From 3da5df67d0224beee52aff9e8aa211c0c21b8716 Mon Sep 17 00:00:00 2001 From: Josh Knapp Date: Wed, 1 Apr 2026 08:16:44 -0700 Subject: [PATCH] Update CLAUDE.md with HAProxy hardening and AI log monitor docs Documents HAProxy health checks, watchdog, rate limiting, trusted IP whitelist, timeout hardening, HTTP/2 protection, and the AI-powered log monitor system with two-tier analysis, auto-remediation, and notification support. Co-Authored-By: Claude Opus 4.6 (1M context) --- CLAUDE.md | 46 ++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 44 insertions(+), 2 deletions(-) diff --git a/CLAUDE.md b/CLAUDE.md index 27a9bd5..1b6e61d 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -39,10 +39,11 @@ This file provides guidance to Claude Code (claude.ai/code) when working with co - `backend_servers` - Individual servers within backend groups 3. **Template System** - Jinja2 templates for HAProxy configuration generation: - - `hap_header.tpl` - Global HAProxy settings and defaults + - `hap_header.tpl` - Global HAProxy settings, defaults, and HTTP/2 tuning - `hap_backend.tpl` - Backend server definitions - - `hap_listener.tpl` - Frontend listener configurations + - `hap_listener.tpl` - Frontend listener configurations with rate limiting - `hap_letsencrypt.tpl` - SSL certificate configurations + - `hap_security_tables.tpl` - Stats frontend and security stick tables - Template override support for custom backend configurations 4. **Certificate Management** - Automated SSL certificate handling: @@ -73,10 +74,51 @@ This file provides guidance to Claude Code (claude.ai/code) when working with co - Certificate private keys combined with certificates in HAProxy-compatible format - Default backend page for unmatched domains instead of exposing HAProxy errors +### Rate Limiting & Connection Limits (hap_listener.tpl) + +- **Stick table**: `type ip size 200k expire 10m` tracking `conn_cur`, `conn_rate(10s)`, `http_req_rate(10s)`, `http_err_rate(30s)` +- Tracks real client IP via `var(txn.real_ip)` to work correctly behind Cloudflare/proxies +- **Rate limit thresholds**: + - Tarpit at 3000 req/10s (300 req/s) + - Hard block (deny) at 5000 req/10s (500 req/s) + - Connection rate limit: 500/10s + - Concurrent connection limit: 500 + - Error rate limit: 100/30s +- **Whitelist bypasses** (exempt from rate limits): + - `is_local` — RFC1918 private address ranges + - `is_trusted_ip` — source IPs listed in `trusted_ips.list` + - `is_whitelisted` — real IPs (from proxy headers) matched in `trusted_ips.map` + +### Trusted IP Whitelist Files + +- `trusted_ips.list` — Source IP whitelist for rate limit bypass (one CIDR/IP per line) +- `trusted_ips.map` — Real IP whitelist for proxy-header matching (format: ` 1`) +- Both files are baked into the Docker image via `COPY` in the Dockerfile +- Currently contains phone system IP `172.116.197.166` + +### Timeout Hardening (hap_header.tpl) + +- `timeout http-request`: 300s -> 30s (slowloris protection) +- `timeout connect`: 120s -> 10s +- `timeout client`: 10m -> 5m +- `timeout http-keep-alive`: 120s -> 30s + +### HTTP/2 Protection (hap_header.tpl) + +- `tune.h2.fe.max-total-streams 2000` — limits total streams per HTTP/2 connection +- `tune.h2.fe.glitches-threshold 50` — CVE-2023-44487 Rapid Reset protection + +### Stats Frontend (hap_security_tables.tpl) + +- HAProxy stats page bound to `127.0.0.1:8404` (localhost only, accessible inside container) +- Template: `templates/hap_security_tables.tpl` + ### Deployment Context - Designed to run as Docker container with persistent volumes for certificates and configurations - Exposes ports 80 (HTTP), 443 (HTTPS), and 8000 (management API/UI) +- Stats page on port 8404 (localhost only inside container) - Management interface on port 8000 should be firewall-protected in production +- Dockerfile HEALTHCHECK verifies both port 8000 (Flask API) and port 80 (HAProxy), with `start-period=60s` and `timeout=10s` - Supports deployment on servers with git directory at `/root/whp` and web file sync via rsync to `/docker/whp/web/` - HAProxy is version 3.0.11 \ No newline at end of file