Fix HAProxy ACL syntax errors in backend templates
- Remove invalid ACL combination syntax (an `acl` definition can't use 'or' to combine other ACLs) - Use multiple http-response lines instead (each line is evaluated on its own, so together they act as an OR) - Each line checks one specific scan pattern with 404 AND not a legitimate asset - Simplify logic to be HAProxy 3.0 compatible This fixes the config parsing errors while maintaining the same detection logic - only counting suspicious script/config 404s, not missing assets. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
@@ -20,25 +20,21 @@ backend {{ name }}-backend
|
|||||||
acl scan_backups path_reg -i \.(backup|bak|old|orig|save|swp|sql|db|dump|tar|zip|rar|7z)
|
acl scan_backups path_reg -i \.(backup|bak|old|orig|save|swp|sql|db|dump|tar|zip|rar|7z)
|
||||||
acl scan_vulns path_reg -i /(cgi-bin|fckeditor|tiny_mce|ckfinder|userfiles|filemanager)
|
acl scan_vulns path_reg -i /(cgi-bin|fckeditor|tiny_mce|ckfinder|userfiles|filemanager)
|
||||||
|
|
||||||
# Combine all scan patterns
|
|
||||||
acl is_suspicious_request scan_scripts or scan_admin or scan_configs or scan_backups or scan_vulns
|
|
||||||
|
|
||||||
# Define legitimate static assets that should NOT count as scan attempts
|
# Define legitimate static assets that should NOT count as scan attempts
|
||||||
acl legitimate_assets path_reg -i \.(css|js|jpg|jpeg|png|gif|svg|ico|woff|woff2|ttf|eot|otf|map|webp|mp4|webm|pdf)$
|
acl legitimate_assets path_reg -i \.(css|js|jpg|jpeg|png|gif|svg|ico|woff|woff2|ttf|eot|otf|map|webp|mp4|webm|pdf)$
|
||||||
acl legitimate_paths path_beg /static/ /assets/ /media/ /images/ /fonts/ /css/ /js/
|
acl legitimate_paths path_beg /static/ /assets/ /media/ /images/ /fonts/ /css/ /js/
|
||||||
|
|
||||||
# Only count as scan attempt if it's:
|
|
||||||
# - A suspicious request with 404 status, OR
|
|
||||||
# - Any 401/403 error (auth failures are always suspicious)
|
|
||||||
# Exclude legitimate asset 404s (like missing fonts, images, etc.)
|
|
||||||
acl is_scan_attempt is_suspicious_request is_404_error !legitimate_assets !legitimate_paths
|
|
||||||
acl is_scan_attempt is_403_error !legitimate_assets !legitimate_paths
|
|
||||||
acl is_scan_attempt is_401_error
|
|
||||||
|
|
||||||
# Track scan attempts in the frontend stick table
|
# Track scan attempts in the frontend stick table
|
||||||
# This increments the counter AFTER the backend responds with an error
|
# Only count suspicious 404s and auth failures
|
||||||
# The frontend will check this counter on SUBSEQUENT requests
|
# Multiple ACL conditions on same line = AND, multiple lines = OR
|
||||||
http-response sc-inc-gpc0(0) if is_scan_attempt
|
http-response sc-inc-gpc0(0) if scan_scripts is_404_error !legitimate_assets !legitimate_paths
|
||||||
|
http-response sc-inc-gpc0(0) if scan_admin is_404_error !legitimate_assets !legitimate_paths
|
||||||
|
http-response sc-inc-gpc0(0) if scan_configs is_404_error !legitimate_assets !legitimate_paths
|
||||||
|
http-response sc-inc-gpc0(0) if scan_backups is_404_error !legitimate_assets !legitimate_paths
|
||||||
|
http-response sc-inc-gpc0(0) if scan_vulns is_404_error !legitimate_assets !legitimate_paths
|
||||||
|
http-response sc-inc-gpc0(0) if is_403_error !legitimate_assets !legitimate_paths
|
||||||
|
http-response sc-inc-gpc0(0) if is_401_error
|
||||||
|
|
||||||
|
|
||||||
{% for server in servers %}
|
{% for server in servers %}
|
||||||
server {{ server.server_name }} {{ server.server_address }}:{{ server.server_port }} {{ server.server_options }}
|
server {{ server.server_name }} {{ server.server_address }}:{{ server.server_port }} {{ server.server_options }}
|
||||||
|
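Review bot: The new per-line `http-response sc-inc-gpc0(0)` rules (here and identically in the two following backend-template sections) can increment the counter more than once for a single response, because each line is evaluated independently and a 404 whose path matches several scan_* ACLs — e.g. a path under `/cgi-bin/` ending in `.bak` hits both `scan_vulns` and `scan_backups` as defined in this hunk — is counted once per matching line, whereas the removed `is_suspicious_request` ACL counted it once. If the frontend's gpc0 threshold (outside this hunk) was tuned for one increment per bad response, overlapping patterns now trip it faster, which changes the false-positive profile rather than preserving the "same detection logic" the description promises. The OR can be kept on a single increment by folding the 404 cases into one condition using the explicit OR operator HAProxy accepts in `if` conditions, `http-response sc-inc-gpc0(0) if scan_scripts is_404_error !legitimate_assets !legitimate_paths || scan_admin is_404_error !legitimate_assets !legitimate_paths || …` (one clause per scan_* ACL), leaving the 403 and 401 lines as they are since a response has only one status and presumably cannot match both a 404 clause and `is_403_error`. At minimum the new comment `# Multiple ACL conditions on same line = AND, multiple lines = OR` is misleading and should read `# Each line is evaluated independently; a response matching several lines is counted once per line`. The `scan_scripts`, `scan_admin`, `scan_configs` and `is_4xx_error` definitions sit above this hunk, so whether those patterns also overlap cannot be confirmed from here.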
@@ -18,20 +18,19 @@ backend {{ name }}-backend
|
|||||||
acl scan_backups path_reg -i \.(backup|bak|old|orig|save|swp|sql|db|dump|tar|zip|rar|7z)
|
acl scan_backups path_reg -i \.(backup|bak|old|orig|save|swp|sql|db|dump|tar|zip|rar|7z)
|
||||||
acl scan_vulns path_reg -i /(cgi-bin|fckeditor|tiny_mce|ckfinder|userfiles|filemanager)
|
acl scan_vulns path_reg -i /(cgi-bin|fckeditor|tiny_mce|ckfinder|userfiles|filemanager)
|
||||||
|
|
||||||
# Combine all scan patterns
|
|
||||||
acl is_suspicious_request scan_scripts or scan_admin or scan_configs or scan_backups or scan_vulns
|
|
||||||
|
|
||||||
# Define legitimate static assets that should NOT count
|
# Define legitimate static assets that should NOT count
|
||||||
acl legitimate_assets path_reg -i \.(css|js|jpg|jpeg|png|gif|svg|ico|woff|woff2|ttf|eot|otf|map|webp|mp4|webm|pdf)$
|
acl legitimate_assets path_reg -i \.(css|js|jpg|jpeg|png|gif|svg|ico|woff|woff2|ttf|eot|otf|map|webp|mp4|webm|pdf)$
|
||||||
acl legitimate_paths path_beg /static/ /assets/ /media/ /images/ /fonts/ /css/ /js/
|
acl legitimate_paths path_beg /static/ /assets/ /media/ /images/ /fonts/ /css/ /js/
|
||||||
|
|
||||||
# Only count suspicious 404s and auth failures
|
|
||||||
acl is_scan_attempt is_suspicious_request is_404_error !legitimate_assets !legitimate_paths
|
|
||||||
acl is_scan_attempt is_403_error !legitimate_assets !legitimate_paths
|
|
||||||
acl is_scan_attempt is_401_error
|
|
||||||
|
|
||||||
# Track scan attempts in the frontend stick table
|
# Track scan attempts in the frontend stick table
|
||||||
http-response sc-inc-gpc0(0) if is_scan_attempt
|
# Only count suspicious 404s and auth failures
|
||||||
|
http-response sc-inc-gpc0(0) if scan_scripts is_404_error !legitimate_assets !legitimate_paths
|
||||||
|
http-response sc-inc-gpc0(0) if scan_admin is_404_error !legitimate_assets !legitimate_paths
|
||||||
|
http-response sc-inc-gpc0(0) if scan_configs is_404_error !legitimate_assets !legitimate_paths
|
||||||
|
http-response sc-inc-gpc0(0) if scan_backups is_404_error !legitimate_assets !legitimate_paths
|
||||||
|
http-response sc-inc-gpc0(0) if scan_vulns is_404_error !legitimate_assets !legitimate_paths
|
||||||
|
http-response sc-inc-gpc0(0) if is_403_error !legitimate_assets !legitimate_paths
|
||||||
|
http-response sc-inc-gpc0(0) if is_401_error
|
||||||
|
|
||||||
{% for server in servers %}
|
{% for server in servers %}
|
||||||
server {{ server.server_name }} {{ server.server_address }}:{{ server.server_port }} {{ server.server_options }}
|
server {{ server.server_name }} {{ server.server_address }}:{{ server.server_port }} {{ server.server_options }}
|
||||||
|
@@ -20,20 +20,19 @@ backend {{ name }}-backend
|
|||||||
acl scan_backups path_reg -i \.(backup|bak|old|orig|save|swp|sql|db|dump|tar|zip|rar|7z)
|
acl scan_backups path_reg -i \.(backup|bak|old|orig|save|swp|sql|db|dump|tar|zip|rar|7z)
|
||||||
acl scan_vulns path_reg -i /(cgi-bin|fckeditor|tiny_mce|ckfinder|userfiles|filemanager)
|
acl scan_vulns path_reg -i /(cgi-bin|fckeditor|tiny_mce|ckfinder|userfiles|filemanager)
|
||||||
|
|
||||||
# Combine all scan patterns
|
|
||||||
acl is_suspicious_request scan_scripts or scan_admin or scan_configs or scan_backups or scan_vulns
|
|
||||||
|
|
||||||
# Define legitimate static assets that should NOT count
|
# Define legitimate static assets that should NOT count
|
||||||
acl legitimate_assets path_reg -i \.(css|js|jpg|jpeg|png|gif|svg|ico|woff|woff2|ttf|eot|otf|map|webp|mp4|webm|pdf)$
|
acl legitimate_assets path_reg -i \.(css|js|jpg|jpeg|png|gif|svg|ico|woff|woff2|ttf|eot|otf|map|webp|mp4|webm|pdf)$
|
||||||
acl legitimate_paths path_beg /static/ /assets/ /media/ /images/ /fonts/ /css/ /js/
|
acl legitimate_paths path_beg /static/ /assets/ /media/ /images/ /fonts/ /css/ /js/
|
||||||
|
|
||||||
# Only count suspicious 404s and auth failures
|
|
||||||
acl is_scan_attempt is_suspicious_request is_404_error !legitimate_assets !legitimate_paths
|
|
||||||
acl is_scan_attempt is_403_error !legitimate_assets !legitimate_paths
|
|
||||||
acl is_scan_attempt is_401_error
|
|
||||||
|
|
||||||
# Track scan attempts in the frontend stick table
|
# Track scan attempts in the frontend stick table
|
||||||
http-response sc-inc-gpc0(0) if is_scan_attempt
|
# Only count suspicious 404s and auth failures
|
||||||
|
http-response sc-inc-gpc0(0) if scan_scripts is_404_error !legitimate_assets !legitimate_paths
|
||||||
|
http-response sc-inc-gpc0(0) if scan_admin is_404_error !legitimate_assets !legitimate_paths
|
||||||
|
http-response sc-inc-gpc0(0) if scan_configs is_404_error !legitimate_assets !legitimate_paths
|
||||||
|
http-response sc-inc-gpc0(0) if scan_backups is_404_error !legitimate_assets !legitimate_paths
|
||||||
|
http-response sc-inc-gpc0(0) if scan_vulns is_404_error !legitimate_assets !legitimate_paths
|
||||||
|
http-response sc-inc-gpc0(0) if is_403_error !legitimate_assets !legitimate_paths
|
||||||
|
http-response sc-inc-gpc0(0) if is_401_error
|
||||||
|
|
||||||
{% for server in servers %}
|
{% for server in servers %}
|
||||||
server {{ server.server_name }} {{ server.server_address }}:{{ server.server_port }} {{ server.server_options }}
|
server {{ server.server_name }} {{ server.server_address }}:{{ server.server_port }} {{ server.server_options }}
|
||||||
|