mirror of
http://git.haproxy.org/git/haproxy.git/
synced 2024-12-13 23:14:46 +00:00
DOC: fix bogus recommendation on usage of gpc0 counter
The doc pretends that src_inc_gpc0 may be used alone without an integer match, but this is false and has always been since its introduction in 1.5-dev1. If the ACL is called, the increment will be used, the value returned, but it will be matched against no value so the resulting ACL will never be true and the condition will not be met. This means that the following config : acl abuser src -f abusers.lst acl blacklist src_inc_gpc0 tcp-request connection reject if abuser blacklist Will never reject the connection and must be fixed this way : acl abuser src -f abusers.lst acl blacklist src_inc_gpc0 gt 0 tcp-request connection reject if abuser blacklist Note that clr_gpc0 is trickier, as it returns the previous value which might also be zero. Thus it's suggested to compare it against any positive value including zero : tcp-request connection accept if { src_clr_gpc0 ge 0 } Some arguments were missing on the sc1/sc2 forms of most ACLs including gpc0, so this has been fixed too.
This commit is contained in:
parent
c5c61fcf45
commit
869948b062
@ -6375,7 +6375,7 @@ tcp-request content <action> [{if | unless} <condition>]
|
|||||||
# by SC2), block it globally in the frontend.
|
# by SC2), block it globally in the frontend.
|
||||||
stick-table type ip size 1m expire 5m store http_req_rate(10s)
|
stick-table type ip size 1m expire 5m store http_req_rate(10s)
|
||||||
acl click_too_fast sc2_http_req_rate gt 10
|
acl click_too_fast sc2_http_req_rate gt 10
|
||||||
acl mark_as_abuser sc1_inc_gpc0
|
acl mark_as_abuser sc1_inc_gpc0 gt 0
|
||||||
tcp-request content track-sc2 src
|
tcp-request content track-sc2 src
|
||||||
tcp-request content reject if click_too_fast mark_as_abuser
|
tcp-request content reject if click_too_fast mark_as_abuser
|
||||||
|
|
||||||
@ -8120,7 +8120,6 @@ srv_sess_rate(<backend>/<server>) <integer>
|
|||||||
acl srv2_full srv_sess_rate(be1/srv2) gt 50
|
acl srv2_full srv_sess_rate(be1/srv2) gt 50
|
||||||
use_backend be2 if srv1_full or srv2_full
|
use_backend be2 if srv1_full or srv2_full
|
||||||
|
|
||||||
|
|
||||||
connslots <integer>
|
connslots <integer>
|
||||||
connslots(<backend>) <integer>
|
connslots(<backend>) <integer>
|
||||||
The basic idea here is to be able to measure the number of connection "slots"
|
The basic idea here is to be able to measure the number of connection "slots"
|
||||||
@ -8214,112 +8213,110 @@ queue(<backend>) <integer>
|
|||||||
One possible action could be to reject new users but still accept old ones.
|
One possible action could be to reject new users but still accept old ones.
|
||||||
See also the "avg_queue", "be_conn", and "be_sess_rate" criteria.
|
See also the "avg_queue", "be_conn", and "be_sess_rate" criteria.
|
||||||
|
|
||||||
sc1_bytes_in_rate
|
sc1_bytes_in_rate <integer>
|
||||||
sc2_bytes_in_rate
|
sc2_bytes_in_rate <integer>
|
||||||
Returns the average client-to-server bytes rate from the currently tracked
|
Returns the average client-to-server bytes rate from the currently tracked
|
||||||
counters, measured in amount of bytes over the period configured in the
|
counters, measured in amount of bytes over the period configured in the
|
||||||
table. See also src_bytes_in_rate.
|
table. See also src_bytes_in_rate.
|
||||||
|
|
||||||
sc1_bytes_out_rate
|
sc1_bytes_out_rate <integer>
|
||||||
sc2_bytes_out_rate
|
sc2_bytes_out_rate <integer>
|
||||||
Returns the average server-to-client bytes rate from the currently tracked
|
Returns the average server-to-client bytes rate from the currently tracked
|
||||||
counters, measured in amount of bytes over the period configured in the
|
counters, measured in amount of bytes over the period configured in the
|
||||||
table. See also src_bytes_out_rate.
|
table. See also src_bytes_out_rate.
