Use of bytes_in_cnt is
recommended for better fairness.
- bytes_out_rate() : sent-bytes rate counter (takes 12 bytes).
It measures the rate of bytes sent by the server to the client over the specified period (in milliseconds).
It is usually used to stop users from downloading too much content too fast.
Warning: with large transfers, it is possible that the amount of transferred data will be
counted once upon termination, thus causing spikes in the average
transfer speed instead of having a smooth one. This may partially be
smoothed with "option contstats" though this is not perfect yet. Use of
bytes_out_cnt is recommended for better fairness.
telnet 127.0.0.1 8080
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
Connection closed by foreign host.
6. Limiting the HTTP request rate
# On Aloha, the global section is already setup for you
# and the haproxy stats socket is available at /var/run/haproxy.stats
global
    stats socket ./haproxy.stats level admin

defaults
    option http-server-close
    mode http
    timeout http-request 5s
    timeout connect 5s
    timeout server 10s
    timeout client 30s

listen stats
    bind 0.0.0.0:8880
    stats enable
    stats hide-version
    stats uri /
    stats realm HAProxy\ Statistics
    stats auth admin:admin

frontend ft_web
    bind 0.0.0.0:8080

    # Use General Purpose Counter (gpc) 0 in SC1 as a global abuse counter
    # Monitors the number of requests sent by an IP over a period of 10 seconds
    stick-table type ip size 1m expire 10s store gpc0,http_req_rate(10s)
    tcp-request connection track-sc1 src
    tcp-request connection reject if { src_get_gpc0 gt 0 }

    # Split static and dynamic traffic since these requests have different impacts on the servers
    use_backend bk_web_static if { path_end .jpg .png .gif .css .js }

    default_backend bk_web

# Dynamic part of the application
backend bk_web
    balance roundrobin
    cookie MYSRV insert indirect nocache

    # If the source IP sent 10 or more HTTP requests over the defined period,
    # flag the IP as abuser on the frontend
    acl abuse src_http_req_rate(ft_web) ge 10
    acl flag_abuser src_inc_gpc0(ft_web)
    tcp-request content reject if abuse flag_abuser

    server srv1 192.168.1.2:80 check cookie srv1 maxconn 100
    server srv2 192.168.1.3:80 check cookie srv2 maxconn 100

# Static objects
backend bk_web_static
    balance roundrobin
    server srv1 192.168.1.2:80 check maxconn 1000
    server srv2 192.168.1.3:80 check maxconn 1000
The test procedure is the same as above.
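Besides repeating the telnet test, it is worth checking the stick-table itself to confirm which sources were flagged and to release one early. The helper below is an added example written for this page (it is not HAProxy's code and not part of the original post): it parses the output of "show table ft_web" as printed on the admin stats socket, lists the entries whose gpc0 is set, and builds the "clear table" commands that remove them. The sample output is constructed; the socket path ./haproxy.stats is the one declared in the config above.

```python
"""Inspect the ft_web stick-table over the stats socket (added example)."""
import re
import socket

SOCKET_PATH = "./haproxy.stats"   # matches "stats socket ./haproxy.stats" above

# Constructed sample of what "show table ft_web" prints on the stats socket:
# one header line, then one line per entry with key, expiry and stored data.
SAMPLE_SHOW_TABLE = """\
# table: ft_web, type: ip, size:1048576, used:3
0x55d6c0a1c2f0: key=10.0.0.1 use=0 exp=9438 gpc0=1 http_req_rate(10000)=12
0x55d6c0a1c3a0: key=10.0.0.2 use=0 exp=8801 gpc0=0 http_req_rate(10000)=2
0x55d6c0a1c450: key=10.0.0.3 use=1 exp=6120 gpc0=3 http_req_rate(10000)=41
"""

ENTRY_RE = re.compile(r"^0x[0-9a-f]+: key=(?P<key>\S+) (?P<fields>.*)$")
# data names look like "gpc0" or "http_req_rate(10000)", values are integers
FIELD_RE = re.compile(r"(?P<name>[a-z0-9_]+(?:\([0-9]+\))?)=(?P<value>\d+)")


def parse_show_table(text):
    """Return {key: {"use": .., "exp": .., "gpc0": .., "http_req_rate(10000)": ..}}."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:            # header or blank line
            continue
        fields = {f.group("name"): int(f.group("value"))
                  for f in FIELD_RE.finditer(m.group("fields"))}
        entries[m.group("key")] = fields
    return entries


def flagged_sources(entries):
    """Sources the backend marked as abusers: gpc0 > 0 means the frontend
    rejects every new connection from them until the entry expires."""
    return sorted(k for k, f in entries.items() if f.get("gpc0", 0) > 0)


def unban_commands(table, entries):
    """'clear table' drops the entry, so the source is admitted again at once
    instead of after `expire` seconds of silence."""
    return ["clear table %s key %s" % (table, k) for k in flagged_sources(entries)]


def stats_command(cmd, path=SOCKET_PATH):
    """Send one command to the admin stats socket and return the reply.
    Needs a running HAProxy; same as: echo "<cmd>" | socat stdio unix-connect:<path>"""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(path)
        s.sendall((cmd + "\n").encode())
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode()


if __name__ == "__main__":
    # Against a live instance, replace SAMPLE_SHOW_TABLE with
    # stats_command("show table ft_web data.gpc0 gt 0").
    entries = parse_show_table(SAMPLE_SHOW_TABLE)
    for key in flagged_sources(entries):
        print(key, entries[key])
    for cmd in unban_commands("ft_web", entries):
        print(cmd)
```

The "exp" column is the remaining lifetime in milliseconds; because "track-sc1" runs before the reject rule in the frontend, a client that keeps hammering keeps refreshing its own entry, so the ban only lapses once it has been silent for the full "expire 10s".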
7. Detecting vulnerability scans
If someone tries to run a vulnerability scan against our site, HAProxy can track the various errors it produces.
HAProxy can monitor the rate at which each client generates errors and decide what to do with that client based on it.
# On Aloha, the global section is already setup for you
# and the haproxy stats socket is available at /var/run/haproxy.stats
global
    stats socket ./haproxy.stats level admin

defaults
    option http-server-close
    mode http
    timeout http-request 5s
    timeout connect 5s
    timeout server 10s
    timeout client 30s

listen stats
    bind 0.0.0.0:8880
    stats enable
    stats hide-version
    stats uri /
    stats realm HAProxy\ Statistics
    stats auth admin:admin

frontend ft_web
    bind 0.0.0.0:8080

    # Use General Purpose Counter 0 in SC1 as a global abuse counter
    # Monitors the number of errors generated by an IP over a period of 10 seconds
    stick-table type ip size 1m expire 10s store gpc0,http_err_rate(10s)
    tcp-request connection track-sc1 src
    tcp-request connection reject if { src_get_gpc0 gt 0 }

    # Split static and dynamic traffic since these requests have different impacts on the servers
    use_backend bk_web_static if { path_end .jpg .png .gif .css .js }

    default_backend bk_web

# Dynamic part of the application
backend bk_web
    balance roundrobin
    cookie MYSRV insert indirect nocache

    # If the source IP generated 10 or more HTTP errors over the defined period,
    # flag the IP as abuser on the frontend
    acl abuse src_http_err_rate(ft_web) ge 10
    acl flag_abuser src_inc_gpc0(ft_web)
    tcp-request content reject if abuse flag_abuser

    server srv1 192.168.1.2:80 check cookie srv1 maxconn 100
    server srv2 192.168.1.3:80 check cookie srv2 maxconn 100

# Static objects
backend bk_web_static
    balance roundrobin
    server srv1 192.168.1.2:80 check maxconn 1000
    server srv2 192.168.1.3:80 check maxconn 1000
frontend http
    # Use General Purpose Counter 0 in SC1 as a global abuse counter
    # protecting all our sites
    stick-table type ip size 1m expire 5m store gpc0
    tcp-request connection track-sc1 src
    tcp-request connection reject if { sc1_get_gpc0 gt 0 }
    ...
    use_backend http_dynamic if { path_end .php }

backend http_dynamic
    # if a source makes too fast requests to this dynamic site (tracked
    # by SC2), block it globally in the frontend.
    stick-table type ip size 1m expire 5m store http_req_rate(10s)
    acl click_too_fast sc2_http_req_rate gt 10
    acl mark_as_abuser sc1_inc_gpc0
    tcp-request content track-sc2 src
    tcp-request content reject if click_too_fast mark_as_abuser
Another example is as follows:
# block if 5 consecutive requests continue to come faster than 10 sess
# per second, and reset the counter as soon as the traffic slows down.
acl abuse src_http_req_rate gt 10
acl kill src_inc_gpc0 gt 5
acl save src_clr_gpc0
tcp-request connection accept if !abuse save
tcp-request connection reject if abuse kill
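The two rulesets on this page behave quite differently on the same burst: the sections 6 and 7 config flags a source once and then rejects it at connection level, while the last snippet only rejects after more than 5 consecutive requests arrive above the rate and forgives as soon as the rate drops. The model below is an added example written for this page (not HAProxy code and not from the original post) that replays a constructed trace through both rulesets. It uses an exact sliding window in place of HAProxy's approximate frequency counter, treats http_req_rate(10s) and expire 10s as the table parameters, and for the last snippet assumes that a track-sc rule elsewhere in the proxy feeds http_req_rate, since src_http_req_rate only reads the counter. The addresses, timestamps and function names are assumptions made for the example.

```python
"""Replay one traffic trace through the two stick-table rulesets (added example)."""
from collections import deque

PERIOD_MS = 10_000   # http_req_rate(10s)
EXPIRE_MS = 10_000   # stick-table ... expire 10s


class StickTable:
    """Per-source entries: gpc0 plus the request timestamps behind http_req_rate."""

    def __init__(self, expire_ms=EXPIRE_MS, period_ms=PERIOD_MS):
        self.expire_ms, self.period_ms = expire_ms, period_ms
        self.entries = {}   # src -> {"gpc0": int, "reqs": deque, "last": int}

    def _lookup(self, src, now):
        # a read does not refresh the timer; an entry idle for `expire` is gone
        e = self.entries.get(src)
        if e is not None and now - e["last"] >= self.expire_ms:
            del self.entries[src]
            e = None
        return e

    def _touch(self, src, now):
        # track-sc, inc_gpc0 and clr_gpc0 create the entry and refresh its timer
        e = self._lookup(src, now)
        if e is None:
            e = self.entries[src] = {"gpc0": 0, "reqs": deque(), "last": now}
        e["last"] = now
        return e

    def track(self, src, now):
        self._touch(src, now)

    def count_request(self, src, now):
        self._touch(src, now)["reqs"].append(now)

    def http_req_rate(self, src, now):
        e = self._lookup(src, now)
        if e is None:
            return 0
        while e["reqs"] and now - e["reqs"][0] >= self.period_ms:
            e["reqs"].popleft()
        return len(e["reqs"])

    def get_gpc0(self, src, now):
        e = self._lookup(src, now)
        return 0 if e is None else e["gpc0"]

    def inc_gpc0(self, src, now):
        e = self._touch(src, now)
        e["gpc0"] += 1
        return e["gpc0"]

    def clr_gpc0(self, src, now):
        e = self._touch(src, now)
        e["gpc0"] = 0


def policy_flag_then_block(table, src, now):
    """Sections 6/7: track, reject if flagged, else count the request and flag
    the source in the backend once the rate reaches 10."""
    table.track(src, now)                       # tcp-request connection track-sc1 src
    if table.get_gpc0(src, now) > 0:            # reject if { src_get_gpc0 gt 0 }
        return "reject-connection"
    table.count_request(src, now)               # the frontend parses the request
    if table.http_req_rate(src, now) >= 10:     # acl abuse ... ge 10
        table.inc_gpc0(src, now)                # acl flag_abuser src_inc_gpc0
        return "reject-content"
    return "accept"


def policy_consecutive(table, src, now):
    """Last snippet: more than 5 consecutive requests above the rate get
    rejected; the counter resets as soon as the rate is back under 10."""
    if table.http_req_rate(src, now) <= 10:     # !abuse
        table.clr_gpc0(src, now)                # acl save src_clr_gpc0
        table.count_request(src, now)
        return "accept"
    if table.inc_gpc0(src, now) > 5:            # acl kill src_inc_gpc0 gt 5
        return "reject-connection"              # no HTTP request reaches the counter
    table.count_request(src, now)
    return "accept"


# Constructed trace: 20 requests 100 ms apart from one source, three later
# probes from it, and a quiet second source that must never be affected.
BURST = [(t, "10.0.0.1") for t in range(0, 2000, 100)]
PROBES = [(5000, "10.0.0.1"), (12000, "10.0.0.1"), (23000, "10.0.0.1")]
QUIET = [(200, "10.0.0.2"), (5200, "10.0.0.2")]
EVENTS = sorted(BURST + PROBES + QUIET)


def decisions(policy, src="10.0.0.1", events=EVENTS):
    """Decision for each event of `src`, in order, under the given policy."""
    table = StickTable()
    return [policy(table, s, t) for t, s in events if s == src or policy(table, s, t) is None]


if __name__ == "__main__":
    for policy in (policy_flag_then_block, policy_consecutive):
        print(policy.__name__, decisions(policy))
```

Note what the replay shows: under the first ruleset the 10th request is rejected and flagged, everything after it is refused at connection time, and the probe at 12 s is still refused because each rejected connection re-tracked the entry and pushed its expiry out; only the probe at 23 s, after more than 10 s of silence, gets through. Under the second ruleset the 17th request is the first one rejected, and the probe at 12 s is already accepted because the window had emptied and "save" cleared gpc0. Section 7 is the same mechanism with http_err_rate in place of http_req_rate.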