From 869948b0623c50d5ab10f09f4b19c391ec67a942 Mon Sep 17 00:00:00 2001 From: Willy Tarreau Date: Fri, 4 Jan 2013 14:14:57 +0100 Subject: DOC: fix bogus recommendation on usage of gpc0 counter The doc pretends that src_inc_gpc0 may be used alone without an integer match, but this is false and has always been since its introduction in 1.5-dev1. If the ACL is called, the increment will be used, the value returned, but it will be matched against no value so the resulting ACL will never be true and the condition will not be met. This means that the following config : acl abuser src -f abusers.lst acl blacklist src_inc_gpc0 tcp-request connection reject if abuser blacklist Will never reject the connection and must be fixed this way : acl abuser src -f abusers.lst acl blacklist src_inc_gpc0 gt 0 tcp-request connection reject if abuser blacklist Note that clr_gpc0 is trickier, as it returns the previous value which might also be zero. Thus it's suggested to compare it against any positive value including zero : tcp-request connection accept if { src_clr_gpc0 ge 0 } Some arguments were missing on the sc1/sc2 forms of most ACLs including gpc0, so this has been fixed too. --- doc/configuration.txt | 107 ++++++++++++++++++++++++-------------------------- 1 file changed, 51 insertions(+), 56 deletions(-) diff --git a/doc/configuration.txt b/doc/configuration.txt index c594db8..035da78 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt @@ -6375,7 +6375,7 @@ tcp-request content [{if | unless} ] # by SC2), block it globally in the frontend. stick-table type ip size 1m expire 5m store http_req_rate(10s) acl click_too_fast sc2_http_req_rate gt 10 - acl mark_as_abuser sc1_inc_gpc0 + acl mark_as_abuser sc1_inc_gpc0 gt 0 tcp-request content track-sc2 src tcp-request content reject if click_too_fast mark_as_abuser @@ -8120,7 +8120,6 @@ srv_sess_rate(/) acl srv2_full srv_sess_rate(be1/srv2) gt 50 use_backend be2 if srv1_full or srv2_full - connslots connslots() The basic idea here is to be able to measure the number of connection "slots" @@ -8214,112 +8213,110 @@ queue() One possible action could be to reject new users but still accept old ones. See also the "avg_queue", "be_conn", and "be_sess_rate" criteria. -sc1_bytes_in_rate -sc2_bytes_in_rate +sc1_bytes_in_rate +sc2_bytes_in_rate Returns the average client-to-server bytes rate from the currently tracked counters, measured in amount of bytes over the period configured in the table. See also src_bytes_in_rate. -sc1_bytes_out_rate -sc2_bytes_out_rate +sc1_bytes_out_rate +sc2_bytes_out_rate Returns the average server-to-client bytes rate from the currently tracked counters, measured in amount of bytes over the period configured in the table. See also src_bytes_out_rate. -sc1_clr_gpc0 -sc2_clr_gpc0 +sc1_clr_gpc0 +sc2_clr_gpc0 Clears the first General Purpose Counter associated to the currently tracked counters, and returns its previous value. Before the first invocation, the - stored value is zero, so first invocation will always return zero. The test - can also be used alone and always returns true. This is typically used as a - second ACL in an expression in order to mark a connection when a first ACL - was verified : + stored value is zero, so first invocation will always return zero. This is + typically used as a second ACL in an expression in order to mark a connection + when a first ACL was verified : # block if 5 consecutive requests continue to come faster than 10 sess # per second, and reset the counter as soon as the traffic slows down. acl abuse sc1_http_req_rate gt 10 acl kill sc1_inc_gpc0 gt 5 - acl save sc1_clr_gpc0 + acl save sc1_clr_gpc0 ge 0 tcp-request connection accept if !abuse save tcp-request connection reject if abuse kill -sc1_conn_cnt -sc2_conn_cnt +sc1_conn_cnt +sc2_conn_cnt Returns the cumulated number of incoming connections from currently tracked counters. See also src_conn_cnt. -sc1_conn_cur -sc2_conn_cur +sc1_conn_cur +sc2_conn_cur Returns the current amount of concurrent connections tracking the same tracked counters. This number is automatically incremented when tracking begins and decremented when tracking stops. See also src_conn_cur. -sc1_conn_rate -sc2_conn_rate +sc1_conn_rate +sc2_conn_rate Returns the average connection rate from the currently tracked counters, measured in amount of connections over the period configured in the table. See also src_conn_rate. -sc1_get_gpc0 -sc2_get_gpc0 +sc1_get_gpc0 +sc2_get_gpc0 Returns the value of the first General Purpose Counter associated to the currently tracked counters. See also src_get_gpc0 and sc1/sc2_inc_gpc0. -sc1_http_err_cnt -sc2_http_err_cnt +sc1_http_err_cnt +sc2_http_err_cnt Returns the cumulated number of HTTP errors from the currently tracked counters. This includes the both request errors and 4xx error responses. See also src_http_err_cnt. -sc1_http_err_rate -sc2_http_err_rate +sc1_http_err_rate +sc2_http_err_rate Returns the average rate of HTTP errors from the currently tracked counters, measured in amount of errors over the period configured in the table. This includes the both request errors and 4xx error responses. See