|
||||||
|
|
||||||
sc1_clr_gpc0
|
sc1_clr_gpc0 <integer>
|
||||||
sc2_clr_gpc0
|
sc2_clr_gpc0 <integer>
|
||||||
Clears the first General Purpose Counter associated to the currently tracked
|
Clears the first General Purpose Counter associated to the currently tracked
|
||||||
counters, and returns its previous value. Before the first invocation, the
|
counters, and returns its previous value. Before the first invocation, the
|
||||||
stored value is zero, so first invocation will always return zero. The test
|
stored value is zero, so first invocation will always return zero. This is
|
||||||
can also be used alone and always returns true. This is typically used as a
|
typically used as a second ACL in an expression in order to mark a connection
|
||||||
second ACL in an expression in order to mark a connection when a first ACL
|
when a first ACL was verified :
|
||||||
was verified :
|
|
||||||
|
|
||||||
# block if 5 consecutive requests continue to come faster than 10 sess
|
# block if 5 consecutive requests continue to come faster than 10 sess
|
||||||
# per second, and reset the counter as soon as the traffic slows down.
|
# per second, and reset the counter as soon as the traffic slows down.
|
||||||
acl abuse sc1_http_req_rate gt 10
|
acl abuse sc1_http_req_rate gt 10
|
||||||
acl kill sc1_inc_gpc0 gt 5
|
acl kill sc1_inc_gpc0 gt 5
|
||||||
acl save sc1_clr_gpc0
|
acl save sc1_clr_gpc0 ge 0
|
||||||
tcp-request connection accept if !abuse save
|
tcp-request connection accept if !abuse save
|
||||||
tcp-request connection reject if abuse kill
|
tcp-request connection reject if abuse kill
|
||||||
|
|
||||||
sc1_conn_cnt
|
sc1_conn_cnt <integer>
|
||||||
sc2_conn_cnt
|
sc2_conn_cnt <integer>
|
||||||
Returns the cumulated number of incoming connections from currently tracked
|
Returns the cumulated number of incoming connections from currently tracked
|
||||||
counters. See also src_conn_cnt.
|
counters. See also src_conn_cnt.
|
||||||
|
|
||||||
sc1_conn_cur
|
sc1_conn_cur <integer>
|
||||||
sc2_conn_cur
|
sc2_conn_cur <integer>
|
||||||
Returns the current amount of concurrent connections tracking the same
|
Returns the current amount of concurrent connections tracking the same
|
||||||
tracked counters. This number is automatically incremented when tracking
|
tracked counters. This number is automatically incremented when tracking
|
||||||
begins and decremented when tracking stops. See also src_conn_cur.
|
begins and decremented when tracking stops. See also src_conn_cur.
|
||||||
|
|
||||||
sc1_conn_rate
|
sc1_conn_rate <integer>
|
||||||
sc2_conn_rate
|
sc2_conn_rate <integer>
|
||||||
Returns the average connection rate from the currently tracked counters,
|
Returns the average connection rate from the currently tracked counters,
|
||||||
measured in amount of connections over the period configured in the table.
|
measured in amount of connections over the period configured in the table.
|
||||||
See also src_conn_rate.
|
See also src_conn_rate.
|
||||||
|
|
||||||
sc1_get_gpc0
|
sc1_get_gpc0 <integer>
|
||||||
sc2_get_gpc0
|
sc2_get_gpc0 <integer>
|
||||||
Returns the value of the first General Purpose Counter associated to the
|
Returns the value of the first General Purpose Counter associated to the
|
||||||
currently tracked counters. See also src_get_gpc0 and sc1/sc2_inc_gpc0.
|
currently tracked counters. See also src_get_gpc0 and sc1/sc2_inc_gpc0.
|
||||||
|
|
||||||
sc1_http_err_cnt
|
sc1_http_err_cnt <integer>
|
||||||
sc2_http_err_cnt
|
sc2_http_err_cnt <integer>
|
||||||
Returns the cumulated number of HTTP errors from the currently tracked
|
Returns the cumulated number of HTTP errors from the currently tracked
|
||||||
counters. This includes the both request errors and 4xx error responses.
|
counters. This includes the both request errors and 4xx error responses.
|
||||||
See also src_http_err_cnt.
|
See also src_http_err_cnt.
|
||||||
|
|
||||||
sc1_http_err_rate
|
sc1_http_err_rate <integer>
|
||||||
sc2_http_err_rate
|
sc2_http_err_rate <integer>
|
||||||
Returns the average rate of HTTP errors from the currently tracked counters,
|
Returns the average rate of HTTP errors from the currently tracked counters,
|
||||||
measured in amount of errors over the period configured in the table. This
|
measured in amount of errors over the period configured in the table. This
|
||||||
includes the both request errors and 4xx error responses. See also
|
includes the both request errors and 4xx error responses. See also
|
||||||
src_http_err_rate.
|
src_http_err_rate.
