7.3.3. Fetching samples at Layer 4



The layer 4 usually describes just the transport layer which in haproxy is closest to the connection, where no content is yet made available. The fetch methods described here are usable as low as the “tcp-request connection” rule sets unless they require some future information.

Those generally include TCP/IP addresses and ports, as well as elements from stick-tables related to the incoming connection. For retrieving a value from a sticky counters, the counter number can be explicitly set as 0, 1, or 2 using the pre-defined “sc0_”, “sc1_”, or “sc2_” prefix, or it can be specified as the first integer argument when using the “sc_” prefix. An optional table may be specified with the “sc*” form, in which case the currently tracked key will be looked up into this alternate table instead of the table currently being tracked.

be_id : integer
Returns an integer containing the current backend’s id. It can be used in frontends with responses to check which backend processed the request.

dst : ip
This is the destination IPv4 address of the connection on the client side, which is the address the client connected to. It can be useful when running in transparent mode. It is of type IP and works on both IPv4 and IPv6 tables. On IPv6 tables, IPv4 address is mapped to its IPv6 equivalent, according to RFC 4291.

dst_conn : integer
Returns an integer value corresponding to the number of currently established connections on the same socket including the one being evaluated. It is normally used with ACLs but can as well be used to pass the information to servers in an HTTP header or in logs. It can be used to either return a sorry page before hard-blocking, or to use a specific backend to drain new requests when the socket is considered saturated. This offers the ability to assign different limits to different listening ports or addresses. See also the “fe_conn” and “be_conn” fetches.

dst_port : integer
Returns an integer value corresponding to the destination TCP port of the connection on the client side, which is the port the client connected to.
This might be used when running in transparent mode, when assigning dynamic ports to some clients for a whole application session, to stick all users to a same server, or to pass the destination port information to a server using an HTTP header.

fe_id : integer
Returns an integer containing the current frontend’s id. It can be used in backends to check from which backend it was called, or to stick all users coming via a same frontend to the same server.

sc_bytes_in_rate(< ctr> [,< table> ]) : integer
sc0_bytes_in_rate([< table> ]) : integer
sc1_bytes_in_rate([< table> ]) : integer
sc2_bytes_in_rate([< table> ]) : integer

Returns the average client-to-server bytes rate from the currently tracked counters, measured in amount of bytes over the period configured in the table. See also src_bytes_in_rate.

sc_bytes_out_rate(< ctr> [,< table> ]) : integer
sc0_bytes_out_rate([< table> ]) : integer
sc1_bytes_out_rate([< table> ]) : integer
sc2_bytes_out_rate([< table> ]) : integer

Returns the average server-to-client bytes rate from the currently tracked counters, measured in amount of bytes over the period configured in the table. See also src_bytes_out_rate.

sc_clr_gpc0(< ctr> [,< table> ]) : integer
sc0_clr_gpc0([< table> ]) : integer
sc1_clr_gpc0([< table> ]) : integer
sc2_clr_gpc0([< table> ]) : integer

Clears the first General Purpose Counter associated to the currently tracked counters, and returns its previous value. Before the first invocation, the stored value is zero, so first invocation will always return zero. This is typically used as a second ACL in an expression in order to mark a connection when a first ACL was verified :

 # block if 5 consecutive requests continue to come faster than 10 sess
        # per second, and reset the counter as soon as the traffic slows down.
        acl abuse sc0_http_req_rate gt 10
        acl kill  sc0_inc_gpc0 gt 5
        acl save  sc0_clr_gpc0 ge 0
        tcp-request connection accept if !abuse save
        tcp-request connection reject if abuse kill

sc_conn_cnt(< ctr> [,< table> ]) : integer
sc0_conn_cnt([< table> ]) : integer
sc1_conn_cnt([< table> ]) : integer
sc2_conn_cnt([< table> ]) : integer

Returns the cumulated number of incoming connections from currently tracked counters. See also src_conn_cnt.

sc_conn_cur(< ctr> [,< table> ]) : integer
sc0_conn_cur([< table> ]) : integer
sc1_conn_cur([< table> ]) : integer
sc2_conn_cur([< table> ]) : integer

Returns the current amount of concurrent connections tracking the same tracked counters. This number is automatically incremented when tracking begins and decremented when tracking stops. See also src_conn_cur.

sc_conn_rate(< ctr> [,< table> ]) : integer
sc0_conn_rate([< table> ]) : integer
sc1_conn_rate([< table> ]) : integer
sc2_conn_rate([< table> ]) : integer

Returns the average connection rate from the currently tracked counters, measured in amount of connections over the period configured in the table.
See also src_conn_rate.

