haproxy execution of lines after http-request deny line stopped or not?


I'm very much confused and unable to find the answer: what would cause execution of config lines in haproxy to stop, or would all of them be executed and evaluated at the end?

I was under the impression that if a conditional http-request deny [...] would trigger, it would stop execution right there, but then some examples don't make any sense.

Example (from haproxy docs):

frontend fe_main
   bind :80

   # define stick table
   stick-table  type ip  size 100k  expire 24h  store http_req_rate(5s),gpc0,gpt0

   # begin tracking requests where the key in the table
   # is the client's source IP
   http-request track-sc0 src

   # has the client exceeded 20 requests in 5 seconds?
   acl exceeds_rate_limit sc_http_req_rate(0) gt 20

   # flag them if they exceeded the limit
   http-request sc-set-gpt0(0) 1 if exceeds_rate_limit

   # if they exceeded the limit 3 times, mark them as a known speeder
   acl known_speeder sc_get_gpc0(0) ge 3

   # deny all clients that exceed the limit or are known speeders
   http-request deny deny_status 429 if exceeds_rate_limit || known_speeder

   # count each time they exceed the limit if they were flagged
   acl issue_speeding_ticket sc_get_gpt0(0) eq 1
   http-request sc-inc-gpc0(0) if issue_speeding_ticket

   # reset the flag
   http-request sc-set-gpt0(0) 0

   default_backend be_servers

If http-request deny would stop execution (as I thought it would), then for two cases this won't work as intended, right?

  • If the client is sending a sustained over-limit load of HTTP requests, the acl exceeds_rate_limit evaluates to true so the http-request deny will make the sc-inc-gpc0 line unreachable and no speeding ticket will be issued.
  • If the client exceeds the rate limit and then stops forever, no speeding ticket will be issued, because the last request was denied, similar to the former case.
  • If the client exceeds the rate limit and then slows down to not exceed the limit any longer (and thus behaves again), the speeding ticket will be issued. This is the reverse of what I would have expected to happen.

If http-request deny does not stop execution, then it's very ambiguous what would happen to the request. What if another http-request line matches; will the last one win?

The bigger picture here is that I'm trying to accomplish something similar to the example use case. I need a table that lists how many times a source IP hit the rate limit (but just counted once for maintaining a state of exceeding the rate limit).

I fail to find an authoritative source about rule execution order in haproxy configuration files in the documentation. Perhaps I'm missing something.
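An added example, not part of the question above or of the HAProxy documentation: http-request rules are evaluated in declaration order, and deny is one of the "final" actions (like allow, redirect, tarpit, return) that stops evaluation of the remaining http-request rules for that request, while sc-inc-gpc0 and sc-set-gpt0 are not final and let evaluation continue. The fragment below reorders the docs' rules so the per-episode counter is incremented before the deny is reached; the frontend/backend names and thresholds are copied from the question, the ACL name `already_flagged` is my own.

```haproxy
frontend fe_main
    bind :80

    # same table as in the question: request rate, a counter (gpc0) and a flag (gpt0)
    stick-table  type ip  size 100k  expire 24h  store http_req_rate(5s),gpc0,gpt0

    # track every request by client source IP
    http-request track-sc0 src

    acl exceeds_rate_limit sc_http_req_rate(0) gt 20
    acl already_flagged    sc_get_gpt0(0) eq 1
    acl known_speeder      sc_get_gpc0(0) ge 3

    # First over-limit request of a new episode: count it once and raise the flag.
    # Order matters: the flag is still 0 when the increment rule is evaluated.
    # Both actions are non-final, so evaluation continues to the deny below.
    http-request sc-inc-gpc0(0)   if exceeds_rate_limit !already_flagged
    http-request sc-set-gpt0(0) 1 if exceeds_rate_limit !already_flagged

    # Client is back under the limit: clear the flag so the next episode counts again.
    http-request sc-set-gpt0(0) 0 if !exceeds_rate_limit already_flagged

    # deny is a final action: no later http-request rule runs for a denied request,
    # so it must come after the counting rules, not before them.
    http-request deny deny_status 429 if exceeds_rate_limit || known_speeder

    default_backend be_servers
```

With this ordering a client that stays over the limit forever is still counted (once per episode, not once per request), and a client that slows down is not ticketed for behaving; `echo "show table fe_main" | socat stdio /var/run/haproxy.sock` (assuming a stats socket at that path) shows the gpc0 value per IP.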
