I'm very much confused and unable to find the answer: what would cause execution of config lines in haproxy to stop, or would they all be executed and evaluated at the end?
I was under the impression that if a conditional http-request deny [...] would trigger, it would stop execution right there, but then some examples don't make any sense.
Example (from haproxy docs):
frontend fe_main
    bind :80
    # define stick table
    stick-table type ip size 100k expire 24h store http_req_rate(5s),gpc0,gpt0
    # begin tracking requests where the key in the table
    # is the client's source IP
    http-request track-sc0 src
    # has the client exceeded 20 requests in 5 seconds?
    acl exceeds_rate_limit sc_http_req_rate(0) gt 20
    # flag them if they exceeded the limit
    http-request sc-set-gpt0(0) 1 if exceeds_rate_limit
    # if they exceeded the limit 3 times, mark them as a known speeder
    acl known_speeder sc_get_gpc0(0) ge 3
    # deny all clients that exceed the limit or are known speeders
    http-request deny deny_status 429 if exceeds_rate_limit || known_speeder
    # count each time they exceed the limit if they were flagged
    acl issue_speeding_ticket sc_get_gpt0(0) eq 1
    http-request sc-inc-gpc0(0) if issue_speeding_ticket
    # reset the flag
    http-request sc-set-gpt0(0) 0
    default_backend be_servers
If http-request deny would stop execution (as I thought it would), then for two cases this won't work as intended, right?
- If the client is sending a sustained over-limit load of HTTP requests, the acl exceeds_rate_limit evaluates to true, so the http-request deny will make the sc-inc-gpc0 line unreachable and no speeding ticket will be issued.
- If the client exceeds the rate limit and then stops forever, no speeding ticket will be issued, because the last request was denied, similar to the former case.
- If the client exceeds the rate limit and then slows down to not exceed the limit any longer (and thus behaves again), the speeding ticket will be issued. This is the reverse of what I would have expected to happen.
If http-request deny does not stop execution, then it's very ambiguous what would happen to the request. What if another http-request line matches; will the last one win?
The bigger picture here is that I'm trying to accomplish something similar to the example use case. I need a table that lists how many times a source IP hit the rate limit (but just counted once for maintaining a state of exceeding the rate limit).
I fail to find an authoritative source about rule execution order in haproxy configuration files in the documentation. Perhaps I'm missing something.
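A reworked version of the configuration quoted in the question, added here as an example; it is not part of the original post or of the HAProxy documentation. It relies on the documented behaviour that http-request deny is a final action (the request is rejected and no later http-request rule in the section is evaluated), so the counting and flag rules are placed before the deny; the acl name over_limit_flagged is this example's own.

```haproxy
frontend fe_main
    bind :80

    # One entry per client IP: request rate over 5s, a counter of
    # over-limit episodes (gpc0) and a "currently over the limit" flag (gpt0)
    stick-table type ip size 100k expire 24h store http_req_rate(5s),gpc0,gpt0

    # Track every request (denied ones included) by source IP
    http-request track-sc0 src

    acl exceeds_rate_limit sc_http_req_rate(0) gt 20
    acl over_limit_flagged sc_get_gpt0(0) eq 1     # name added for this example
    acl known_speeder      sc_get_gpc0(0) ge 3

    # Rising edge of an over-limit episode: count it once and raise the flag.
    # The increment must come before the flag is set, because each rule's
    # condition is evaluated when that rule is reached, not at the end.
    http-request sc-inc-gpc0(0)   if exceeds_rate_limit !over_limit_flagged
    http-request sc-set-gpt0(0) 1 if exceeds_rate_limit !over_limit_flagged

    # Falling edge: the client is back under the limit, so clear the flag
    # and let the next over-limit episode be counted again
    http-request sc-set-gpt0(0) 0 if !exceeds_rate_limit over_limit_flagged

    # deny is a final action: nothing after it runs for this request, so all
    # bookkeeping above has already happened when a request is rejected
    http-request deny deny_status 429 if exceeds_rate_limit || known_speeder

    default_backend be_servers
```

The effect is one gpc0 increment per over-limit episode, however many denied requests that episode contains, which is the once-per-state count the question asks for. Once gpc0 reaches 3 the client is rejected for the rest of the table entry's 24h lifetime, whatever its current rate.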