haproxy-manager-base/templates/hap_backend_basic.tpl


backend {{ name }}-backend
    option forwardfor
    # Pass the real client IP to backend (from proxy headers or direct connection)
    http-request add-header X-CLIENT-IP %[var(txn.real_ip)]
    http-request set-header X-Real-IP %[var(txn.real_ip)]
    
    # Define error status codes
    acl is_404_error status 404
    acl is_403_error status 403  
    acl is_401_error status 401
    acl is_400_error status 400
    
    # Define suspicious scan patterns - only these count as scan attempts
    acl scan_scripts path_reg -i \.(php|asp|aspx|jsp|cgi|pl|py|rb|sh|bash)$
    acl scan_admin path_reg -i /(wp-admin|wp-login|phpmyadmin|adminer|manager|admin-console)
    acl scan_configs path_reg -i \.(env|git|svn|htaccess|htpasswd|ini|conf|config|yml|yaml|toml)
    acl scan_backups path_reg -i \.(backup|bak|old|orig|save|swp|sql|db|dump|tar|zip|rar|7z)
    acl scan_vulns path_reg -i /(cgi-bin|fckeditor|tiny_mce|ckfinder|userfiles|filemanager)
    
    # Define legitimate static assets that should NOT count
    acl legitimate_assets path_reg -i \.(css|js|jpg|jpeg|png|gif|svg|ico|woff|woff2|ttf|eot|otf|map|webp|mp4|webm|pdf)$
    acl legitimate_paths path_beg /static/ /assets/ /media/ /images/ /fonts/ /css/ /js/
    
    # Track scan attempts in the frontend stick table
    # Only count suspicious 404s and auth failures
    http-response sc-inc-gpc0(0) if scan_scripts is_404_error !legitimate_assets !legitimate_paths
    http-response sc-inc-gpc0(0) if scan_admin is_404_error !legitimate_assets !legitimate_paths
    http-response sc-inc-gpc0(0) if scan_configs is_404_error !legitimate_assets !legitimate_paths
    http-response sc-inc-gpc0(0) if scan_backups is_404_error !legitimate_assets !legitimate_paths
    http-response sc-inc-gpc0(0) if scan_vulns is_404_error !legitimate_assets !legitimate_paths
    http-response sc-inc-gpc0(0) if is_403_error !legitimate_assets !legitimate_paths
    http-response sc-inc-gpc0(0) if is_401_error
    
    {% for server in servers %}
    server {{ server.server_name }} {{ server.server_address }}:{{ server.server_port }} {{ server.server_options }}
    {% endfor %}
Adding template overrides 2025-02-21 08:01:16 -08:00
			`backend {{ name }}-backend`
Update all backend templates with real IP forwarding and scan detection Extends the tarpit protection and real IP handling to all backend templates, ensuring consistent behavior across different backend configurations. Changes to all backend templates: - Pass real client IP via X-CLIENT-IP and X-Real-IP headers - Use var(txn.real_ip) which contains the actual client IP (from proxy headers or direct) - Add scan attempt detection (400/401/403/404 errors) - Track suspicious paths (admin panels, config files, etc.) - Increment error counters for tarpit decisions Updated templates: - hap_backend.tpl: Main backend template - hap_backend_http_check.tpl: Backend with HTTP health checks - hap_backend_basic.tpl: Minimal backend configuration Benefits: - Backend applications receive the real client IP, not proxy IPs - All backend types now contribute to scan detection - Consistent security across different backend configurations - Works seamlessly with Cloudflare and other CDNs 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-08-24 06:59:26 -07:00			`option forwardfor`
			`# Pass the real client IP to backend (from proxy headers or direct connection)`
			`http-request add-header X-CLIENT-IP %[var(txn.real_ip)]`
			`http-request set-header X-Real-IP %[var(txn.real_ip)]`

