-
Notifications
You must be signed in to change notification settings - Fork 3
/
Copy pathhaproxy.cfg
executable file
·67 lines (48 loc) · 2.1 KB
/
haproxy.cfg
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
global
maxconn 20000
log 127.0.0.1 local0
user haproxy
chroot /usr/share/haproxy
pidfile /run/haproxy.pid
stats socket /var/run/haproxy.stat
lua-load /etc/haproxy/botnet_challenge.lua
lua-load /etc/haproxy/botnet_verify_otp.lua
daemon
frontend main
bind :80
mode http
acl staticfiles path_end -f /etc/haproxy/map.d/staticfiles.map
acl ip_greylist src,map_ip(/etc/haproxy/map.d/greylist.map) -m found
stick-table type ip size 1m expire 24h store gpc0,gpc1,gpt0,http_req_rate(10s)
#track all request but not assets
http-request track-sc0 src table main if !staticfiles
#track ip-useragent only if cookie MyKey is sent
http-request set-header X-Concat %[src]_%[req.fhdr(User-Agent)] if { req.cook(MyKey) -m found }
http-request track-sc1 req.fhdr(X-Concat) table authcookie if { req.cook(MyKey) -m found }
#verify otp
http-request set-var(req.authcookie) req.cook(MyKey)
http-request set-var(req.alreadyauth) sc1_get_gpt0
http-request set-var(req.useragent) req.fhdr(user-agent)
acl authok lua.botnet_verify_otp(req.authcookie,req.alreadyauth,req.useragent) -m bool
#flag gpt=1 in authcookie table with ip/useragent as key if auth is ok
http-request sc-set-gpt0(1) 1 if authok
#increase gpc1 for each challenge display for greylist
http-request sc-inc-gpc1(0) if !authok ip_greylist
#display challenge for 10 first requests
http-request use-service lua.botnet_challenge if !authok ip_greylist { src_get_gpc1(FO) lt 10 }
# tarpit if detected more than 10 challenge display
use_backend tarpit if { src_get_gpc1(main) gt 10 }
# tarpit if waf have detected more than 10 attack, even if authok
use_backend tarpit if { src_get_gpc0(main) gt 10 }
default_backend app
backend authcookie
stick-table type string len 250 size 1m expire 12h store gpt0
backend app
mode http
balance roundrobin
timeout connect 5s
timeout server 30s
timeout queue 30s
backend honeypot
mode http
http-request tarpit