haproxytechblog/608d580de6144a771c7b46d6ee17f526
Last active September 28, 2022 14:50
Four Examples of HAProxy Rate Limiting
```
backend servers
    # maxconn caps each server at 30 concurrent connections;
    # requests beyond that wait in HAProxy's queue
    server s1 192.168.30.10:80 check maxconn 30
    server s2 192.168.31.10:80 check maxconn 30
    server s3 192.168.31.10:80 check maxconn 30
```
```
backend servers
    # Requests that wait in the queue longer than 10s are answered with a 503
    timeout queue 10s
    server s1 192.168.30.10:80 check maxconn 30
    server s2 192.168.31.10:80 check maxconn 30
    server s3 192.168.31.10:80 check maxconn 30
```
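```
frontend website
    bind :80
    # Store each client's HTTP request rate over a sliding 10-second window
    stick-table type ipv6 size 100k expire 30s store http_req_rate(10s)
    # Key the table on the client's source IP (type ipv6 also holds IPv4 addresses)
    http-request track-sc0 src
    # Deny with 429 once a client exceeds 20 requests per 10 seconds
    http-request deny deny_status 429 if { sc_http_req_rate(0) gt 20 }
    default_backend servers
```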
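```
frontend website
    bind :80
    # Count requests per source IP; the counter resets only when the entry
    # expires (24h after its last update) or the table is cleared
    stick-table type ipv6 size 100k expire 24h store http_req_cnt
    http-request track-sc0 src
    # Deny with 429 once a client has made more than 1000 requests
    http-request deny deny_status 429 if { sc_http_req_cnt(0) gt 1000 }
    default_backend servers
```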
```
global
    stats socket /run/haproxy.sock mode 660 level admin
```
```
$ echo "clear table website" | sudo socat stdio /run/haproxy.sock
```
```
$ echo "clear table website key 192.168.50.10" | sudo socat stdio /run/haproxy.sock
```
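Before clearing a table or a single key over the Runtime API socket, it helps to see which clients are actually over the limit. The following is an added example, not part of the original gist: it parses `show table website` output and lists the entries whose `http_req_rate` exceeds a threshold. The function names `over_limit` and `sample_table` are hypothetical, and the sample table dump is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the gist). Live usage, assuming the socket path
# configured in the global section above:
#   echo "show table website" | sudo socat stdio /run/haproxy.sock | over_limit 20

# over_limit LIMIT: read "show table <name>" output on stdin and print
# "rate key" for every entry whose http_req_rate exceeds LIMIT, highest first.
over_limit() {
    awk -v limit="$1" '
        /^#/ || NF == 0 { next }   # skip the table header line and blank lines
        {
            key = ""; rate = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^key=/) {
                    key = substr($i, 5)
                } else if ($i ~ /^http_req_rate\([0-9]+\)=/) {
                    # the period is shown in milliseconds, e.g. http_req_rate(10000)=25
                    rate = $i
                    sub(/^[^=]*=/, "", rate)
                }
            }
            if (key != "" && rate != "" && rate + 0 > limit + 0) print rate, key
        }' | sort -rn
}

# Constructed sample of "show table website" output (illustrative values only).
sample_table() {
cat <<'EOF'
# table: website, type: ipv6, size:102400, used:3
0x55d0a8c1e2f0: key=::ffff:192.168.50.10 use=0 exp=7512 http_req_rate(10000)=25
0x55d0a8c1e3a0: key=::ffff:192.168.50.11 use=0 exp=9120 http_req_rate(10000)=4
0x55d0a8c1e450: key=2001:db8::7 use=1 exp=9980 http_req_rate(10000)=31
EOF
}

# Demonstration on the constructed sample: list clients above 20 requests per window.
sample_table | over_limit 20
```

The Runtime API can also filter server-side with `show table website data.http_req_rate gt 20`; the parser above is useful when the output should be sorted or fed into alerting.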
```
/urla 10
/urlb 20
/urlc 30
```
```
frontend website
    bind :80
    stick-table type binary len 20 size 100k expire 10s store http_req_rate(10s)
    # Track client by base32+src (Host header + URL path + src IP)
    http-request track-sc0 base32+src
    # Check map file to get rate limit for path
    http-request set-var(req.rate_limit) path,map_beg(/etc/haproxy/rates.map,20)
    # Client's request rate is tracked
    http-request set-var(req.request_rate) base32+src,table_http_req_rate()
    # Subtract the current request rate from the limit
    # If less than zero, set rate_abuse to true
    acl rate_abuse var(req.rate_limit),sub(req.request_rate) lt 0
    # Deny if rate abuse
    http-request deny deny_status 429 if rate_abuse
    default_backend servers
```
```
frontend website
    bind :80
    stick-table type string size 100k expire 24h store http_req_rate(24h)
    # check for token parameter
    acl has_token url_param(token) -m found
    # check if exceeds limit
    acl exceeds_limit url_param(token),table_http_req_rate() gt 1000
    # start tracking based on token parameter
    http-request track-sc0 url_param(token) unless exceeds_limit
    # Deny if missing token or exceeds limit
    http-request deny deny_status 429 if !has_token or exceeds_limit
    default_backend servers
```
```
http://yourwebsite.com/api/v1/does_a_thing?token=abcd1234
```