Update all backend templates with real IP forwarding and scan detection

Extends the tarpit protection and real IP handling to all backend templates,
ensuring consistent behavior across different backend configurations.

Changes to all backend templates:
- Pass real client IP via X-CLIENT-IP and X-Real-IP headers
- Use var(txn.real_ip) which contains the actual client IP (from proxy headers or direct)
- Add scan attempt detection (400/401/403/404 errors)
- Track suspicious paths (admin panels, config files, etc.)
- Increment error counters for tarpit decisions

Updated templates:
- hap_backend.tpl: Main backend template
- hap_backend_http_check.tpl: Backend with HTTP health checks
- hap_backend_basic.tpl: Minimal backend configuration

Benefits:
- Backend applications receive the real client IP, not proxy IPs
- All backend types now contribute to scan detection
- Consistent security across different backend configurations
- Works seamlessly with Cloudflare and other CDNs

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-08-24 06:59:26 -07:00
parent 2b31fb9f4f
commit 948fdecf52
3 changed files with 46 additions and 2 deletions

@@ -1,7 +1,9 @@
backend {{ name }}-backend
option forwardfor
http-request add-header X-CLIENT-IP %[src]
# Pass the real client IP to backend (from proxy headers or direct connection)
http-request add-header X-CLIENT-IP %[var(txn.real_ip)]
http-request set-header X-Real-IP %[var(txn.real_ip)]
{% if ssl_enabled %}http-request set-header X-Forwarded-Proto https if { ssl_fc }{% endif %}
# Define scanning attempt patterns
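
Review bot: the new `X-CLIENT-IP` line keeps `add-header` while the `X-Real-IP` line right below it uses `set-header`, so a client-supplied `X-CLIENT-IP` is not removed and the backend receives it alongside the proxy's value. A backend that reads the first occurrence would then trust an address chosen by the client, which defeats the purpose of forwarding `var(txn.real_ip)`. Suggest `http-request set-header X-CLIENT-IP %[var(txn.real_ip)]` so both headers are overwritten. Separately, `option forwardfor` at the top of the hunk is unchanged, so `X-Forwarded-For` is still appended from the connection source rather than from `txn.real_ip`; behind a CDN the three headers can disagree, and a comment stating which one backends should rely on would help. `txn.real_ip` is set outside this hunk, so it is also worth confirming that it is always populated before these rules run, otherwise both headers are sent empty.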