haproxy-manager-base/templates/hap_backend_basic.tpl


backend {{ name }}-backend
    option forwardfor
    # Pass the real client IP to backend (from proxy headers or direct connection)
    http-request add-header X-CLIENT-IP %[var(txn.real_ip)]
    http-request set-header X-Real-IP %[var(txn.real_ip)]
    
    # Define error status codes
    acl is_404_error status 404
    acl is_403_error status 403  
    acl is_401_error status 401
    acl is_400_error status 400
    
    # Define suspicious scan patterns - only these count as scan attempts
    acl scan_scripts path_reg -i \.(php|asp|aspx|jsp|cgi|pl|py|rb|sh|bash)$
    acl scan_admin path_reg -i /(wp-admin|wp-login|phpmyadmin|adminer|manager|admin-console)
    acl scan_configs path_reg -i \.(env|git|svn|htaccess|htpasswd|ini|conf|config|yml|yaml|toml)
    acl scan_backups path_reg -i \.(backup|bak|old|orig|save|swp|sql|db|dump|tar|zip|rar|7z)
    acl scan_vulns path_reg -i /(cgi-bin|fckeditor|tiny_mce|ckfinder|userfiles|filemanager)
    
    # Combine all scan patterns
    acl is_suspicious_request scan_scripts or scan_admin or scan_configs or scan_backups or scan_vulns
    
    # Define legitimate static assets that should NOT count
    acl legitimate_assets path_reg -i \.(css|js|jpg|jpeg|png|gif|svg|ico|woff|woff2|ttf|eot|otf|map|webp|mp4|webm|pdf)$
    acl legitimate_paths path_beg /static/ /assets/ /media/ /images/ /fonts/ /css/ /js/
    
    # Only count suspicious 404s and auth failures
    acl is_scan_attempt is_suspicious_request is_404_error !legitimate_assets !legitimate_paths
    acl is_scan_attempt is_403_error !legitimate_assets !legitimate_paths
    acl is_scan_attempt is_401_error
    
    # Track scan attempts in the frontend stick table
    http-response sc-inc-gpc0(0) if is_scan_attempt
    
    {% for server in servers %}
    server {{ server.server_name }} {{ server.server_address }}:{{ server.server_port }} {{ server.server_options }}
    {% endfor %}
Adding template overrides 2025-02-21 08:01:16 -08:00
			`backend {{ name }}-backend`
Update all backend templates with real IP forwarding and scan detection Extends the tarpit protection and real IP handling to all backend templates, ensuring consistent behavior across different backend configurations. Changes to all backend templates: - Pass real client IP via X-CLIENT-IP and X-Real-IP headers - Use var(txn.real_ip) which contains the actual client IP (from proxy headers or direct) - Add scan attempt detection (400/401/403/404 errors) - Track suspicious paths (admin panels, config files, etc.) - Increment error counters for tarpit decisions Updated templates: - hap_backend.tpl: Main backend template - hap_backend_http_check.tpl: Backend with HTTP health checks - hap_backend_basic.tpl: Minimal backend configuration Benefits: - Backend applications receive the real client IP, not proxy IPs - All backend types now contribute to scan detection - Consistent security across different backend configurations - Works seamlessly with Cloudflare and other CDNs 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-08-24 06:59:26 -07:00			`option forwardfor`
			`# Pass the real client IP to backend (from proxy headers or direct connection)`
			`http-request add-header X-CLIENT-IP %[var(txn.real_ip)]`
			`http-request set-header X-Real-IP %[var(txn.real_ip)]`

Make scan detection more targeted to avoid false positives Major changes to prevent legitimate users from being blocked: 1. Increased thresholds significantly: - Initial trigger: 10 → 25 errors - Medium level: 20 → 40 errors - High level: 35 → 60 errors - Critical level: 50 → 100 errors 2. Only count actual scan attempts as errors: - Script files: .php, .asp, .jsp, .cgi, .pl, .py, .rb, .sh - Admin paths: /wp-admin, /phpmyadmin, /adminer - Config files: .env, .git, .htaccess, .ini, .yml - Backup files: .backup, .bak, .sql, .dump - Known vulnerable paths: /cgi-bin, /fckeditor 3. Explicitly exclude legitimate assets from counting: - Images: .jpg, .png, .gif, .svg, .webp - Fonts: .woff, .woff2, .ttf, .eot, .otf - Static: .css, .js, .map, .pdf - Common paths: /static/, /assets/, /fonts/, /images/ 4. Still count all 401/403 errors (auth failures are suspicious) This prevents missing fonts, images, CSS files from triggering blocks while still catching actual vulnerability scanners. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-08-25 12:39:15 -07:00			`# Define error status codes`
Update all backend templates with real IP forwarding and scan detection Extends the tarpit protection and real IP handling to all backend templates, ensuring consistent behavior across different backend configurations. Changes to all backend templates: - Pass real client IP via X-CLIENT-IP and X-Real-IP headers - Use var(txn.real_ip) which contains the actual client IP (from proxy headers or direct) - Add scan attempt detection (400/401/403/404 errors) - Track suspicious paths (admin panels, config files, etc.) - Increment error counters for tarpit decisions Updated templates: - hap_backend.tpl: Main backend template - hap_backend_http_check.tpl: Backend with HTTP health checks - hap_backend_basic.tpl: Minimal backend configuration Benefits: - Backend applications receive the real client IP, not proxy IPs - All backend types now contribute to scan detection - Consistent security across different backend configurations - Works seamlessly with Cloudflare and other CDNs 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-08-24 06:59:26 -07:00			`acl is_404_error status 404`
			`acl is_403_error status 403`
			`acl is_401_error status 401`
			`acl is_400_error status 400`

