How to set up HAProxy to drop the connection when a query-string key matches a given value?
I have installed HAProxy 1.5.18 on CentOS 7.
In /etc/haproxy/haproxy.cfg
I have the following lines:
frontend free_api
bind *:80
stats uri /haproxy?stats
mode http
option forwardfor
acl key1 urlp(key) 12345
acl key2 urlp(key) 6789
http-request deny if key1
http-request deny if key2
# use_backend api if api
default_backend api
Now, access to the URL is denied when the query-string key matches the value 12345 or 6789. HAProxy returns a 403 Forbidden
status code.
What I am looking for is to simply drop the connection, so that nothing at all is returned to the user. How can I do this in HAProxy?
Thanks.
With HAProxy v1.6 and later, use the silent-drop directive:
http-request silent-drop if key1
"silent-drop" : this stops the evaluation of the rules and makes the client-facing connection suddenly disappear using a system-dependent way that tries to prevent the client from being notified. The effect is then that the client still sees an established connection while there's none on HAProxy. The purpose is to achieve a comparable effect to "tarpit" except that it doesn't use any local resource at all on the machine running HAProxy. It can resist much higher loads than "tarpit", and slow down stronger attackers. It is important to understand the impact of using this mechanism. All stateful equipment placed between the client and HAProxy (firewalls, proxies, load balancers) will also keep the established connection for a long time and may suffer from this action. On modern Linux systems running with enough privileges, the TCP_REPAIR socket option is used to block the emission of a TCP reset. On other systems, the socket's TTL is reduced to 1 so that the TCP reset doesn't pass the first router, though it's still delivered to local networks. Do not use it unless you fully understand how it works.
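The questioner's frontend rewritten for HAProxy 1.6 or later, as an added example that is not part of the original question or answer. The frontend name, the stats URI, the backend name "api" and the key values 12345 and 6789 come from the question; the defaults section, the timeouts and the backend server line are assumptions added so the configuration is complete enough to load on its own.

```haproxy
# Added example (not the questioner's or answerer's own config).
# Requires HAProxy 1.6+: 1.5.18 does not know the "silent-drop" keyword.

defaults
    mode http
    # Timeouts are assumed values; the question does not give any.
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend free_api
    bind *:80
    stats uri /haproxy?stats
    mode http
    option forwardfor

    # One ACL with two patterns replaces the separate key1/key2 ACLs.
    # "-m str" is the default exact-string match for urlp(); it is
    # written out so the match type is explicit.
    acl blocked_key urlp(key) -m str 12345 6789

    # Before: the client receives a 403 Forbidden response.
    # http-request deny if blocked_key

    # After: the rule evaluation stops and the client gets no response at
    # all. The client keeps seeing an established connection until its
    # own timeout fires, while HAProxy has already released the socket.
    http-request silent-drop if blocked_key

    default_backend api

backend api
    # Assumed backend address; replace with the real API server.
    server api1 127.0.0.1:8080 check
```

Check the file with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading; on 1.5.18 this check fails on the `silent-drop` line, which is the quickest way to confirm that an upgrade is needed. When testing from a client, give curl a deadline, for example `curl --max-time 5 'http://127.0.0.1/?key=12345'`: with `deny` you see the 403 immediately, with `silent-drop` curl exits with code 28 (operation timed out) and no HTTP response. Keep the caveat from the documentation excerpt in mind: every stateful device between the client and HAProxy holds the half-dead connection in its tables for as long as its own idle timeout, and the TCP_REPAIR path only works if the HAProxy process still has the privileges it needs when the rule fires.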