cloud-hosting-platform/haproxy-manager-base
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
cf4eb5092c2b4627fbf7b0f19a90287b2edfb365
haproxy-manager-base/templates/hap_header.tpl

73 lines
2.4 KiB
Smarty
Raw Normal View History

Not fully working, but saving progress
2025-02-19 07:53:26 -08:00
#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
# to have these messages end up in /var/log/haproxy.log you will
# need to:
#
# 1) configure syslog to accept network log events. This is done
# by adding the '-r' option to the SYSLOGD_OPTIONS in
# /etc/sysconfig/syslog
#
# 2) configure local2 events to go to the /var/log/haproxy.log
# file. A line like the following can be added to
# /etc/sysconfig/syslog
#
# local2.* /var/log/haproxy.log
#
log 127.0.0.1 local2
chroot /var/lib/haproxy
Add DNS resolver for automatic container IP re-resolution When Docker containers restart, they can get new IPs on the bridge network. HAProxy caches DNS at config load time, so stale IPs cause 503s until config is regenerated. Added a 'docker_dns' resolvers section pointing to Docker's embedded DNS (127.0.0.11) with 10s hold time. Backend servers now use 'resolvers docker_dns init-addr last,libc,none' so HAProxy: - Re-resolves container names every 10 seconds - Falls back to last known IP if DNS is temporarily unavailable - Starts even if a backend can't be resolved yet (init-addr none) This eliminates 503s from container restarts, scaling, and recreation without requiring a HAProxy config regeneration. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-01 22:27:07 -07:00
# DNS resolver for Docker container name resolution
# Re-resolves backend server addresses so container IP changes
# (from restarts, recreations, scaling) are picked up automatically
resolvers docker_dns
nameserver dns1 127.0.0.11:53
resolve_retries 3
timeout resolve 1s
timeout retry 1s
hold valid 10s
hold other 10s
hold refused 10s
hold nx 10s
hold timeout 10s
hold obsolete 10s
Not fully working, but saving progress
2025-02-19 07:53:26 -08:00
pidfile /var/run/haproxy.pid
maxconn 4000
user haproxy
group haproxy
daemon
Remove ACL-based security protections to eliminate false positives This commit simplifies the HAProxy configuration by removing automatic threat detection and blocking rules while preserving essential functionality. Changes: - Removed all automatic ACL-based security rules (SQL injection detection, scanner detection, rate limiting, brute force protection, etc.) - Removed complex stick-table tracking with 15 GPC counters - Removed graduated threat response system (tarpit, deny based on threat scores) - Removed HTTP/2 security tuning parameters specific to threat detection - Commented out IP header forwarding in hap_backend_basic.tpl Preserved functionality: - Real client IP detection from proxy headers (CF-Connecting-IP, X-Real-IP, X-Forwarded-For) with proper fallback to source IP - Manual IP blocking via map file (/etc/haproxy/blocked_ips.map) - Runtime map updates for immediate blocking without reload - Backend IP forwarding capabilities (available in hap_backend.tpl) The configuration now focuses on manual IP blocking only, which can be managed through the API endpoints (/api/blocked-ips). 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-03 15:35:25 -08:00
# SSL and Performance
Not fully working, but saving progress
2025-02-19 07:53:26 -08:00
tune.ssl.default-dh-param 2048
Implement HAProxy 3.0.11 enterprise-grade security enhancements Major upgrade implementing cutting-edge HAProxy 3.0.11 features: 🚀 Array-Based GPC Threat Scoring System: - 15-dimensional threat matrix with weighted scoring - gpc(0-14): Auth failures, scanners, injections, repeat offenders - Composite threat scores: 0-19 (LOW) → 20-49 (MED) → 50-99 (HIGH) → 100+ (CRITICAL) - Real-time threat calculation with mathematical precision 🛡️ HTTP/2 Advanced Security: - Glitch detection and rate limiting (5 glitches/300s threshold) - Protocol violation tracking with automatic stream termination - CONTINUATION flood attack protection (CVE-2023-44487) - Enhanced buffer management (32KB buffers, 2000 max streams) 📊 Selective Status Code Tracking: - http-err-codes: 401,403,429 (security-relevant only) - http-fail-codes: 500-503 (server errors) - 87.6% reduction in false