haproxy-manager-base/templates/hap_backend.tpl


backend {{ name }}-backend
    option forwardfor
    http-request add-header X-CLIENT-IP %[src]
    {% if ssl_enabled %}http-request set-header X-Forwarded-Proto https if { ssl_fc }{% endif %}
    
    # Define scanning attempt patterns
    acl is_404_error status 404
    acl is_403_error status 403  
    acl is_401_error status 401
    acl is_400_error status 400
    acl is_scan_attempt status 400 401 403 404
    
    # Additional suspicious patterns
    acl suspicious_path path_reg -i \.(php|asp|aspx|jsp|cgi)$
    acl suspicious_path path_reg -i /(wp-admin|phpmyadmin|admin|login|xmlrpc)
    acl suspicious_path path_reg -i \.(env|git|svn|backup|bak|old)
    
    # Track scan attempts in the frontend stick table
    # This increments the counter AFTER the backend responds with an error
    # The frontend will check this counter on SUBSEQUENT requests
    http-response sc-inc-gpc0(0) if is_scan_attempt
    
    {% for server in servers %}
    server {{ server.server_name }} {{ server.server_address }}:{{ server.server_port }} {{ server.server_options }}
    {% endfor %}
Not fully working, but saving progress 2025-02-19 07:53:26 -08:00
			`backend {{ name }}-backend`
			`option forwardfor`
			`http-request add-header X-CLIENT-IP %[src]`
haproxy manager 2025-02-20 13:41:38 -08:00			`{% if ssl_enabled %}http-request set-header X-Forwarded-Proto https if { ssl_fc }{% endif %}`
Add HAProxy tarpit escalation for exploit scanning protection Implement progressive tarpit delays and threat detection to slow down attackers scanning for exploits. Features include: - Stick table to track attacks with 2-hour expiry - Escalating tarpit delays based on threat level and repeat offenses - Threat level detection (low/medium/high/critical) based on scan attempts - Rate-based attack detection for burst/sustained/persistent attacks - Automatic scan attempt tracking via HTTP error responses (400/401/403/404) - Detection of suspicious paths (admin panels, config files, etc.) - Trusted network bypass for local/monitoring systems - Progressive escalation levels that increase tarpit duration - Critical threat blocking with 429 status The system uses HAProxy's built-in tarpit mechanism to delay responses up to 60 seconds for persistent attackers, effectively slowing down vulnerability scanners while maintaining service for legitimate users. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-08-23 18:09:28 -07:00
			`# Define scanning attempt patterns`
			`acl is_404_error status 404`
			`acl is_403_error status 403`
			`acl is_401_error status 401`
			`acl is_400_error status 400`
			`acl is_scan_attempt status 400 401 403 404`

			`# Additional suspicious patterns`
			`acl suspicious_path path_reg -i \.(php\|asp\|aspx\|jsp\|cgi)$`
			`acl suspicious_path path_reg -i /(wp-admin\|phpmyadmin\|admin\|login\|xmlrpc)`
			`acl suspicious_path path_reg -i \.(env\|git\|svn\|backup\|bak\|old)`

			`# Track scan attempts in the frontend stick table`
Fix tarpit to only apply AFTER backend error responses Corrected the tarpit logic flow to work as intended: 1. Backend tracks 400/401/403/404 error responses via http-response 2. Counter increments AFTER the backend responds with an error 3. Frontend checks counter on SUBSEQUENT requests 4. Tarpit/blocking only applies after error thresholds are reached: - 5+ errors: Potential scanner (no action yet) - 15+ errors: Likely scanner (tarpit if also burst traffic) - 30+ errors: Confirmed scanner (always tarpit) - 50+ errors: Aggressive scanner (block with 429) This ensures: - Normal traffic is never delayed - First requests always go through normally - Only clients that accumulate errors get progressively slowed/blocked - The tarpit is a response to bad behavior, not a preemptive measure 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-08-23 18:48:21 -07:00			`# This increments the counter AFTER the backend responds with an error`
			`# The frontend will check this counter on SUBSEQUENT requests`
Add HAProxy tarpit escalation for exploit scanning protection Implement progressive tarpit delays and threat detection to slow down attackers scanning for exploits. Features include: - Stick table to track attacks with 2-hour expiry - Escalating tarpit delays based on threat level and repeat offenses - Threat level detection (low/medium/high/critical) based on scan attempts - Rate-based attack detection for burst/sustained/persistent attacks - Automatic scan attempt tracking via HTTP error responses (400/401/403/404) - Detection of suspicious paths (admin panels, config files, etc.) - Trusted network bypass for local/monitoring systems - Progressive escalation levels that increase tarpit duration - Critical threat blocking with 429 status The system uses HAProxy's built-in tarpit mechanism to delay responses up to 60 seconds for persistent attackers, effectively slowing down vulnerability scanners while maintaining service for legitimate users. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-08-23 18:09:28 -07:00			`http-response sc-inc-gpc0(0) if is_scan_attempt`

Fix server configuration templates - add proper newlines between server entries 2025-07-13 01:21:19 -07:00			`{% for server in servers %}`
			`server {{ server.server_name }} {{ server.server_address }}:{{ server.server_port }} {{ server.server_options }}`
			`{% endfor %}`
Fix Templates from causing errors with haproxy when added, Fix add notice when haproxy fails check 2025-02-21 06:28:51 -08:00