sc_get_gpc0(< ctr> [,< table> ]) : integer
sc0_get_gpc0([< table> ]) : integer
sc1_get_gpc0([< table> ]) : integer
sc2_get_gpc0([< table> ]) : integer

Returns the value of the first General Purpose Counter associated to the currently tracked counters. See also src_get_gpc0 and sc/sc0/sc1/sc2_inc_gpc0.

sc_gpc0_rate(< ctr> [,< table> ]) : integer
sc0_gpc0_rate([< table> ]) : integer
sc1_gpc0_rate([< table> ]) : integer
sc2_gpc0_rate([< table> ]) : integer

Returns the average increment rate of the first General Purpose Counter associated to the currently tracked counters. It reports the frequency which the gpc0 counter was incremented over the configured period. See also src_gpc0_rate, sc/sc0/sc1/sc2_get_gpc0, and sc/sc0/sc1/sc2_inc_gpc0. Note that the “gpc0_rate” counter must be stored in the stick-table for a value to be returned, as “gpc0” only holds the event count.

sc_http_err_cnt(< ctr> [,< table> ]) : integer
sc0_http_err_cnt([< table> ]) : integer
sc1_http_err_cnt([< table> ]) : integer
sc2_http_err_cnt([< table> ]) : integer

Returns the cumulated number of HTTP errors from the currently tracked counters. This includes the both request errors and 4xx error responses.
See also src_http_err_cnt.

sc_http_err_rate(< ctr> [,< table> ]) : integer
sc0_http_err_rate([< table> ]) : integer
sc1_http_err_rate([< table> ]) : integer
sc2_http_err_rate([< table> ]) : integer

Returns the average rate of HTTP errors from the currently tracked counters, measured in amount of errors over the period configured in the table. This includes the both request errors and 4xx error responses. See also src_http_err_rate.

sc_http_req_cnt(< ctr> [,< table> ]) : integer
sc0_http_req_cnt([< table> ]) : integer
sc1_http_req_cnt([< table> ]) : integer
sc2_http_req_cnt([< table> ]) : integer

Returns the cumulated number of HTTP requests from the currently tracked counters. This includes every started request, valid or not. See also src_http_req_cnt.

sc_http_req_rate(< ctr> [,< table> ]) : integer
sc0_http_req_rate([< table> ]) : integer
sc1_http_req_rate([< table> ]) : integer
sc2_http_req_rate([< table> ]) : integer

Returns the average rate of HTTP requests from the currently tracked counters, measured in amount of requests over the period configured in the table. This includes every started request, valid or not. See also src_http_req_rate.

sc_inc_gpc0(< ctr> [,< table> ]) : integer
sc0_inc_gpc0([< table> ]) : integer
sc1_inc_gpc0([< table> ]) : integer
sc2_inc_gpc0([< table> ]) : integer

Increments the first General Purpose Counter associated to the currently tracked counters, and returns its new value. Before the first invocation, the stored value is zero, so first invocation will increase it to 1 and will return 1. This is typically used as a second ACL in an expression in order to mark a connection when a first ACL was verified :

        acl abuse sc0_http_req_rate gt 10
        acl kill  sc0_inc_gpc0 gt 0
        tcp-request connection reject if abuse kill

sc_kbytes_in(< ctr> [,< table> ]) : integer
sc0_kbytes_in([< table> ]) : integer
sc1_kbytes_in([< table> ]) : integer
sc2_kbytes_in([< table> ]) : integer

Returns the total amount of client-to-server data from the currently tracked counters, measured in kilobytes. The test is currently performed on 32-bit integers, which limits values to 4 terabytes. See also src_kbytes_in.

sc_kbytes_out(< ctr> [,< table> ]) : integer
sc0_kbytes_out([< table> ]) : integer
sc1_kbytes_out([< table> ]) : integer
sc2_kbytes_out([< table> ]) : integer

Returns the total amount of server-to-client data from the currently tracked counters, measured in kilobytes. The test is currently performed on 32-bit integers, which limits values to 4 terabytes. See also src_kbytes_out.

sc_sess_cnt(< ctr> [,< table> ]) : integer
sc0_sess_cnt([< table> ]) : integer
sc1_sess_cnt([< table> ]) : integer
sc2_sess_cnt([< table> ]) : integer

Returns the cumulated number of incoming connections that were transformed into sessions, which means that they were accepted by a “tcp-request connection” rule, from the currently tracked counters. A backend may count more sessions than connections because each connection could result in many backend sessions if some HTTP keep-alive is performed over the connection with the client. See also src_sess_cnt.

sc_sess_rate(< ctr> [,< table> ]) : integer
sc0_sess_rate([< table> ]) : integer
sc1_sess_rate([< table> ]) : integer
sc2_sess_rate([< table> ]) : integer

