haproxy-manager-base/templates/hap_backend_basic.tpl


backend {{ name }}-backend
    option forwardfor
    # Pass the real client IP to backend (from proxy headers or direct connection)
    http-request add-header X-CLIENT-IP %[var(txn.real_ip)]
    http-request set-header X-Real-IP %[var(txn.real_ip)]
    
    # Define scanning attempt patterns
    acl is_404_error status 404
    acl is_403_error status 403  
    acl is_401_error status 401
    acl is_400_error status 400
    acl is_scan_attempt status 400 401 403 404
    
    # Additional suspicious patterns
    acl suspicious_path path_reg -i \.(php|asp|aspx|jsp|cgi)$
    acl suspicious_path path_reg -i /(wp-admin|phpmyadmin|admin|login|xmlrpc)
    acl suspicious_path path_reg -i \.(env|git|svn|backup|bak|old)
    
    # Track scan attempts in the frontend stick table
    # This increments the counter AFTER the backend responds with an error
    # The frontend will check this counter on SUBSEQUENT requests
    http-response sc-inc-gpc0(0) if is_scan_attempt
    
    {% for server in servers %}
    server {{ server.server_name }} {{ server.server_address }}:{{ server.server_port }} {{ server.server_options }}
    {% endfor %}
Adding template overrides 2025-02-21 08:01:16 -08:00
			`backend {{ name }}-backend`
Update all backend templates with real IP forwarding and scan detection Extends the tarpit protection and real IP handling to all backend templates, ensuring consistent behavior across different backend configurations. Changes to all backend templates: - Pass real client IP via X-CLIENT-IP and X-Real-IP headers - Use var(txn.real_ip) which contains the actual client IP (from proxy headers or direct) - Add scan attempt detection (400/401/403/404 errors) - Track suspicious paths (admin panels, config files, etc.) - Increment error counters for tarpit decisions Updated templates: - hap_backend.tpl: Main backend template - hap_backend_http_check.tpl: Backend with HTTP health checks - hap_backend_basic.tpl: Minimal backend configuration Benefits: - Backend applications receive the real client IP, not proxy IPs - All backend types now contribute to scan detection - Consistent security across different backend configurations - Works seamlessly with Cloudflare and other CDNs 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-08-24 06:59:26 -07:00			`option forwardfor`
			`# Pass the real client IP to backend (from proxy headers or direct connection)`
			`http-request add-header X-CLIENT-IP %[var(txn.real_ip)]`
			`http-request set-header X-Real-IP %[var(txn.real_ip)]`

			`# Define scanning attempt patterns`
			`acl is_404_error status 404`
			`acl is_403_error status 403`
			`acl is_401_error status 401`
			`acl is_400_error status 400`
			`acl is_scan_attempt status 400 401 403 404`

			`# Additional suspicious patterns`
			`acl suspicious_path path_reg -i \.(php\|asp\|aspx\|jsp\|cgi)$`
			`acl suspicious_path path_reg -i /(wp-admin\|phpmyadmin\|admin\|login\|xmlrpc)`
			`acl suspicious_path path_reg -i \.(env\|git\|svn\|backup\|bak\|old)`

			`# Track scan attempts in the frontend stick table`
			`# This increments the counter AFTER the backend responds with an error`
			`# The frontend will check this counter on SUBSEQUENT requests`
			`http-response sc-inc-gpc0(0) if is_scan_attempt`

Fix server configuration templates - add proper newlines between server entries 2025-07-13 01:21:19 -07:00			`{% for server in servers %}`
			`server {{ server.server_name }} {{ server.server_address }}:{{ server.server_port }} {{ server.server_options }}`
			`{% endfor %}`
Adding template overrides 2025-02-21 08:01:16 -08:00