Simplify tarpit implementation for HAProxy 3.0 compatibility

- Remove unsupported set-timeout tarpit directives - Use fixed 30s global tarpit timeout (reduced from 60s) - Keep escalation tracking via gpc1 for monitoring repeat offenders - HAProxy 3.0 doesn't support variable tarpit timeouts per request The escalation level (gpc1) is still tracked and visible in monitoring but all tarpits use the same 30s delay. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-08-25 06:33:21 -07:00
parent 2cd1db7461
commit 0a4995266c
2 changed files with 6 additions and 28 deletions
--- a/templates/hap_header.tpl
+++ b/templates/hap_header.tpl
@@ -45,6 +45,6 @@ defaults
    timeout server          10m
    timeout http-keep-alive 120s
    timeout check           10s
-    timeout tarpit          60s  # Maximum tarpit time for exploit scanners
+    timeout tarpit          30s  # Tarpit delay for detected scanners (fixed in HAProxy 3.0)
    maxconn                 3000
    
--- a/templates/hap_listener.tpl
+++ b/templates/hap_listener.tpl
@@ -58,34 +58,12 @@ frontend web
    # Only block after significant error accumulation
    http-request deny deny_status 429 if scanner_critical
    
-    # ESCALATING TARPIT RULES - Progressive delays based on offense level
-    # HAProxy 3.0 requires setting timeout before tarpit action
+    # TARPIT RULES - Apply tarpit to detected scanners
+    # HAProxy 3.0 uses global 'timeout tarpit' (60s) for all tarpit actions
+    # We track escalation level but all tarpits use same timeout
+    # The escalation level helps identify repeat offenders
    
-    # Level 0 (first offense): Short delays (2-5 seconds)
-    http-request set-timeout tarpit 2s if scanner_low escalation_level_0
-    http-request set-timeout tarpit 3s if scanner_medium escalation_level_0
-    http-request set-timeout tarpit 5s if scanner_high escalation_level_0
-    http-request set-timeout tarpit 5s if burst_scanner escalation_level_0
-    
-    # Level 1 (second offense): Medium delays (8-15 seconds)
-    http-request set-timeout tarpit 8s if scanner_low escalation_level_1
-    http-request set-timeout tarpit 12s if scanner_medium escalation_level_1
-    http-request set-timeout tarpit 15s if scanner_high escalation_level_1
-    http-request set-timeout tarpit 10s if burst_scanner escalation_level_1
-    
-    # Level 2 (third offense): Long delays (20-45 seconds)
-    http-request set-timeout tarpit 20s if scanner_low escalation_level_2
-    http-request set-timeout tarpit 30s if scanner_medium escalation_level_2
-    http-request set-timeout tarpit 45s if scanner_high escalation_level_2
-    http-request set-timeout tarpit 25s if burst_scanner escalation_level_2
-    
-    # Level 3+ (repeat offender): Maximum delays (60 seconds)
-    http-request set-timeout tarpit 60s if scanner_low escalation_level_3
-    http-request set-timeout tarpit 60s if scanner_medium escalation_level_3
-    http-request set-timeout tarpit 60s if scanner_high escalation_level_3
-    http-request set-timeout tarpit 60s if burst_scanner escalation_level_3
-    
-    # Apply the tarpit action after setting the appropriate timeout
+    # Apply tarpit to any detected scanner
    http-request tarpit deny_status 429 if scanner_low or scanner_medium or scanner_high or burst_scanner
    
    # Increment escalation level when we apply tarpit