Remove all ACL-to-ACL references for HAProxy 3.0.11 compatibility

Final fix for HAProxy 3.0.11 syntax requirements:

ACL Reference Resolution:
- Removed all compound ACLs that referenced other ACLs
- Updated all http-request rules to use base ACLs directly
- HAProxy 3.0 does not allow ACL-to-ACL references

Direct Base ACL Usage:
- bot_scanner: Scanner user agent detection
- scan_admin: Admin path scanning
- scan_shells: Shell/exploit attempts
- sql_injection: SQL injection patterns
- directory_traversal: Path traversal attempts
- wp_403_abuse: WordPress 403 failures
- rate_abuse: Rate limit violations
- suspicious_method: Dangerous HTTP methods
- missing_accept_header: Missing browser headers
- blacklisted: Blacklisted IPs
- auto_blacklist_candidate: Auto-ban candidates

Graduated Response System (Direct ACL Based):
- Low threat (info): rate_abuse, suspicious_method, missing headers
- Medium threat (warning + tarpit): sql_injection, directory_traversal, wp_403_abuse
- High threat (alert + deny): bot_scanner, scan_admin, scan_shells
- Critical threat (alert + deny): blacklisted, auto_blacklist_candidate

Monitoring Updates:
- Updated log parsing for base ACL names
- Enhanced threat classification in monitoring scripts

All syntax is now pure HAProxy 3.0.11 compatible while maintaining
comprehensive security protection with graduated responses.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

templates/hap_listener.tpl

@@ -84,59 +84,42 @@ frontend web
     # We focus on clear scanner indicators rather than all errors for WordPress paths
     # since 404s on wp-admin are normal (CSS, JS files, etc.)
 
-    # Combine conditions to identify actual attacks vs legitimate use
-    # WordPress-specific attack detection (combining path + threat indicators)
-    acl wp_scanner_detected is_wordpress_path bot_scanner
-    acl wp_brute_force_detected wp_403_abuse
-    acl wp_suspicious_detected is_wordpress_path bot_empty
-
     # WordPress brute force detection now based on actual 403 failures (5+ in 10s)
     # This catches real authentication failures, not just POST requests
 
-    # Simplified threat detection for HAProxy 3.0 compatibility
-    # Direct threat level classification based on individual indicators
-    acl high_threat_detected bot_scanner
-    acl high_threat_scan scan_admin
-    acl high_threat_shells scan_shells
-    acl medium_threat_injection sql_injection
-    acl medium_threat_traversal directory_traversal
-    acl medium_threat_wp_attack wp_brute_force_detected
-    acl low_threat_rate rate_abuse
-    acl low_threat_method suspicious_method
-    acl low_threat_headers missing_accept_header
-    acl critical_threat_blacklist blacklisted
-    acl critical_threat_autoban auto_blacklist_candidate
+    # All threat detection will be done directly in http-request rules
+    # using the base ACLs defined above to avoid ACL-reference issues
 
-    # 5. Dynamic blacklisting based on threat level
+    # 5. Dynamic blacklisting based on threat level (using base ACLs directly)
     http-request sc-inc-gpc0(1) if auto_blacklist_candidate
-    http-request sc-inc-gpc1(1) if high_threat_detected or high_threat_scan or high_threat_shells
-    http-request sc-inc-gpc1(1) if critical_threat_blacklist or critical_threat_autoban
+    http-request sc-inc-gpc1(1) if bot_scanner or scan_admin or scan_shells
+    http-request sc-inc-gpc1(1) if blacklisted
 
     # Mark current session as bad based on threat level
-    http-request sc-set-gpc0(0) 1 if medium_threat_injection or medium_threat_traversal or medium_threat_wp_attack
-    http-request sc-set-gpc0(0) 1 if high_threat_detected or high_threat_scan or high_threat_shells
-    http-request sc-set-gpc0(0) 1 if critical_threat_blacklist or critical_threat_autoban
+    http-request sc-set-gpc0(0) 1 if sql_injection or directory_traversal or wp_403_abuse
+    http-request sc-set-gpc0(0) 1 if bot_scanner or scan_admin or scan_shells
+    http-request sc-set-gpc0(0) 1 if blacklisted or auto_blacklist_candidate
 
