cloud-hosting-platform/haproxy-manager-base
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Remove 40X rate limiting from HAProxy to prevent false positives
All checks were successful
HAProxy Manager Build and Push / Build-and-Push (push) Successful in 1m54s
Details

Browse Source 
- Removed all 40X error tracking and rate limiting from HAProxy templates
- Preserved critical IP forwarding headers (X-CLIENT-IP, X-Real-IP, X-Forwarded-For)
- Kept stick table and IP blocking infrastructure for potential future use
- Rate limiting can now be implemented at container level with proper context

This change prevents legitimate developers from being rate-limited during
normal development activities while maintaining proper client IP forwarding
for container-level security and logging.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
jknapp
2025-08-30 08:54:55 -07:00
parent 8c7031fd6d
commit 402c48b4a0
4 changed files with 10 additions and 131 deletions
Download Patch File Download Diff File Expand all files Collapse all files

29
templates/hap_backend_basic.tpl
View File

@@ -2,35 +2,10 @@
backend {{ name }}-backend
option forwardfor
# Pass the real client IP to backend (from proxy headers or direct connection)
# This is crucial for container-level logging and security tools
http-request add-header X-CLIENT-IP %[var(txn.real_ip)]
http-request set-header X-Real-IP %[var(txn.real_ip)]
# Define error status codes
acl is_404_error status 404
acl is_403_error status 403
acl is_401_error status 401
acl is_400_error status 400
# Define suspicious scan patterns - only these count as scan attempts
acl scan_scripts path_reg -i \.(php|asp|aspx|jsp|cgi|pl|py|rb|sh|bash)$
acl scan_admin path_reg -i /(wp-admin|wp-login|phpmyadmin|adminer|manager|admin-console)
acl scan_configs path_reg -i \.(env|git|svn|htaccess|htpasswd|ini|conf|config|yml|yaml|toml)
acl scan_backups path_reg -i \.(backup|bak|old|orig|save|swp|sql|db|dump|tar|zip|rar|7z)
acl scan_vulns path_reg -i /(cgi-bin|fckeditor|tiny_mce|ckfinder|userfiles|filemanager)
# Define legitimate static assets that should NOT count
acl legitimate_assets path_reg -i \.(css|js|jpg|jpeg|png|gif|svg|ico|woff|woff2|ttf|eot|otf|map|webp|mp4|webm|pdf)$
acl legitimate_paths path_beg /static/ /assets/ /media/ /images/ /fonts/ /css/ /js/
# Track scan attempts in the frontend stick table
# Only count suspicious 404s and auth failures
http-response sc-inc-gpc0(0) if scan_scripts is_404_error !legitimate_assets !legitimate_paths
http-response sc-inc-gpc0(0) if scan_admin is_404_error !legitimate_assets !legitimate_paths
http-response sc-inc-gpc0(0) if scan_configs is_404_error !legitimate_assets !legitimate_paths
http-response sc-inc-gpc0(0) if scan_backups is_404_error !legitimate_assets !legitimate_paths
http-response sc-inc-gpc0(0) if scan_vulns is_404_error !legitimate_assets !legitimate_paths
http-response sc-inc-gpc0(0) if is_403_error !legitimate_assets !legitimate_paths
http-response sc-inc-gpc0(0) if is_401_error
http-request set-header X-Forwarded-For %[var(txn.real_ip)]
{% for server in servers %}
server {{ server.server_name }} {{ server.server_address }}:{{ server.server_port }} {{ server.server_options }}