|
||||||
|
|
||||||
sc1_http_req_cnt
|
sc1_http_req_cnt <integer>
|
||||||
sc2_http_req_cnt
|
sc2_http_req_cnt <integer>
|
||||||
Returns the cumulated number of HTTP requests from the currently tracked
|
Returns the cumulated number of HTTP requests from the currently tracked
|
||||||
counters. This includes every started request, valid or not. See also
|
counters. This includes every started request, valid or not. See also
|
||||||
src_http_req_cnt.
|
src_http_req_cnt.
|
||||||
|
|
||||||
sc1_http_req_rate
|
sc1_http_req_rate <integer>
|
||||||
sc2_http_req_rate
|
sc2_http_req_rate <integer>
|
||||||
Returns the average rate of HTTP requests from the currently tracked
|
Returns the average rate of HTTP requests from the currently tracked
|
||||||
counters, measured in amount of requests over the period configured in
|
counters, measured in amount of requests over the period configured in
|
||||||
the table. This includes every started request, valid or not. See also
|
the table. This includes every started request, valid or not. See also
|
||||||
src_http_req_rate.
|
src_http_req_rate.
|
||||||
|
|
||||||
sc1_inc_gpc0
|
sc1_inc_gpc0 <integer>
|
||||||
sc2_inc_gpc0
|
sc2_inc_gpc0 <integer>
|
||||||
Increments the first General Purpose Counter associated to the currently
|
Increments the first General Purpose Counter associated to the currently
|
||||||
tracked counters, and returns its value. Before the first invocation, the
|
tracked counters, and returns its new value. Before the first invocation,
|
||||||
stored value is zero, so first invocation will increase it to 1 and will
|
the stored value is zero, so first invocation will increase it to 1 and will
|
||||||
return 1. The test can also be used alone and always returns true. This is
|
return 1. This is typically used as a second ACL in an expression in order
|
||||||
typically used as a second ACL in an expression in order to mark a connection
|
to mark a connection when a first ACL was verified :
|
||||||
when a first ACL was verified :
|
|
||||||
|
|
||||||
acl abuse sc1_http_req_rate gt 10
|
acl abuse sc1_http_req_rate gt 10
|
||||||
acl kill sc1_inc_gpc0
|
acl kill sc1_inc_gpc0 gt 0
|
||||||
tcp-request connection reject if abuse kill
|
tcp-request connection reject if abuse kill
|
||||||
|
|
||||||
sc1_kbytes_in
|
sc1_kbytes_in <integer>
|
||||||
sc2_kbytes_in
|
sc2_kbytes_in <integer>
|
||||||
Returns the amount of client-to-server data from the currently tracked
|
Returns the amount of client-to-server data from the currently tracked
|
||||||
counters, measured in kilobytes over the period configured in the table. The
|
counters, measured in kilobytes over the period configured in the table. The
|
||||||
test is currently performed on 32-bit integers, which limits values to 4
|
test is currently performed on 32-bit integers, which limits values to 4
|
||||||
terabytes. See also src_kbytes_in.
|
terabytes. See also src_kbytes_in.
|
||||||
|
|
||||||
sc1_kbytes_out
|
sc1_kbytes_out <integer>
|
||||||
sc2_kbytes_out
|
sc2_kbytes_out <integer>
|
||||||
Returns the amount of server-to-client data from the currently tracked
|
Returns the amount of server-to-client data from the currently tracked
|
||||||
counters, measured in kilobytes over the period configured in the table. The
|
counters, measured in kilobytes over the period configured in the table. The
|
||||||
test is currently performed on 32-bit integers, which limits values to 4
|
test is currently performed on 32-bit integers, which limits values to 4
|
||||||
terabytes. See also src_kbytes_out.
|
terabytes. See also src_kbytes_out.
|
||||||
|
|
||||||
sc1_sess_cnt
|
sc1_sess_cnt <integer>
|
||||||
sc2_sess_cnt
|
sc2_sess_cnt <integer>
|
||||||
Returns the cumulated number of incoming connections that were transformed
|
Returns the cumulated number of incoming connections that were transformed
|
||||||
into sessions, which means that they were accepted by a "tcp-request
|
into sessions, which means that they were accepted by a "tcp-request
|
||||||
connection" rule, from the currently tracked counters. A backend may count
|
connection" rule, from the currently tracked counters. A backend may count
|
||||||
@ -8327,8 +8324,8 @@ sc2_sess_cnt
|
|||||||
backend sessions if some HTTP keep-alive is performed over the connection
|
backend sessions if some HTTP keep-alive is performed over the connection
|
||||||
with the client. See also src_sess_cnt.