     # 6. Graduated response system based on threat level
     # Low threat: Warning header only
-    http-request set-header X-Security-Warning "rate-limit-approaching" if low_threat_rate !legitimate_bot !wordpress_app !browser_ua
-    http-request set-header X-Security-Warning "suspicious-method" if low_threat_method !legitimate_bot !wordpress_app !browser_ua
-    http-request set-header X-Security-Warning "missing-headers" if low_threat_headers !legitimate_bot !wordpress_app !browser_ua
+    http-request set-header X-Security-Warning "rate-limit-approaching" if rate_abuse !legitimate_bot !wordpress_app !browser_ua
+    http-request set-header X-Security-Warning "suspicious-method" if suspicious_method !legitimate_bot !wordpress_app !browser_ua
+    http-request set-header X-Security-Warning "missing-headers" if missing_accept_header !legitimate_bot !wordpress_app !browser_ua
 
     # Medium threat: Tarpit delay
-    http-request tarpit if medium_threat_injection !legitimate_bot !wordpress_app !browser_ua
-    http-request tarpit if medium_threat_traversal !legitimate_bot !wordpress_app !browser_ua
-    http-request tarpit if medium_threat_wp_attack !legitimate_bot !wordpress_app !browser_ua
+    http-request tarpit if sql_injection !legitimate_bot !wordpress_app !browser_ua
+    http-request tarpit if directory_traversal !legitimate_bot !wordpress_app !browser_ua
+    http-request tarpit if wp_403_abuse !legitimate_bot !wordpress_app !browser_ua
 
     # High threat: Immediate deny
-    http-request deny deny_status 403 if high_threat_detected !legitimate_bot !wordpress_app !browser_ua
-    http-request deny deny_status 403 if high_threat_scan !legitimate_bot !wordpress_app !browser_ua
-    http-request deny deny_status 403 if high_threat_shells !legitimate_bot !wordpress_app !browser_ua
-    http-request deny deny_status 403 if wp_scanner_detected !legitimate_bot !wordpress_app !browser_ua
+    http-request deny deny_status 403 if bot_scanner !legitimate_bot !wordpress_app !browser_ua
+    http-request deny deny_status 403 if scan_admin !legitimate_bot !wordpress_app !browser_ua
+    http-request deny deny_status 403 if scan_shells !legitimate_bot !wordpress_app !browser_ua
+    http-request deny deny_status 403 if is_wordpress_path bot_scanner !legitimate_bot !wordpress_app !browser_ua
 
     # Critical threat: Blacklist and deny
-    http-request deny deny_status 403 if critical_threat_blacklist
-    http-request deny deny_status 403 if critical_threat_autoban
+    http-request deny deny_status 403 if blacklisted
+    http-request deny deny_status 403 if auto_blacklist_candidate
 
     # Additional immediate threat rules
     http-request deny if repeat_offender
@@ -164,11 +147,11 @@ frontend web
     http-request capture var(txn.real_ip) len 40
     http-request capture req.hdr(user-agent) len 150
 
-    # Set log level based on threat level
-    http-request set-log-level info if low_threat_rate or low_threat_method or low_threat_headers
-    http-request set-log-level warning if medium_threat_injection or medium_threat_traversal or medium_threat_wp_attack
-    http-request set-log-level alert if high_threat_detected or high_threat_scan or high_threat_shells
-    http-request set-log-level alert if critical_threat_blacklist or critical_threat_autoban
+    # Set log level based on threat level (using base ACLs directly)
+    http-request set-log-level info if rate_abuse or suspicious_method or missing_accept_header
+    http-request set-log-level warning if sql_injection or directory_traversal or wp_403_abuse
+    http-request set-log-level alert if bot_scanner or scan_admin or scan_shells
+    http-request set-log-level alert if blacklisted or auto_blacklist_candidate
 
     # Track WordPress paths for 403 response monitoring
     http-request set-var(txn.is_wp_path) int(1) if is_wordpress_path