Scope
Particular protected domains (vhosts) may have specific rules to block or pass traffic, for example:
- block all the traffic from particular regions (GeoIP is frequently used for DDoS mitigation) with a custom HTTP status code;
- apply a rate limit only to requests to a particular URL prefix and from a particular geo region.
We are already able to specify per-vhost rate limits, white lists, and use vhosts in HTTPtables. So now (please write configuration examples in the appropriate Wikis) we can do the following:
- set mark in an HTTPtables rule for a particular HTTP field value and use the mark for a whitelist_mark rule (please ensure that HTTPtables work before whitelist_mark);
- send HTTP errors (this is the subject of #1453, "HTTPtables blocking action ignores block_action directive") on the HTTPtables block action, but custom status codes are still in TODO for #1063, "Custom HTTP status codes for block action".
So the first scenario can be satisfied in 0.7 using the nftables GeoIP extension. The second scenario requires only integration between the rate limiting and HTTPtables, i.e. we only need to move HTTP limiting to HTTPtables to be able to write the following rules (scenario 2):
srv_group default { server 1.1.1.1; }
vhost app { proxy_pass default; }
http_chain geo_limit {
    uri != "/heavy_dynamic/*" -> app;
    -> request_rate 5;   # 5 requests per second
}
http_chain {
    mark == 1 -> geo_limit;   # there is a match in netfilter GeoIP
    -> app;   # pass to the application
}
The limiting logic is treated as the current ACTION for HTTPtables.
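To make the chain semantics concrete, here is a small Python model of the two chains above. It is an added example written for this page, not Tempesta FW code: rules are evaluated top-down, `mark` stands for the netfilter mark an nftables GeoIP match would set, and `request_rate 5` is modelled as a per-client sliding one-second window that acts as the rule's action. Two things the issue does not specify are assumed here: a request that stays under the limit continues to vhost `app`, and the limit is keyed on a client identifier.

```python
from collections import deque
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass
class Request:
    """One HTTP request as seen by HTTPtables (constructed sample input)."""
    uri: str
    mark: int = 0       # netfilter mark, e.g. set by an nftables GeoIP match
    client: str = "c1"  # identity the rate limit is keyed on (assumption)
    ts: float = 0.0     # arrival time in seconds


class RateLimiter:
    """Per-client sliding one-second window standing in for `request_rate N`."""

    def __init__(self, limit):
        self.limit = limit
        self.windows = {}

    def allow(self, client, ts):
        q = self.windows.setdefault(client, deque())
        while q and ts - q[0] >= 1.0:      # drop timestamps older than 1 s
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(ts)
        return True


def build_policy():
    """The two chains from the issue. Each rule is (matcher, (kind, target));
    a matcher of `lambda r: True` is the chain's default rule (`-> target;`)."""
    return {
        "geo_limit": [
            (lambda r: not fnmatchcase(r.uri, "/heavy_dynamic/*"), ("vhost", "app")),
            (lambda r: True, ("limit", RateLimiter(5))),
        ],
        "main": [
            (lambda r: r.mark == 1, ("chain", "geo_limit")),
            (lambda r: True, ("vhost", "app")),
        ],
    }


def evaluate(chains, req, chain="main"):
    """Walk a chain top-down; the first matching rule decides the verdict."""
    for matcher, (kind, target) in chains[chain]:
        if not matcher(req):
            continue
        if kind == "chain":
            return evaluate(chains, req, target)
        if kind == "vhost":
            return ("pass", target)
        if kind == "limit":
            # Assumption: a request under the limit continues to vhost "app";
            # one over the limit is rejected by the limiting action itself.
            if target.allow(req.client, req.ts):
                return ("pass", "app")
            return ("block", "rate_limit")
    return ("block", "no_match")


def simulate():
    chains = build_policy()
    # 7 requests within one second from a GeoIP-marked client to a heavy URL:
    # the first 5 pass, the remaining 2 are rejected by request_rate 5.
    heavy = [evaluate(chains, Request("/heavy_dynamic/report", mark=1, ts=i * 0.1))
             for i in range(7)]
    blocked = sum(1 for verdict, _ in heavy if verdict == "block")
    # Same marked client, light URL: geo_limit hands it to app before the limit rule.
    light = evaluate(chains, Request("/index.html", mark=1, ts=0.5))
    # Unmarked client, heavy URL: never enters geo_limit at all.
    unmarked = evaluate(chains, Request("/heavy_dynamic/report", mark=0, ts=0.5))
    # One second later the marked client's window has drained enough to pass again.
    recovered = evaluate(chains, Request("/heavy_dynamic/report", mark=1, ts=1.0))
    return {"blocked": blocked, "light": light, "unmarked": unmarked, "recovered": recovered}


if __name__ == "__main__":
    print(simulate())
```

Running the module prints the four verdicts; the point to notice is that the rate limit never touches requests from unmarked clients or light URLs, because the earlier rules in each chain route them to `app` before the `request_rate` action is reached.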
Testing
The exact list of functional tests is TBD