Hi, my company would like to hire someone for a few hours' worth of
consulting time to help us gut-check our haproxy configuration and
setup.
In particular, this is what we are trying to do:
We are trying to limit connections to our server by IP address, but
over a given time window for each IP. If it has connected in the last
5 minutes it is allowed to continue connecting, regardless of whether
the IP limit has been reached.
If it is a new IP, it is only allowed if the number of other IPs is
below the limit. So if an IP gets "in", as long as it continues to
connect at least once every 5 minutes it will always be allowed to
continue connecting.
I have set something up to do this using a secondary process that checks the haproxy stick-table (via socat) for the number of entries (the entries are tracked by IP and expired after 5 minutes). If the number of entries is greater than the limit, it shuts down a Sinatra Ruby app that is configured as a backend in haproxy's config, and the configured frontend has an ACL that checks whether that backend is down when deciding if it can allow in a new IP.
We'd like some expert eyes to look over this setup and suggest alternatives or improvements, and also suggestions for how to load test this setup to make sure it will work well at scale.
thanks,
Cory
Received on 2011/10/18 18:39
This archive was generated by hypermail 2.2.0 : 2011/10/18 18:45 CEST
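The watcher described in the post, written out as an added example; this is not code from the original message or from the haproxy project. It reads the stick-table over haproxy's stats socket, compares the number of tracked IPs with the limit, and instead of stopping a Sinatra process it flips the gate server with the stats socket's "disable server" / "enable server" commands (which need `stats socket ... level admin`). The socket path, the table name "seen_ips", the backend/server "gate/gate1" and the sample `show table` output are assumptions for illustration; the haproxy config that tracks the client IP in the table and tests the gate backend with an ACL is assumed to exist and is not shown.

```ruby
# Added example (not from the original post): a watcher for the IP-admission
# scheme described above. Hypothetical assumptions, change to match your config:
#   - haproxy exposes an admin socket: stats socket /var/run/haproxy.sock level admin
#   - the per-IP stick-table is named "seen_ips" (type ip, expire 5m)
#   - the "gate" is a backend named "gate" with one server "gate1"; the frontend
#     admits a brand-new IP only while that backend has a server up (an acl on
#     nbsrv(gate)), and always admits IPs that are already in the table.
# Rather than stopping a Sinatra process, the gate server is flipped with the
# stats socket's "disable server" / "enable server" commands.
require 'socket'

ADMIN_SOCKET = '/var/run/haproxy.sock' # assumed path
TABLE        = 'seen_ips'              # assumed stick-table name
GATE         = 'gate/gate1'            # assumed backend/server

# Constructed sample of what `show table seen_ips` returns: three tracked IPs.
SAMPLE_TABLE = <<'TABLE'
# table: seen_ips, type: ip, size:102400, used:3
0x7f9c5c0311a0: key=203.0.113.5 use=0 exp=299871 conn_cnt=4
0x7f9c5c0312b0: key=198.51.100.9 use=1 exp=12008 conn_cnt=1
0x7f9c5c0313c0: key=192.0.2.77 use=0 exp=299999 conn_cnt=2
TABLE

# Parse `show table` output. Returns [used, keys]: `used` from the header line
# (falls back to counting entries if the header is missing) and the list of keys.
def parse_show_table(text)
  used = nil
  keys = []
  text.each_line do |line|
    if line.start_with?('#')
      m = line.match(/used:\s*(\d+)/)
      used = m[1].to_i if m
    elsif (m = line.match(/\bkey=(\S+)/))
      keys << m[1]
    end
  end
  [used || keys.length, keys]
end

# The admission rule from the post: new IPs get in only while the number of
# currently tracked IPs is below the limit. IPs already in the table are
# unaffected because the frontend tests the table before it tests the gate.
def gate_should_be_up?(used, limit)
  used < limit
end

# Stats-socket command that puts the gate server in the wanted state.
def gate_command(up)
  "#{up ? 'enable' : 'disable'} server #{GATE}"
end

# Send one command to the admin socket and return haproxy's reply.
def haproxy_cmd(cmd, path = ADMIN_SOCKET)
  UNIXSocket.open(path) do |s|
    s.write("#{cmd}\n")
    s.close_write
    s.read
  end
end

# One polling step: read the table, decide, and flip the gate only on change.
# Returns [used, gate_up] so the decision is visible to callers.
def poll_once(limit, current_up, path = ADMIN_SOCKET)
  used, _keys = parse_show_table(haproxy_cmd("show table #{TABLE}", path))
  want_up = gate_should_be_up?(used, limit)
  haproxy_cmd(gate_command(want_up), path) if want_up != current_up
  [used, want_up]
end

# Poll forever. `up` starts as nil so the first iteration always sends a
# command and brings the gate in line with the table, whatever state it was
# left in. Socket errors are logged and retried; the gate keeps its last
# state in the meantime.
def watch_loop(limit, interval = 1)
  up = nil
  loop do
    begin
      used, up = poll_once(limit, up)
      $stderr.puts "tracked=#{used} limit=#{limit} gate_up=#{up}"
    rescue SystemCallError => e
      $stderr.puts "stats socket error: #{e.message}"
    end
    sleep interval
  end
end

# Usage: ruby watcher.rb watch 100   (limit of 100 distinct IPs)
watch_loop(Integer(ARGV[1])) if ARGV[0] == 'watch'
```

Two caveats apply to this design as much as to the Sinatra version: the check and the flip are a polling race, so every new IP that arrives within one interval after the table reaches the limit still gets in (the limit is soft by up to one interval's worth of new sources), and nothing else may toggle the same server or the watcher's idea of its state drifts. For the load test the post asks about, the `used:` value from `show table` is the number to watch while hitting the frontend from more distinct source addresses than the limit, with one group of them reconnecting more often than the 5-minute expiry and another going quiet, to confirm that the first group keeps its slots and the second loses them.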