Returns the average session rate from the currently tracked counters, measured in amount of sessions over the period configured in the table. A session is a connection that got past the early “tcp-request connection” rules. A backend may count more sessions than connections because each connection could result in many backend sessions if some HTTP keep-alive is performed over the connection with the client. See also src_sess_rate.

sc_tracked(< ctr> [,< table> ]) : boolean
sc0_tracked([< table> ]) : boolean
sc1_tracked([< table> ]) : boolean
sc2_tracked([< table> ]) : boolean

Returns true if the designated session counter is currently being tracked by the current session. This can be useful when deciding whether or not we want to set some values in a header passed to the server.

sc_trackers(< ctr> [,< table> ]) : integer
sc0_trackers([< table> ]) : integer
sc1_trackers([< table> ]) : integer
sc2_trackers([< table> ]) : integer

Returns the current amount of concurrent connections tracking the same tracked counters. This number is automatically incremented when tracking begins and decremented when tracking stops. It differs from sc0_conn_cur in that it does not rely on any stored information but on the table’s reference count (the “use” value which is returned by “show table” on the CLI). This may sometimes be more suited for layer7 tracking. It can be used to tell a server how many concurrent connections there are from a given address for example.

so_id : integer
Returns an integer containing the current listening socket’s id. It is useful in frontends involving many “bind” lines, or to stick all users coming via a same socket to the same server.

src : ip
This is the source IPv4 address of the client of the session. It is of type IP and works on both IPv4 and IPv6 tables. On IPv6 tables, IPv4 addresses are mapped to their IPv6 equivalent, according to RFC 4291. Note that it is the TCP-level source address which is used, and not the address of a client behind a proxy. However if the “accept-proxy” bind directive is used, it can be the address of a client behind another PROXY-protocol compatible component for all rule sets except “tcp-request connection” which sees the real address.

Example:

# add an HTTP header in requests with the originating address' country
       http-request set-header X-Country %[src,map_ip(geoip.lst)]

src_bytes_in_rate([< table> ]) : integer
Returns the average bytes rate from the incoming connection’s source address in the current proxy’s stick-table or in the designated stick-table, measured in amount of bytes over the period configured in the table. If the address is not found, zero is returned. See also sc/sc0/sc1/sc2_bytes_in_rate.

src_bytes_out_rate([< table> ]) : integer
Returns the average bytes rate to the incoming connection’s source address in the current proxy’s stick-table or in the designated stick-table, measured in amount of bytes over the period configured in the table. If the address is not found, zero is returned. See also sc/sc0/sc1/sc2_bytes_out_rate.

src_clr_gpc0([< table> ]) : integer
Clears the first General Purpose Counter associated to the incoming connection’s source address in the current proxy’s stick-table or in the designated stick-table, and returns its previous value. If the address is not found, an entry is created and 0 is returned. This is typically used as a second ACL in an expression in order to mark a connection when a first ACL was verified :

# block if 5 consecutive requests continue to come faster than 10 sess
        # per second, and reset the counter as soon as the traffic slows down.
        acl abuse src_http_req_rate gt 10
        acl kill  src_inc_gpc0 gt 5
        acl save  src_clr_gpc0 ge 0
        tcp-request connection accept if !abuse save
        tcp-request connection reject if abuse kill

src_conn_cnt([< table> ]) : integer
Returns the cumulated number of connections initiated from the current incoming connection’s source address in the current proxy’s stick-table or in the designated stick-table. If the address is not found, zero is returned. See also sc/sc0/sc1/sc2_conn_cnt.

src_conn_cur([< table> ]) : integer
Returns the current amount of concurrent connections initiated from the current incoming connection’s source address in the current proxy’s stick-table or in the designated stick-table. If the address is not found, zero is returned. See also sc/sc0/sc1/sc2_conn_cur.

src_conn_rate([< table> ]) : integer
Returns the average connection rate from the incoming connection’s source address in the current proxy’s stick-table or in the designated stick-table, measured in amount of connections over the period configured in the table. If the address is not found, zero is returned. See also sc/sc0/sc1/sc2_conn_rate.

src_get_gpc0([< table> ]) : integer
Returns the value of the first General Purpose Counter associated to the incoming connection’s source address in the current proxy’s stick-table or in the designated stick-table. If the address is not found, zero is returned.
See also sc/sc0/sc1/sc2_get_gpc0 and src_inc_gpc0.

src_gpc0_rate([< table> ]) : integer
Returns the average increment rate of the first General Purpose Counter associated to the incoming connection’s source address in the current proxy’s stick-table or in the designated stick-table. It reports the frequency which the gpc0 counter was incremented over the configured period. See also sc/sc0/sc1/sc2_gpc0_rate, src_get_gpc0, and sc/sc0/sc1/sc2_inc_gpc0.
Note that the “gpc0_rate” counter must be stored in the stick-table for a value to be returned, as “gpc0” only holds the event count.