Make scan detection more targeted to avoid false positives Major changes to prevent legitimate users from being blocked: 1. Increased thresholds significantly: - Initial trigger: 10 → 25 errors - Medium level: 20 → 40 errors - High level: 35 → 60 errors - Critical level: 50 → 100 errors 2. Only count actual scan attempts as errors: - Script files: .php, .asp, .jsp, .cgi, .pl, .py, .rb, .sh - Admin paths: /wp-admin, /phpmyadmin, /adminer - Config files: .env, .git, .htaccess, .ini, .yml - Backup files: .backup, .bak, .sql, .dump - Known vulnerable paths: /cgi-bin, /fckeditor 3. Explicitly exclude legitimate assets from counting: - Images: .jpg, .png, .gif, .svg, .webp - Fonts: .woff, .woff2, .ttf, .eot, .otf - Static: .css, .js, .map, .pdf - Common paths: /static/, /assets/, /fonts/, /images/ 4. Still count all 401/403 errors (auth failures are suspicious) This prevents missing fonts, images, CSS files from triggering blocks while still catching actual vulnerability scanners. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-08-25 12:39:15 -07:00			`# Define error status codes`
Update all backend templates with real IP forwarding and scan detection Extends the tarpit protection and real IP handling to all backend templates, ensuring consistent behavior across different backend configurations. Changes to all backend templates: - Pass real client IP via X-CLIENT-IP and X-Real-IP headers - Use var(txn.real_ip) which contains the actual client IP (from proxy headers or direct) - Add scan attempt detection (400/401/403/404 errors) - Track suspicious paths (admin panels, config files, etc.) - Increment error counters for tarpit decisions Updated templates: - hap_backend.tpl: Main backend template - hap_backend_http_check.tpl: Backend with HTTP health checks - hap_backend_basic.tpl: Minimal backend configuration Benefits: - Backend applications receive the real client IP, not proxy IPs - All backend types now contribute to scan detection - Consistent security across different backend configurations - Works seamlessly with Cloudflare and other CDNs 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-08-24 06:59:26 -07:00			`acl is_404_error status 404`
			`acl is_403_error status 403`
			`acl is_401_error status 401`
			`acl is_400_error status 400`

Make scan detection more targeted to avoid false positives Major changes to prevent legitimate users from being blocked: 1. Increased thresholds significantly: - Initial trigger: 10 → 25 errors - Medium level: 20 → 40 errors - High level: 35 → 60 errors - Critical level: 50 → 100 errors 2. Only count actual scan attempts as errors: - Script files: .php, .asp, .jsp, .cgi, .pl, .py, .rb, .sh - Admin paths: /wp-admin, /phpmyadmin, /adminer - Config files: .env, .git, .htaccess, .ini, .yml - Backup files: .backup, .bak, .sql, .dump - Known vulnerable paths: /cgi-bin, /fckeditor 3. Explicitly exclude legitimate assets from counting: - Images: .jpg, .png, .gif, .svg, .webp - Fonts: .woff, .woff2, .ttf, .eot, .otf - Static: .css, .js, .map, .pdf - Common paths: /static/, /assets/, /fonts/, /images/ 4. Still count all 401/403 errors (auth failures are suspicious) This prevents missing fonts, images, CSS files from triggering blocks while still catching actual vulnerability scanners. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-08-25 12:39:15 -07:00			`# Define suspicious scan patterns - only these count as scan attempts`
			`acl scan_scripts path_reg -i \.(php\|asp\|aspx\|jsp\|cgi\|pl\|py\|rb\|sh\|bash)$`
			`acl scan_admin path_reg -i /(wp-admin\|wp-login\|phpmyadmin\|adminer\|manager\|admin-console)`
			`acl scan_configs path_reg -i \.(env\|git\|svn\|htaccess\|htpasswd\|ini\|conf\|config\|yml\|yaml\|toml)`
			`acl scan_backups path_reg -i \.(backup\|bak\|old\|orig\|save\|swp\|sql\|db\|dump\|tar\|zip\|rar\|7z)`
			`acl scan_vulns path_reg -i /(cgi-bin\|fckeditor\|tiny_mce\|ckfinder\|userfiles\|filemanager)`

