HAProxy limit connections per IP – Here is how we do it
Are you looking for how to limit connections per IP in HAProxy? We can help you.
Rate limiting connections per IP can protect the servers from attacks like DDoS.
At the same time, this can be useful for the proper usage of the resource.
At Bobcares, we often get requests to limit connections using HAProxy, as a part of our Server Management Services.
Today, let’s see the possible ways by which our Support Engineers do this.
Why we need rate limiting in HAProxy?
HAProxy is an open-source proxy server. At the same time, it is a load balancer with high availability.
Rate limiting is a common practice that Server Administrators advice in order to secure a server. Because too many connections from a single IP can mostly be an attack like DDoS.
By limiting the number of allowable connections per IP, we can avoid this situation.
So let’s see how our Support Engineers do this for our customers.
How we limit connections per IP in HAProxy?
Usually, to change the HAProxy settings our Support Engineers edit its configuration. Let’s see the configuration change in this case. For rate-limiting an IP, we add the code which appears as,
Let’s have a closer look at this code. Here we limit the number of requests a client can make to 20 requests in 10s.
We use the stick-table directive to store that data regarding the IP. So it counts the HTTP requests made by the particular IP.
Then it tracks the request. For this, we defined the parameter, http-request track-sc0 src. And denies the IP, if it exceeds the specified limit as per the parameter http-request track-sc0 src.
If the stick table has no update, then it marks the inactivity. Later it returns to the state specified by the parameter, sc_http_req_rate.
Thus by properly defining the required parameters, we can rate-limit connections in HAProxy.
[Need assistance in securing servers using HAProxy? – We are available 24/7.]
In short, for securing servers we usually, limit connections per IP in HAProxy. Hence we avoid the possible risk of DDoS attacks. Today, we saw how our Support Engineers do this.