cloud-hosting-platform/haproxy-manager-base
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Remove ACL-based security protections to eliminate false positives
All checks were successful
HAProxy Manager Build and Push / Build-and-Push (push) Successful in 59s
Details

Browse Source 
This commit simplifies the HAProxy configuration by removing automatic
threat detection and blocking rules while preserving essential functionality.

Changes:
- Removed all automatic ACL-based security rules (SQL injection detection,
  scanner detection, rate limiting, brute force protection, etc.)
- Removed complex stick-table tracking with 15 GPC counters
- Removed graduated threat response system (tarpit, deny based on threat scores)
- Removed HTTP/2 security tuning parameters specific to threat detection
- Commented out IP header forwarding in hap_backend_basic.tpl

Preserved functionality:
- Real client IP detection from proxy headers (CF-Connecting-IP, X-Real-IP,
  X-Forwarded-For) with proper fallback to source IP
- Manual IP blocking via map file (/etc/haproxy/blocked_ips.map)
- Runtime map updates for immediate blocking without reload
- Backend IP forwarding capabilities (available in hap_backend.tpl)

The configuration now focuses on manual IP blocking only, which can be
managed through the API endpoints (/api/blocked-ips).

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
jknapp
2025-11-03 15:35:25 -08:00
parent 76b2e85ca8
commit 7eeba0d718
3 changed files with 6 additions and 235 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
templates/hap_header.tpl
View File

@@ -24,19 +24,7 @@ global
group haproxy
daemon
# HAProxy 3.0.11 Enhanced Security Configuration
# Selective status code tracking for reduced false positives
http-err-codes 401,403,429 # Only track security-relevant errors
http-fail-codes 500-503 # Server errors for monitoring
# HTTP/2 Security and Performance Tuning
tune.h2.fe.max-total-streams 2000 # Connection cycling for security
tune.h2.fe.glitches-threshold 50 # Protocol violation detection
tune.h2.fe.max-concurrent-streams 100 # Balanced security/performance
tune.bufsize 32768 # Enhanced HTTP/2 protection
tune.ring.queues 16 # Performance optimization
# SSL and General Performance
# SSL and Performance
tune.ssl.default-dh-param 2048
# Stats persistence for zero-downtime reloads