also src_http_err_rate. -sc1_http_req_cnt -sc2_http_req_cnt +sc1_http_req_cnt +sc2_http_req_cnt Returns the cumulated number of HTTP requests from the currently tracked counters. This includes every started request, valid or not. See also src_http_req_cnt. -sc1_http_req_rate -sc2_http_req_rate +sc1_http_req_rate +sc2_http_req_rate Returns the average rate of HTTP requests from the currently tracked counters, measured in amount of requests over the period configured in the table. This includes every started request, valid or not. See also src_http_req_rate. -sc1_inc_gpc0 -sc2_inc_gpc0 +sc1_inc_gpc0 +sc2_inc_gpc0 Increments the first General Purpose Counter associated to the currently - tracked counters, and returns its value. Before the first invocation, the - stored value is zero, so first invocation will increase it to 1 and will - return 1. The test can also be used alone and always returns true. This is - typically used as a second ACL in an expression in order to mark a connection - when a first ACL was verified : + tracked counters, and returns its new value. Before the first invocation, + the stored value is zero, so first invocation will increase it to 1 and will + return 1. This is typically used as a second ACL in an expression in order + to mark a connection when a first ACL was verified : acl abuse sc1_http_req_rate gt 10 - acl kill sc1_inc_gpc0 + acl kill sc1_inc_gpc0 gt 0 tcp-request connection reject if abuse kill -sc1_kbytes_in -sc2_kbytes_in +sc1_kbytes_in +sc2_kbytes_in Returns the amount of client-to-server data from the currently tracked counters, measured in kilobytes over the period configured in the table. The test is currently performed on 32-bit integers, which limits values to 4 terabytes. See also src_kbytes_in. -sc1_kbytes_out -sc2_kbytes_out +sc1_kbytes_out +sc2_kbytes_out Returns the amount of server-to-client data from the currently tracked counters, measured in kilobytes over the period configured in the table. The test is currently performed on 32-bit integers, which limits values to 4 terabytes. See also src_kbytes_out. -sc1_sess_cnt -sc2_sess_cnt +sc1_sess_cnt +sc2_sess_cnt Returns the cumulated number of incoming connections that were transformed into sessions, which means that they were accepted by a "tcp-request connection" rule, from the currently tracked counters. A backend may count @@ -8327,8 +8324,8 @@ sc2_sess_cnt backend sessions if some HTTP keep-alive is performed over the connection with the client. See also src_sess_cnt. -sc1_sess_rate -sc2_sess_rate +sc1_sess_rate +sc2_sess_rate Returns the average session rate from the currently tracked counters, measured in amount of sessions over the period configured in the table. A session is a connection that got past the early "tcp-request connection" @@ -8336,8 +8333,8 @@ sc2_sess_rate connection could result in many backend sessions if some HTTP keep-alive is performed over the connection with the client. See also src_sess_rate. -sc1_trackers -sc2_trackers +sc1_trackers +sc2_trackers Returns the current amount of concurrent connections tracking the same tracked counters. This number is automatically incremented when tracking begins and decremented when tracking stops. It differs from sc1_conn_cur in @@ -8372,15 +8369,14 @@ src_clr_gpc0() Clears the first General Purpose Counter associated to the connection's source IPv4 address in the current proxy's stick-table or in the designated stick-table, and returns its previous value. If the address is not found, an - entry is created and 0 is returned. The test can also be used alone and - always returns true. This is typically used as a second ACL in an expression - in order to mark a connection when a first ACL was verified : + entry is created and 0 is returned. This is typically used as a second ACL in + an expression in order to mark a connection when a first ACL was verified : # block if 5 consecutive requests continue to come faster than 10 sess # per second, and reset the counter as soon as the traffic slows down. acl abuse src_http_req_rate gt 10 acl kill src_inc_gpc0 gt 5 - acl save src_clr_gpc0 + acl save src_clr_gpc0 ge 0 tcp-request connection accept if !abuse save tcp-request connection reject if abuse kill @@ -8446,13 +8442,12 @@ src_inc_gpc0 src_inc_gpc0(
) Increments the first General Purpose Counter associated to the connection's source IPv4 address in the current proxy's stick-table or in the designated - stick-table, and returns its value. If the address is not found, an entry is - created and 1 is returned. The test can also be used alone and always returns - true. This is typically used as a second ACL in an expression in order to - mark a connection when a first ACL was verified : + stick-table, and returns its new value. If the address is not found, an entry + is created and 1 is returned. This is typically used as a second ACL in an + expression in order to mark a connection when a first ACL was verified : acl abuse src_http_req_rate gt 10 - acl kill src_inc_gpc0 + acl kill src_inc_gpc0 gt 0 tcp-request connection reject if abuse kill src_kbytes_in -- 1.7.12.2.21.g234cd45.dirty