Simplify tarpit implementation for HAProxy 3.0 compatibility
All checks were successful
HAProxy Manager Build and Push / Build-and-Push (push) Successful in 52s
All checks were successful
HAProxy Manager Build and Push / Build-and-Push (push) Successful in 52s
- Remove unsupported set-timeout tarpit directives - Use fixed 30s global tarpit timeout (reduced from 60s) - Keep escalation tracking via gpc1 for monitoring repeat offenders - HAProxy 3.0 doesn't support variable tarpit timeouts per request The escalation level (gpc1) is still tracked and visible in monitoring but all tarpits use the same 30s delay. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
@@ -45,6 +45,6 @@ defaults
|
|||||||
timeout server 10m
|
timeout server 10m
|
||||||
timeout http-keep-alive 120s
|
timeout http-keep-alive 120s
|
||||||
timeout check 10s
|
timeout check 10s
|
||||||
timeout tarpit 60s # Maximum tarpit time for exploit scanners
|
timeout tarpit 30s # Tarpit delay for detected scanners (fixed in HAProxy 3.0)
|
||||||
maxconn 3000
|
maxconn 3000
|
||||||
|
|
||||||
@@ -58,34 +58,12 @@ frontend web
|
|||||||
# Only block after significant error accumulation
|
# Only block after significant error accumulation
|
||||||
http-request deny deny_status 429 if scanner_critical
|
http-request deny deny_status 429 if scanner_critical
|
||||||
|
|
||||||
# ESCALATING TARPIT RULES - Progressive delays based on offense level
|
# TARPIT RULES - Apply tarpit to detected scanners
|
||||||
# HAProxy 3.0 requires setting timeout before tarpit action
|
# HAProxy 3.0 uses global 'timeout tarpit' (60s) for all tarpit actions
|
||||||
|
# We track escalation level but all tarpits use same timeout
|
||||||
|
# The escalation level helps identify repeat offenders
|
||||||
|
|
||||||
# Level 0 (first offense): Short delays (2-5 seconds)
|
# Apply tarpit to any detected scanner
|
||||||
http-request set-timeout tarpit 2s if scanner_low escalation_level_0
|
|
||||||
http-request set-timeout tarpit 3s if scanner_medium escalation_level_0
|
|
||||||
http-request set-timeout tarpit 5s if scanner_high escalation_level_0
|
|
||||||
http-request set-timeout tarpit 5s if burst_scanner escalation_level_0
|
|
||||||
|
|
||||||
# Level 1 (second offense): Medium delays (8-15 seconds)
|
|
||||||
http-request set-timeout tarpit 8s if scanner_low escalation_level_1
|
|
||||||
http-request set-timeout tarpit 12s if scanner_medium escalation_level_1
|
|
||||||
http-request set-timeout tarpit 15s if scanner_high escalation_level_1
|
|
||||||
http-request set-timeout tarpit 10s if burst_scanner escalation_level_1
|
|
||||||
|
|
||||||
# Level 2 (third offense): Long delays (20-45 seconds)
|
|
||||||
http-request set-timeout tarpit 20s if scanner_low escalation_level_2
|
|
||||||
http-request set-timeout tarpit 30s if scanner_medium escalation_level_2
|
|
||||||
http-request set-timeout tarpit 45s if scanner_high escalation_level_2
|
|
||||||
http-request set-timeout tarpit 25s if burst_scanner escalation_level_2
|
|
||||||
|
|
||||||
# Level 3+ (repeat offender): Maximum delays (60 seconds)
|
|
||||||
http-request set-timeout tarpit 60s if scanner_low escalation_level_3
|
|
||||||
http-request set-timeout tarpit 60s if scanner_medium escalation_level_3
|
|
||||||
http-request set-timeout tarpit 60s if scanner_high escalation_level_3
|
|
||||||
http-request set-timeout tarpit 60s if burst_scanner escalation_level_3
|
|
||||||
|
|
||||||
# Apply the tarpit action after setting the appropriate timeout
|
|
||||||
http-request tarpit deny_status 429 if scanner_low or scanner_medium or scanner_high or burst_scanner
|
http-request tarpit deny_status 429 if scanner_low or scanner_medium or scanner_high or burst_scanner
|
||||||
|
|
||||||
# Increment escalation level when we apply tarpit
|
# Increment escalation level when we apply tarpit
|
||||||
|
|||||||
Reference in New Issue
Block a user