src_http_err_cnt([< table> ]) : integer
Returns the cumulated number of HTTP errors from the incoming connection’s source address in the current proxy’s stick-table or in the designated stick-table. This includes the both request errors and 4xx error responses.
See also sc/sc0/sc1/sc2_http_err_cnt. If the address is not found, zero is returned.

src_http_err_rate([< table> ]) : integer
Returns the average rate of HTTP errors from the incoming connection’s source address in the current proxy’s stick-table or in the designated stick-table, measured in amount of errors over the period configured in the table. This includes the both request errors and 4xx error responses. If the address is not found, zero is returned. See also sc/sc0/sc1/sc2_http_err_rate.

src_http_req_cnt([< table> ]) : integer
Returns the cumulated number of HTTP requests from the incoming connection’s source address in the current proxy’s stick-table or in the designated stick-table. This includes every started request, valid or not. If the address is not found, zero is returned. See also sc/sc0/sc1/sc2_http_req_cnt.

src_http_req_rate([< table> ]) : integer
Returns the average rate of HTTP requests from the incoming connection’s source address in the current proxy’s stick-table or in the designated stick-table, measured in amount of requests over the period configured in the table. This includes every started request, valid or not. If the address is not found, zero is returned. See also sc/sc0/sc1/sc2_http_req_rate.

src_inc_gpc0([< table> ]) : integer
Increments the first General Purpose Counter associated to the incoming connection’s source address in the current proxy’s stick-table or in the designated stick-table, and returns its new value. If the address is not found, an entry is created and 1 is returned. See also sc0/sc2/sc2_inc_gpc0. This is typically used as a second ACL in an expression in order to mark a connection when a first ACL was verified :

acl abuse src_http_req_rate gt 10
        acl kill  src_inc_gpc0 gt 0
        tcp-request connection reject if abuse kill

src_kbytes_in([< table> ]) : integer
Returns the total amount of data received from the incoming connection’s source address in the current proxy’s stick-table or in the designated stick-table, measured in kilobytes. If the address is not found, zero is returned. The test is currently performed on 32-bit integers, which limits values to 4 terabytes. See also sc/sc0/sc1/sc2_kbytes_in.

src_kbytes_out([< table> ]) : integer
Returns the total amount of data sent to the incoming connection’s source address in the current proxy’s stick-table or in the designated stick-table, measured in kilobytes. If the address is not found, zero is returned. The test is currently performed on 32-bit integers, which limits values to 4 terabytes. See also sc/sc0/sc1/sc2_kbytes_out.

src_port : integer
Returns an integer value corresponding to the TCP source port of the connection on the client side, which is the port the client connected from. Usage of this function is very limited as modern protocols do not care much about source ports nowadays.

src_sess_cnt([< table> ]) : integer
Returns the cumulated number of connections initiated from the incoming connection’s source IPv4 address in the current proxy’s stick-table or in the designated stick-table, that were transformed into sessions, which means that they were accepted by “tcp-request” rules. If the address is not found, zero is returned. See also sc/sc0/sc1/sc2_sess_cnt.

src_sess_rate([< table> ]) : integer
Returns the average session rate from the incoming connection’s source address in the current proxy’s stick-table or in the designated stick-table, measured in amount of sessions over the period configured in the table. A session is a connection that went past the early “tcp-request” rules. If the address is not found, zero is returned. See also sc/sc0/sc1/sc2_sess_rate.

src_updt_conn_cnt([< table> ]) : integer
Creates or updates the entry associated to the incoming connection’s source address in the current proxy’s stick-table or in the designated stick-table. This table must be configured to store the “conn_cnt” data type, otherwise the match will be ignored. The current count is incremented by one, and the expiration timer refreshed. The updated count is returned, so this match can’t return zero. This was used to reject service abusers based on their source address. Note: it is recommended to use the more complete “track-sc*” actions in “tcp-request” rules instead.

Example :

# This frontend limits incoming SSH connections to 3 per 10 second for
        # each source address, and rejects excess connections until a 10 second
        # silence is observed. At most 20 addresses are tracked.
        listen ssh
            bind :22
            mode tcp
            maxconn 100
            stick-table type ip size 20 expire 10s store conn_cnt
            tcp-request content reject if { src_updt_conn_cnt gt 3 }
            server local 127.0.0.1:22

srv_id : integer
Returns an integer containing the server’s id when processing the response. While it’s almost only used with ACLs, it may be used for logging or debugging.

Share Button

Leave a Reply