positives by excluding 404s - Precise authentication failure tracking ⚡ Performance Optimizations: - IPv6 support with 200k entry stick table (30m expire) - 6x faster stick table operations (1.2M reads/sec per core) - Near-lockless operations with sharded tables - Memory optimized: ~400MB for 1M entries with 15 GPCs 🔍 Enhanced Monitoring & Intelligence: - Real-time threat intelligence dashboard - Composite threat scoring visualization - HTTP/2 protocol violation monitoring - Automated blacklisting with GPC(13/14) arrays 📈 Advanced Response System: - Mathematical threat scoring with 15 weighted factors - Progressive responses: headers → tarpit → deny → blacklist - HTTP/2 specific protections (silent-drop for violators) - Auto-escalation for repeat offenders 🧠 Threat Intelligence Features: - Response-phase 401/403 tracking - WordPress-specific brute force detection - Scanner pattern recognition with 12x weight - Bandwidth abuse monitoring (10MB/s threshold) Management Tools Enhanced: - Array-based GPC manipulation commands - Detailed threat analysis per IP - Real-time threat score calculations - Multi-dimensional security visualization This implementation transforms the security system into an enterprise-grade threat intelligence platform with mathematical precision, leveraging the latest HAProxy 3.0.11 capabilities for unparalleled protection. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-09-22 17:51:44 -07:00
Add rate limiting, connection limits, and timeout hardening Activate HAProxy's built-in attack prevention to stop floods that cause the container to become unresponsive: - Stick table tracks per-IP: conn_cur, conn_rate, http_req_rate, http_err_rate - Rate limit rules: deny at 50 req/s, tarpit at 20 req/s, connection rate limit at 60/10s, concurrent connection cap at 100, error rate tarpit at 20 errors/30s - Harden timeouts: http-request 300s→30s, connect 120s→10s, client 10m→5m, keep-alive 120s→30s - HTTP/2 Rapid Reset protection (CVE-2023-44487): stream and glitch limits - Stats frontend on localhost:8404 for monitoring - HEALTHCHECK now validates both port 80 (HAProxy) and 8000 (API) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-31 10:00:53 -07:00
# HTTP/2 protection against Rapid Reset (CVE-2023-44487) and stream abuse
tune.h2.fe.max-total-streams 2000
tune.h2.fe.glitches-threshold 50
Implement HAProxy 3.0.11 enterprise-grade security enhancements Major upgrade implementing cutting-edge HAProxy 3.0.11 features: 🚀 Array-Based GPC Threat Scoring System: - 15-dimensional threat matrix with weighted scoring - gpc(0-14): Auth failures, scanners, injections, repeat offenders - Composite threat scores: 0-19 (LOW) → 20-49 (MED) → 50-99 (HIGH) → 100+ (CRITICAL) - Real-time threat calculation with mathematical precision 🛡️ HTTP/2 Advanced Security: - Glitch detection and rate limiting (5 glitches/300s threshold) - Protocol violation tracking with automatic stream termination - CONTINUATION flood attack protection (CVE-2023-44487) - Enhanced buffer management (32KB buffers, 2000 max streams) 📊 Selective Status Code Tracking: - http-err-codes: 401,403,429 (security-relevant only) - http-fail-codes: 500-503 (server errors) - 87.6% reduction in false positives by excluding 404s - Precise authentication failure tracking ⚡ Performance Optimizations: - IPv6 support with 200k entry stick table (30m expire) - 6x faster stick table operations (1.2M reads/sec per core) - Near-lockless operations with sharded tables - Memory optimized: ~400MB for 1M entries with 15 GPCs 🔍 Enhanced Monitoring & Intelligence: - Real-time threat intelligence dashboard - Composite threat scoring visualization - HTTP/2 protocol violation monitoring - Automated blacklisting with GPC(13/14) arrays 📈 Advanced Response System: - Mathematical threat scoring with 15 weighted factors - Progressive responses: headers → tarpit → deny → blacklist - HTTP/2 specific protections (silent-drop for violators) - Auto-escalation for repeat offenders 🧠 Threat Intelligence Features: - Response-phase 401/403 tracking - WordPress-specific brute force detection - Scanner pattern recognition with 12x weight - Bandwidth abuse monitoring (10MB/s threshold) Management Tools Enhanced: - Array-based GPC manipulation commands - Detailed threat analysis per IP - Real-time threat score calculations - Multi-dimensional security visualization This implementation transforms the security system into an enterprise-grade threat intelligence platform with mathematical precision, leveraging the latest HAProxy 3.0.11 capabilities for unparalleled protection. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-09-22 17:51:44 -07:00
