HAProxy Enterprise Documentation 2.2r1

Tarpit

You can tarpit a client's HTTP request, which stalls the request for a period of time before returning an error response. This is often used to deter a malicious bot army, since it ties up bots so that they cannot immediatley retry their requests.

In the example below, we use http-request tarpit to tarpit the client if they exceed a rate limit. Use timeout tarpit to set how long HAProxy Enterprise waits before returning an error response:

frontend www
   bind :80

   stick-table  type ip  size 100k  expire 30s  store http_req_rate(10s)
   http-request track-sc0 src
   timeout tarpit 10s
   http-request tarpit deny_status 429 if { sc_http_req_rate(0) gt 20 }

   default_backend webservers

Next up

Single Sign-on