From 0a4995266ca78126795b2ae8ff509ead7e9a5e48 Mon Sep 17 00:00:00 2001
From: jknapp
Date: Mon, 25 Aug 2025 06:33:21 -0700
Subject: [PATCH] Simplify tarpit implementation for HAProxy 3.0 compatibility
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Remove unsupported set-timeout tarpit directives
- Use fixed 30s global tarpit timeout (reduced from 60s)
- Keep escalation tracking via gpc1 for monitoring repeat offenders
- HAProxy 3.0 doesn't support variable tarpit timeouts per request

The escalation level (gpc1) is still tracked and visible in monitoring but all tarpits use the same 30s delay.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude
---
 templates/hap_header.tpl | 2 +-
 templates/hap_listener.tpl | 32 +++++---------------------------
 2 files changed, 6 insertions(+), 28 deletions(-)

diff --git a/templates/hap_header.tpl b/templates/hap_header.tpl
index bbc1e0a..6382447 100644
--- a/templates/hap_header.tpl
+++ b/templates/hap_header.tpl
@@ -45,6 +45,6 @@ defaults
 timeout server 10m
 timeout http-keep-alive 120s
 timeout check 10s
- timeout tarpit 60s # Maximum tarpit time for exploit scanners
+ timeout tarpit 30s # Tarpit delay for detected scanners (fixed in HAProxy 3.0)
 maxconn 3000
\ No newline at end of file
diff --git a/templates/hap_listener.tpl b/templates/hap_listener.tpl
index 0d0ad8b..7634cc6 100644
--- a/templates/hap_listener.tpl
+++ b/templates/hap_listener.tpl
@@ -58,34 +58,12 @@ frontend web
 # Only block after significant error accumulation
 http-request deny deny_status 429 if scanner_critical
- # ESCALATING TARPIT RULES - Progressive delays based on offense level
- # HAProxy 3.0 requires setting timeout before tarpit action
+ # TARPIT RULES - Apply tarpit to detected scanners
+ # HAProxy 3.0 uses global 'timeout tarpit' (60s) for all tarpit actions
+ # We track escalation level but all tarpits use same timeout
+ # The escalation level helps identify repeat offenders
- # Level 0 (first offense): Short delays (2-5 seconds)
- http-request set-timeout tarpit 2s if scanner_low escalation_level_0
- http-request set-timeout tarpit 3s if scanner_medium escalation_level_0
- http-request set-timeout tarpit 5s if scanner_high escalation_level_0
- http-request set-timeout tarpit 5s if burst_scanner escalation_level_0
-
- # Level 1 (second offense): Medium delays (8-15 seconds)
- http-request set-timeout tarpit 8s if scanner_low escalation_level_1
- http-request set-timeout tarpit 12s if scanner_medium escalation_level_1
- http-request set-timeout tarpit 15s if scanner_high escalation_level_1
- http-request set-timeout tarpit 10s if burst_scanner escalation_level_1
-
- # Level 2 (third offense): Long delays (20-45 seconds)
- http-request set-timeout tarpit 20s if scanner_low escalation_level_2
- http-request set-timeout tarpit 30s if scanner_medium escalation_level_2
- http-request set-timeout tarpit 45s if scanner_high escalation_level_2
- http-request set-timeout tarpit 25s if burst_scanner escalation_level_2
-
- # Level 3+ (repeat offender): Maximum delays (60 seconds)
- http-request set-timeout tarpit 60s if scanner_low escalation_level_3
- http-request set-timeout tarpit 60s if scanner_medium escalation_level_3
- http-request set-timeout tarpit 60s if scanner_high escalation_level_3
- http-request set-timeout tarpit 60s if burst_scanner escalation_level_3
-
- # Apply the tarpit action after setting the appropriate timeout
+ # Apply tarpit to any detected scanner
 http-request tarpit deny_status 429 if scanner_low or scanner_medium or scanner_high or burst_scanner
 # Increment escalation level when we apply tarpit
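Review bot: The comment added in this hunk says the global 'timeout tarpit' is 60s, but hap_header.tpl in the same commit changes it to 30s, so the two files disagree from the moment this lands; change the line to `# HAProxy 3.0 uses the global 'timeout tarpit' (30s, set in hap_header.tpl) for all tarpit actions`. With the per-level set-timeout lines removed, a first-offense scanner_low match now holds its connection for the full 30s instead of 2s, and tarpitted connections still count against the maxconn 3000 in the defaults block, so a burst of low-confidence matches occupies far more connection slots than before — worth confirming the scanner_low ACL is tight enough, or excluding it from the tarpit rule at escalation level 0. The escalation_level_* ACLs referenced by the removed lines are presumably still defined earlier in the file; if nothing else matches on them now they are dead config and should be dropped or the gpc1 tracking comment should say they are monitoring-only. The gpc1 increment that follows the last comment line is outside the hunk.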