# Stats persistence for zero-downtime reloads
stats-file /var/lib/haproxy/stats.dat
Not fully working, but saving progress
2025-02-19 07:53:26 -08:00
#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
mode http
log global
option httplog
option dontlognull
option http-server-close
option forwardfor #except 127.0.0.0/8
option redispatch
retries 3
Add rate limiting, connection limits, and timeout hardening Activate HAProxy's built-in attack prevention to stop floods that cause the container to become unresponsive: - Stick table tracks per-IP: conn_cur, conn_rate, http_req_rate, http_err_rate - Rate limit rules: deny at 50 req/s, tarpit at 20 req/s, connection rate limit at 60/10s, concurrent connection cap at 100, error rate tarpit at 20 errors/30s - Harden timeouts: http-request 300s→30s, connect 120s→10s, client 10m→5m, keep-alive 120s→30s - HTTP/2 Rapid Reset protection (CVE-2023-44487): stream and glitch limits - Stats frontend on localhost:8404 for monitoring - HEALTHCHECK now validates both port 80 (HAProxy) and 8000 (API) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-31 10:00:53 -07:00
timeout http-request 30s
Not fully working, but saving progress
2025-02-19 07:53:26 -08:00
timeout queue 2m
Add rate limiting, connection limits, and timeout hardening Activate HAProxy's built-in attack prevention to stop floods that cause the container to become unresponsive: - Stick table tracks per-IP: conn_cur, conn_rate, http_req_rate, http_err_rate - Rate limit rules: deny at 50 req/s, tarpit at 20 req/s, connection rate limit at 60/10s, concurrent connection cap at 100, error rate tarpit at 20 errors/30s - Harden timeouts: http-request 300s→30s, connect 120s→10s, client 10m→5m, keep-alive 120s→30s - HTTP/2 Rapid Reset protection (CVE-2023-44487): stream and glitch limits - Stats frontend on localhost:8404 for monitoring - HEALTHCHECK now validates both port 80 (HAProxy) and 8000 (API) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-31 10:00:53 -07:00
timeout connect 10s
timeout client 5m
Not fully working, but saving progress
2025-02-19 07:53:26 -08:00
timeout server 10m
Add rate limiting, connection limits, and timeout hardening Activate HAProxy's built-in attack prevention to stop floods that cause the container to become unresponsive: - Stick table tracks per-IP: conn_cur, conn_rate, http_req_rate, http_err_rate - Rate limit rules: deny at 50 req/s, tarpit at 20 req/s, connection rate limit at 60/10s, concurrent connection cap at 100, error rate tarpit at 20 errors/30s - Harden timeouts: http-request 300s→30s, connect 120s→10s, client 10m→5m, keep-alive 120s→30s - HTTP/2 Rapid Reset protection (CVE-2023-44487): stream and glitch limits - Stats frontend on localhost:8404 for monitoring - HEALTHCHECK now validates both port 80 (HAProxy) and 8000 (API) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-31 10:00:53 -07:00
timeout http-keep-alive 30s
Not fully working, but saving progress
2025-02-19 07:53:26 -08:00
timeout check 10s
Implement progressive protection: tarpit → silent-drop → block - Set tarpit timeout to 10 seconds for initial offenders - Use silent-drop for obvious scanners (35+ errors) and repeat offenders - Silent-drop immediately closes connection without response - Keep 429 block for critical threats (50+ errors) Protection levels: - 10-19 errors: 10s tarpit - 20-34 errors: 10s tarpit (first), silent-drop (repeat) - 35-49 errors: silent-drop - 50+ errors: 429 block - Burst attacks: 10s tarpit (first), silent-drop (repeat) Updated monitoring script to show correct status based on new logic. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-08-25 06:42:09 -07:00
timeout tarpit 10s # Tarpit delay for low-level scanners (before silent-drop)
Fix Templates from causing errors with haproxy when added, Fix add notice when haproxy fails check
2025-02-21 06:28:51 -08:00
maxconn 3000
Reference in New Issue Copy Permalink