153 lines
6.5 KiB
Plaintext
153 lines
6.5 KiB
Plaintext
|
global
|
||
|
daemon
|
||
|
log stdout local0 info
|
||
|
chroot /var/lib/haproxy
|
||
|
stats socket /var/run/haproxy.sock mode 600 level admin
|
||
|
stats timeout 30s
|
||
|
user haproxy
|
||
|
group haproxy
|
||
|
|
||
|
# SSL/TLS settings if using HTTPS
|
||
|
ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+CHACHA20:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
|
||
|
ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
|
||
|
|
||
|
defaults
|
||
|
mode http
|
||
|
timeout connect 5000ms
|
||
|
timeout client 50000ms
|
||
|
timeout server 50000ms
|
||
|
timeout tarpit 60s # Maximum tarpit time
|
||
|
option httplog
|
||
|
option dontlognull
|
||
|
option log-health-checks
|
||
|
retries 3
|
||
|
|
||
|
# Error files (optional - customize as needed)
|
||
|
errorfile 400 /usr/local/etc/haproxy/errors/400.http
|
||
|
errorfile 403 /usr/local/etc/haproxy/errors/403.http
|
||
|
errorfile 408 /usr/local/etc/haproxy/errors/408.http
|
||
|
errorfile 500 /usr/local/etc/haproxy/errors/500.http
|
||
|
errorfile 502 /usr/local/etc/haproxy/errors/502.http
|
||
|
errorfile 503 /usr/local/etc/haproxy/errors/503.http
|
||
|
errorfile 504 /usr/local/etc/haproxy/errors/504.http
|
||
|
|
||
|
frontend web_frontend
|
||
|
bind *:80
|
||
|
bind *:443 ssl crt /etc/ssl/certs/haproxy.pem
|
||
|
|
||
|
# Stick table for tracking attacks with escalating timeouts
|
||
|
# gpc0 = total scan attempts
|
||
|
# gpc1 = escalation level (0=none, 1=level1, 2=level2, 3=level3)
|
||
|
# gpc2 = total tarpit/block actions taken
|
||
|
stick-table type ip size 200k expire 2h store gpc0,gpc1,gpc2,http_err_rate(30s),http_err_rate(300s),http_err_rate(3600s)
|
||
|
|
||
|
# Whitelist trusted networks and monitoring systems
|
||
|
acl trusted_networks src 127.0.0.1 192.168.0.0/16 10.0.0.0/8 172.16.0.0/12
|
||
|
acl monitoring_systems src -f /etc/haproxy/monitoring_ips.txt
|
||
|
acl health_check path_beg /health /ping /status /.well-known/
|
||
|
|
||
|
# Allow trusted traffic to bypass all protection
|
||
|
http-request allow if trusted_networks or monitoring_systems or health_check
|
||
|
|
||
|
# Define threat levels based on scan attempts and rates
|
||
|
acl low_threat sc_get_gpc0(0) ge 3 sc_get_gpc0(0) lt 10
|
||
|
acl medium_threat sc_get_gpc0(0) ge 10 sc_get_gpc0(0) lt 25
|
||
|
acl high_threat sc_get_gpc0(0) ge 25 sc_get_gpc0(0) lt 50
|
||
|
acl critical_threat sc_get_gpc0(0) ge 50
|
||
|
|
||
|
# Rate-based detection (burst attacks)
|
||
|
acl burst_attack sc_http_err_rate(0,30s) gt 8 # >8 errors in 30 seconds
|
||
|
acl sustained_attack sc_http_err_rate(0,300s) gt 3 # >3 errors/min for 5 minutes
|
||
|
acl persistent_attack sc_http_err_rate(0,3600s) gt 1 # >1 error/min for 1 hour
|
||
|
|
||
|
# Escalation levels (tracks how many times we've escalated this IP)
|
||
|
acl escalation_level_0 sc_get_gpc1(0) eq 0
|
||
|
acl escalation_level_1 sc_get_gpc1(0) eq 1
|
||
|
acl escalation_level_2 sc_get_gpc1(0) eq 2
|
||
|
acl escalation_level_3 sc_get_gpc1(0) ge 3
|
||
|
|
||
|
# ESCALATING TARPIT RULES
|
||
|
# Level 1: Short tarpit (2-5 seconds) for first offense
|
||
|
http-request tarpit timeout 2s if low_threat escalation_level_0
|
||
|
http-request tarpit timeout 3s if medium_threat escalation_level_0
|
||
|
http-request tarpit timeout 5s if burst_attack escalation_level_0
|
||
|
|
||
|
# Level 2: Medium tarpit (8-15 seconds) for second offense
|
||
|
http-request tarpit timeout 8s if low_threat escalation_level_1
|
||
|
http-request tarpit timeout 12s if medium_threat escalation_level_1
