IP rate limiting on EC2 and 100% CPU usage

Posted by Vladimir Mihailenco 
March 27, 2018 04:30PM
Hi,

I am using the latest haproxy with an EC2 elastic load balancer configured to
proxy TCP:443 <-> TCP:443 to support HTTP2. PROXY protocol is enabled to
get original IP address.

IP rate limiting is done using the following config:

frontend fe_http
    bind *:443 accept-proxy ssl crt ... no-sslv3 alpn h2,http/1.1

    stick-table type ip size 256k expire 10s store http_req_rate(10s)
    tcp-request inspect-delay 5s
    # Must use "content" because of PROXY protocol.
    tcp-request content track-sc0 src

    acl check_http_req_rate sc0_http_req_rate ge 256
    tcp-request content reject if check_http_req_rate
    use_backend be_429_slow_down if check_http_req_rate

backend be_429_slow_down
    errorfile 503 /etc/haproxy/errors/429.http

It works and is helpful until some point when haproxy consumes 100% CPU on
1 of 4 available cores and requests start failing. It can be that I need
better/more hardware, but I wonder if there is anything I can improve in my
config to lower CPU usage? Thanks in advance.
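
The config comment above ("Must use "content" because of PROXY protocol") can be shown with a small model; this is an added example, not part of the original post and not HAProxy code. With `accept-proxy`, `tcp-request connection` rules see the load balancer's address while later rules see the address carried in the PROXY header, so the key used for tracking decides who gets blocked. The counter is an exact sliding window standing in for `http_req_rate(10s)` (an assumption, not HAProxy's internal algorithm), and all addresses are constructed.

```python
import ipaddress
from collections import defaultdict, deque

LIMIT, WINDOW = 256, 10.0  # "sc0_http_req_rate ge 256", "http_req_rate(10s)"

def parse_proxy_v1(line: bytes):
    """Return the source IP carried in a PROXY protocol v1 header, or None for UNKNOWN."""
    if len(line) > 107 or not line.endswith(b"\r\n"):
        raise ValueError("not a complete PROXY v1 line")
    parts = line[:-2].decode("ascii").split(" ")
    if parts[0] != "PROXY" or len(parts) < 2:
        raise ValueError("missing PROXY signature")
    if parts[1] == "UNKNOWN":
        return None
    if parts[1] not in ("TCP4", "TCP6") or len(parts) != 6:
        raise ValueError("bad protocol or field count")
    src, dst = ipaddress.ip_address(parts[2]), ipaddress.ip_address(parts[3])
    if {src.version, dst.version} != {4 if parts[1] == "TCP4" else 6}:
        raise ValueError("address family mismatch")
    if not all(p.isdigit() and int(p) <= 65535 for p in parts[4:]):
        raise ValueError("bad port")
    return str(src)

def over_limit(table, key, now):
    """Simplified sliding window: True once key has LIMIT hits within WINDOW seconds."""
    q = table[key]
    while q and now - q[0] >= WINDOW:
        q.popleft()
    q.append(now)
    return len(q) >= LIMIT

def blocked_clients(connections, key_on_proxy_src):
    """Return the clients rejected when tracking by PROXY source or by TCP peer."""
    table, blocked = defaultdict(deque), set()
    for now, peer_ip, header in connections:
        client = parse_proxy_v1(header) or peer_ip
        key = client if key_on_proxy_src else peer_ip
        if over_limit(table, key, now):
            blocked.add(client)
    return blocked

def sample_connections():
    """Constructed traffic: one noisy client and 200 quiet ones behind one balancer."""
    elb, conns = "10.0.0.5", []  # constructed load balancer address
    for i in range(300):
        t = i * 0.01
        conns.append((t, elb, b"PROXY TCP4 203.0.113.9 10.0.0.10 40000 443\r\n"))
        conns.append((t, elb, b"PROXY TCP4 198.51.100.%d 10.0.0.10 50000 443\r\n" % (i % 200 + 1)))
    return conns
```

Keyed on the PROXY source, only the noisy client crosses the threshold; keyed on the TCP peer, every client behind the balancer shares one counter and is rejected once it fills.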