@haproxytechblog
Last active September 28, 2022 14:50
Four Examples of HAProxy Rate Limiting

backend servers
    server s1 192.168.30.10:80 check maxconn 30
    server s2 192.168.31.10:80 check maxconn 30
    server s3 192.168.31.10:80 check maxconn 30

backend servers
    timeout queue 10s
    server s1 192.168.30.10:80 check maxconn 30
    server s2 192.168.31.10:80 check maxconn 30
    server s3 192.168.31.10:80 check maxconn 30

frontend website
    bind :80
    stick-table type ipv6 size 100k expire 30s store http_req_rate(10s)
    http-request track-sc0 src
    http-request deny deny_status 429 if { sc_http_req_rate(0) gt 20 }
    default_backend servers

frontend website
    bind :80
    stick-table type ipv6 size 100k expire 24h store http_req_cnt
    http-request track-sc0 src
    http-request deny deny_status 429 if { sc_http_req_cnt(0) gt 1000 }
    default_backend servers

global
    stats socket /run/haproxy.sock mode 660 level admin

$ echo "clear table website" | sudo socat stdio /run/haproxy.sock
$ echo "clear table website key 192.168.50.10" | sudo socat stdio /run/haproxy.sock

/urla 10
/urlb 20
/urlc 30

frontend website
    bind :80
    stick-table type binary len 20 size 100k expire 10s store http_req_rate(10s)

    # Track client by base32+src (Host header + URL path + src IP)
    http-request track-sc0 base32+src

    # Check map file to get rate limit for path
    http-request set-var(req.rate_limit) path,map_beg(/etc/haproxy/rates.map,20)

    # Client's request rate is tracked
    http-request set-var(req.request_rate) base32+src,table_http_req_rate()

    # Subtract the current request rate from the limit
    # If less than zero, set rate_abuse to true
    acl rate_abuse var(req.rate_limit),sub(req.request_rate) lt 0

    # Deny if rate abuse
    http-request deny deny_status 429 if rate_abuse
    default_backend servers

frontend website
    bind :80
    stick-table type string size 100k expire 24h store http_req_rate(24h)

    # check for token parameter
    acl has_token url_param(token) -m found

    # check if exceeds limit
    acl exceeds_limit url_param(token),table_http_req_rate() gt 1000

    # start tracking based on token parameter
    http-request track-sc0 url_param(token) unless exceeds_limit

    # Deny if missing token or exceeds limit
    http-request deny deny_status 429 if !has_token or exceeds_limit
    default_backend servers

http://yourwebsite.com/api/v1/does_a_thing?token=abcd1234