|
||
|
http-request tarpit timeout 15s if high_threat escalation_level_1
|
||
|
http-request tarpit timeout 10s if sustained_attack escalation_level_1
|
||
|
|
||
|
# Level 3: Long tarpit (20-45 seconds) for repeat offenders
|
||
|
http-request tarpit timeout 20s if low_threat escalation_level_2
|
||
|
http-request tarpit timeout 30s if medium_threat escalation_level_2
|
||
|
http-request tarpit timeout 45s if high_threat escalation_level_2
|
||
|
http-request tarpit timeout 25s if persistent_attack escalation_level_2
|
||
|
|
||
|
# Level 4: Maximum tarpit (60 seconds) for persistent attackers
|
||
|
http-request tarpit timeout 60s if escalation_level_3
|
||
|
|
||
|
# Complete block for critical threats regardless of escalation level
|
||
|
http-request deny deny_status 429 if critical_threat
|
||
|
|
||
|
# Increment escalation level when we apply tarpit/block
|
||
|
http-request sc-inc-gpc1(0) if low_threat or medium_threat or high_threat or burst_attack or sustained_attack or persistent_attack
|
||
|
http-request sc-inc-gpc2(0) if low_threat or medium_threat or high_threat or critical_threat or burst_attack or sustained_attack or persistent_attack
|
||
|
|
||
|
# Capture useful headers for logging
|
||
|
capture request header User-Agent len 150
|
||
|
capture request header X-Forwarded-For len 30
|
||
|
capture request header Referer len 100
|
||
|
|
||
|
# Enhanced logging format with protection metrics
|
||
|
log-format "%ci:%cp [%t] %ft %b/%s %Tq/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS \"%r\" \"%[capture.req.hdr(0)]\" gpc0:%[sc_get_gpc0(0)] gpc1:%[sc_get_gpc1(0)] gpc2:%[sc_get_gpc2(0)] err_rate_30s:%[sc_http_err_rate(0,30s)]"
|
||
|
|
||
|
# Redirect HTTP to HTTPS (optional)
|
||
|
redirect scheme https if !{ ssl_fc }
|
||
|
|
||
|
default_backend web_servers
|
||
|
|
||
|
backend web_servers
|
||
|
balance roundrobin
|
||
|
option httpchk GET /health HTTP/1.1\r\nHost:\ localhost
|
||
|
|
||
|
# Define scanning attempt patterns
|
||
|
acl is_404_error status 404
|
||
|
acl is_403_error status 403
|
||
|
acl is_401_error status 401
|
||
|
acl is_400_error status 400
|
||
|
acl is_scan_attempt status 400 401 403 404
|
||
|
|
||
|
# Additional suspicious patterns (optional)
|
||
|
acl suspicious_path path_reg -i \.(php|asp|aspx|jsp|cgi)$
|
||
|
acl suspicious_path path_reg -i /(wp-admin|phpmyadmin|admin|login|xmlrpc)
|
||
|
acl suspicious_path path_reg -i \.(env|git|svn|backup|bak|old)
|
||
|
|
||
|
# Track scan attempts in the frontend stick table
|
||
|
http-response sc-inc-gpc0(0) if is_scan_attempt
|
||
|
|
||
|
# Optional: Track suspicious paths even if they return 200
|
||
|
# http-response sc-inc-gpc0(0) if suspicious_path
|
||
|
|
||
|
# Optional: Different weights for different error types
|
||
|
# http-response sc-add-gpc0(0) 2 if is_403_error # 403s count as 2 points
|
||
|
# http-response sc-add-gpc0(0) 3 if is_401_error # 401s count as 3 points
|
||
|
|
||
|
# Server definitions - adjust as needed
|
||
|
server web1 backend-server-1:80 check maxconn 200 weight 100
|
||
|
server web2 backend-server-2:80 check maxconn 200 weight 100
|
||
|
# server web3 backend-server-3:80 check maxconn 200 weight 100
|
||
|
|
||
|
# Optional: Stats page for monitoring
|
||
|
frontend stats
|
||
|
bind *:8404
|
||
|
# Restrict access to stats page
|
||
|
acl allowed_ips src 127.0.0.1 192.168.0.0/16 10.0.0.0/8
|
||
|
http-request allow if allowed_ips
|
||
|
http-request deny
|
||
|
|
||
|
stats enable
|
||
|
stats uri /stats
|
||
|
stats refresh 30s
|
||
|
stats show-legends
|
||
|
stats show-node
|