			`# Define legitimate static assets that should NOT count`
			`acl legitimate_assets path_reg -i \.(css\|js\|jpg\|jpeg\|png\|gif\|svg\|ico\|woff\|woff2\|ttf\|eot\|otf\|map\|webp\|mp4\|webm\|pdf)$`
			`acl legitimate_paths path_beg /static/ /assets/ /media/ /images/ /fonts/ /css/ /js/`

Update all backend templates with real IP forwarding and scan detection Extends the tarpit protection and real IP handling to all backend templates, ensuring consistent behavior across different backend configurations. Changes to all backend templates: - Pass real client IP via X-CLIENT-IP and X-Real-IP headers - Use var(txn.real_ip) which contains the actual client IP (from proxy headers or direct) - Add scan attempt detection (400/401/403/404 errors) - Track suspicious paths (admin panels, config files, etc.) - Increment error counters for tarpit decisions Updated templates: - hap_backend.tpl: Main backend template - hap_backend_http_check.tpl: Backend with HTTP health checks - hap_backend_basic.tpl: Minimal backend configuration Benefits: - Backend applications receive the real client IP, not proxy IPs - All backend types now contribute to scan detection - Consistent security across different backend configurations - Works seamlessly with Cloudflare and other CDNs 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-08-24 06:59:26 -07:00			`# Track scan attempts in the frontend stick table`
Fix HAProxy ACL syntax errors in backend templates - Remove invalid ACL combination syntax (can't use 'or' to combine ACLs) - Use multiple http-response lines instead (each line is OR'd together) - Each line checks specific scan pattern with 404 AND not legitimate assets - Simplify logic to be HAProxy 3.0 compatible This fixes the config parsing errors while maintaining the same detection logic - only counting suspicious script/config 404s, not missing assets. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-08-25 12:45:13 -07:00			`# Only count suspicious 404s and auth failures`
			`http-response sc-inc-gpc0(0) if scan_scripts is_404_error !legitimate_assets !legitimate_paths`
			`http-response sc-inc-gpc0(0) if scan_admin is_404_error !legitimate_assets !legitimate_paths`
			`http-response sc-inc-gpc0(0) if scan_configs is_404_error !legitimate_assets !legitimate_paths`
			`http-response sc-inc-gpc0(0) if scan_backups is_404_error !legitimate_assets !legitimate_paths`
			`http-response sc-inc-gpc0(0) if scan_vulns is_404_error !legitimate_assets !legitimate_paths`
			`http-response sc-inc-gpc0(0) if is_403_error !legitimate_assets !legitimate_paths`
			`http-response sc-inc-gpc0(0) if is_401_error`
Update all backend templates with real IP forwarding and scan detection Extends the tarpit protection and real IP handling to all backend templates, ensuring consistent behavior across different backend configurations. Changes to all backend templates: - Pass real client IP via X-CLIENT-IP and X-Real-IP headers - Use var(txn.real_ip) which contains the actual client IP (from proxy headers or direct) - Add scan attempt detection (400/401/403/404 errors) - Track suspicious paths (admin panels, config files, etc.) - Increment error counters for tarpit decisions Updated templates: - hap_backend.tpl: Main backend template - hap_backend_http_check.tpl: Backend with HTTP health checks - hap_backend_basic.tpl: Minimal backend configuration Benefits: - Backend applications receive the real client IP, not proxy IPs - All backend types now contribute to scan detection - Consistent security across different backend configurations - Works seamlessly with Cloudflare and other CDNs 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-08-24 06:59:26 -07:00
Fix server configuration templates - add proper newlines between server entries 2025-07-13 01:21:19 -07:00			`{% for server in servers %}`
			`server {{ server.server_name }} {{ server.server_address }}:{{ server.server_port }} {{ server.server_options }}`
			`{% endfor %}`
Adding template overrides 2025-02-21 08:01:16 -08:00