|
with the client. See also src_sess_cnt.
|
||||||
|
|
||||||
sc1_sess_rate
|
sc1_sess_rate <integer>
|
||||||
sc2_sess_rate
|
sc2_sess_rate <integer>
|
||||||
Returns the average session rate from the currently tracked counters,
|
Returns the average session rate from the currently tracked counters,
|
||||||
measured in amount of sessions over the period configured in the table. A
|
measured in amount of sessions over the period configured in the table. A
|
||||||
session is a connection that got past the early "tcp-request connection"
|
session is a connection that got past the early "tcp-request connection"
|
||||||
@ -8336,8 +8333,8 @@ sc2_sess_rate
|
|||||||
connection could result in many backend sessions if some HTTP keep-alive is
|
connection could result in many backend sessions if some HTTP keep-alive is
|
||||||
performed over the connection with the client. See also src_sess_rate.
|
performed over the connection with the client. See also src_sess_rate.
|
||||||
|
|
||||||
sc1_trackers
|
sc1_trackers <integer>
|
||||||
sc2_trackers
|
sc2_trackers <integer>
|
||||||
Returns the current amount of concurrent connections tracking the same
|
Returns the current amount of concurrent connections tracking the same
|
||||||
tracked counters. This number is automatically incremented when tracking
|
tracked counters. This number is automatically incremented when tracking
|
||||||
begins and decremented when tracking stops. It differs from sc1_conn_cur in
|
begins and decremented when tracking stops. It differs from sc1_conn_cur in
|
||||||
@ -8372,15 +8369,14 @@ src_clr_gpc0(<table>) <integer>
|
|||||||
Clears the first General Purpose Counter associated to the connection's
|
Clears the first General Purpose Counter associated to the connection's
|
||||||
source IPv4 address in the current proxy's stick-table or in the designated
|
source IPv4 address in the current proxy's stick-table or in the designated
|
||||||
stick-table, and returns its previous value. If the address is not found, an
|
stick-table, and returns its previous value. If the address is not found, an
|
||||||
entry is created and 0 is returned. The test can also be used alone and
|
entry is created and 0 is returned. This is typically used as a second ACL in
|
||||||
always returns true. This is typically used as a second ACL in an expression
|
an expression in order to mark a connection when a first ACL was verified :
|
||||||
in order to mark a connection when a first ACL was verified :
|
|
||||||
|
|
||||||
# block if 5 consecutive requests continue to come faster than 10 sess
|
# block if 5 consecutive requests continue to come faster than 10 sess
|
||||||
# per second, and reset the counter as soon as the traffic slows down.
|
# per second, and reset the counter as soon as the traffic slows down.
|
||||||
acl abuse src_http_req_rate gt 10
|
acl abuse src_http_req_rate gt 10
|
||||||
acl kill src_inc_gpc0 gt 5
|
acl kill src_inc_gpc0 gt 5
|
||||||
acl save src_clr_gpc0
|
acl save src_clr_gpc0 ge 0
|
||||||
tcp-request connection accept if !abuse save
|
tcp-request connection accept if !abuse save
|
||||||
tcp-request connection reject if abuse kill
|
tcp-request connection reject if abuse kill
|
||||||
|
|
||||||
@ -8446,13 +8442,12 @@ src_inc_gpc0 <integer>
|
|||||||
src_inc_gpc0(<table>) <integer>
|
src_inc_gpc0(<table>) <integer>
|
||||||
Increments the first General Purpose Counter associated to the connection's
|
Increments the first General Purpose Counter associated to the connection's
|
||||||
source IPv4 address in the current proxy's stick-table or in the designated
|
source IPv4 address in the current proxy's stick-table or in the designated
|
||||||
stick-table, and returns its value. If the address is not found, an entry is
|
stick-table, and returns its new value. If the address is not found, an entry
|
||||||
created and 1 is returned. The test can also be used alone and always returns
|
is created and 1 is returned. This is typically used as a second ACL in an
|
||||||
true. This is typically used as a second ACL in an expression in order to
|
expression in order to mark a connection when a first ACL was verified :
|
||||||
mark a connection when a first ACL was verified :
|
|
||||||
|
|
||||||
acl abuse src_http_req_rate gt 10
|
acl abuse src_http_req_rate gt 10
|
||||||
acl kill src_inc_gpc0
|
acl kill src_inc_gpc0 gt 0
|
||||||
tcp-request connection reject if abuse kill
|
tcp-request connection reject if abuse kill
|
||||||
|
|
||||||
src_kbytes_in <integer>
|
src_kbytes_in <integer>
|
||||||
|
Loading…
Reference in New Issue
Block a user