HAProxy Enterprise Documentation 1.8r2

Rate limit HTTP requests by URL

You can assign distinct rate limits to individual URLs and pages in your web application. This type of configuration can be useful when different pages require different amounts of processing time, and thus can handle a different number of concurrent users. This configuration uses a map file to associate different rate limits to different URLs in your web application.

  1. In the /etc/hapee-1.8 directory, create a file called rates.map.

  2. In the file, list the URL paths and rate thresholds, for example:

    /urla  10
    /urlb  20
    /urlc  30
  3. Update the proxy configuration to include the stick-table and http-request track directives shown below:

    frontend website
        bind :80
        stick-table  type binary  len 20  size 100k  expire 10s  store http_req_rate(10s)
        # Track client by base32+src (Host header + URL path + src IP)
        http-request track-sc0 base32+src

    The stick table has a key of binary to match the tracked value generated by the http-request track-sc0 base32+src directive, which is a hash of the HTTP Host header, the URL path, and the client's source IP address. This key allows us to differentiate request rates across all different web pages.

  4. Add the following http-request set-var directive to retrieve the rate limit threshold from the rates.map file:

    # Check map file to get rate limit for path
    http-request set-var(req.rate_limit)  path,map_beg(/etc/hapee-1.8/rates.map,20)

    This directive finds the request rate threshold in the rates.map file for the current URL path being requested. If the URL is not in the map file, a default value of 20 is used. The resulting threshold value is stored in the variable req.rate_limit.

  5. Add the following http-request set-var directive to record the client's request rate:

    # Client's request rate is tracked
    http-request set-var(req.request_rate)  base32+src,table_http_req_rate()
  6. Create an ACL named rate_abuse that is set to true if the client request rate is greater than the rate limit threshold.

    # Subtract the current request rate from the limit
    # If less than zero, set rate_abuse to true
    acl rate_abuse var(req.rate_limit),sub(req.request_rate) lt 0
  7. If the threshold is exceeded, deny the request.

    # Deny if rate abuse
    http-request deny deny_status 429 if rate_abuse
    default_backend servers

Next up

Rate limit HTTP requests by URL parameter