Make scan detection more targeted to avoid false positives Major changes to prevent legitimate users from being blocked: 1. Increased thresholds significantly: - Initial trigger: 10 → 25 errors - Medium level: 20 → 40 errors - High level: 35 → 60 errors - Critical level: 50 → 100 errors 2. Only count actual scan attempts as errors: - Script files: .php, .asp, .jsp, .cgi, .pl, .py, .rb, .sh - Admin paths: /wp-admin, /phpmyadmin, /adminer - Config files: .env, .git, .htaccess, .ini, .yml - Backup files: .backup, .bak, .sql, .dump - Known vulnerable paths: /cgi-bin, /fckeditor 3. Explicitly exclude legitimate assets from counting: - Images: .jpg, .png, .gif, .svg, .webp - Fonts: .woff, .woff2, .ttf, .eot, .otf - Static: .css, .js, .map, .pdf - Common paths: /static/, /assets/, /fonts/, /images/ 4. Still count all 401/403 errors (auth failures are suspicious) This prevents missing fonts, images, CSS files from triggering blocks while still catching actual vulnerability scanners. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-08-25 12:39:15 -07:00			`# Define suspicious scan patterns - only these count as scan attempts`
			`acl scan_scripts path_reg -i \.(php\|asp\|aspx\|jsp\|cgi\|pl\|py\|rb\|sh\|bash)$`
			`acl scan_admin path_reg -i /(wp-admin\|wp-login\|phpmyadmin\|adminer\|manager\|admin-console)`
			`acl scan_configs path_reg -i \.(env\|git\|svn\|htaccess\|htpasswd\|ini\|conf\|config\|yml\|yaml\|toml)`
			`acl scan_backups path_reg -i \.(backup\|bak\|old\|orig\|save\|swp\|sql\|db\|dump\|tar\|zip\|rar\|7z)`
			`acl scan_vulns path_reg -i /(cgi-bin\|fckeditor\|tiny_mce\|ckfinder\|userfiles\|filemanager)`

			`# Combine all scan patterns`
			`acl is_suspicious_request scan_scripts or scan_admin or scan_configs or scan_backups or scan_vulns`

			`# Define legitimate static assets that should NOT count`
			`acl legitimate_assets path_reg -i \.(css\|js\|jpg\|jpeg\|png\|gif\|svg\|ico\|woff\|woff2\|ttf\|eot\|otf\|map\|webp\|mp4\|webm\|pdf)$`
			`acl legitimate_paths path_beg /static/ /assets/ /media/ /images/ /fonts/ /css/ /js/`

			`# Only count suspicious 404s and auth failures`
			`acl is_scan_attempt is_suspicious_request is_404_error !legitimate_assets !legitimate_paths`
			`acl is_scan_attempt is_403_error !legitimate_assets !legitimate_paths`
			`acl is_scan_attempt is_401_error`
Update all backend templates with real IP forwarding and scan detection Extends the tarpit protection and real IP handling to all backend templates, ensuring consistent behavior across different backend configurations. Changes to all backend templates: - Pass real client IP via X-CLIENT-IP and X-Real-IP headers - Use var(txn.real_ip) which contains the actual client IP (from proxy headers or direct) - Add scan attempt detection (400/401/403/404 errors) - Track suspicious paths (admin panels, config files, etc.) - Increment error counters for tarpit decisions Updated templates: - hap_backend.tpl: Main backend template - hap_backend_http_check.tpl: Backend with HTTP health checks - hap_backend_basic.tpl: Minimal backend configuration Benefits: - Backend applications receive the real client IP, not proxy IPs - All backend types now contribute to scan detection - Consistent security across different backend configurations - Works seamlessly with Cloudflare and other CDNs 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-08-24 06:59:26 -07:00
			`# Track scan attempts in the frontend stick table`
			`http-response sc-inc-gpc0(0) if is_scan_attempt`

Fix server configuration templates - add proper newlines between server entries 2025-07-13 01:21:19 -07:00			`{% for server in servers %}`
			`server {{ server.server_name }} {{ server.server_address }}:{{ server.server_port }} {{ server.server_options }}`
			`{% endfor %}`
Adding template overrides 2025-02-21 08:01:16 -08:00