cloud-hosting-platform/haproxy-manager-base
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update all backend templates with real IP forwarding and scan detection
All checks were successful
HAProxy Manager Build and Push / Build-and-Push (push) Successful in 51s
Details

Browse Source 
Extends the tarpit protection and real IP handling to all backend templates,
ensuring consistent behavior across different backend configurations.

Changes to all backend templates:
- Pass real client IP via X-CLIENT-IP and X-Real-IP headers
- Use var(txn.real_ip) which contains the actual client IP (from proxy headers or direct)
- Add scan attempt detection (400/401/403/404 errors)
- Track suspicious paths (admin panels, config files, etc.)
- Increment error counters for tarpit decisions

Updated templates:
- hap_backend.tpl: Main backend template
- hap_backend_http_check.tpl: Backend with HTTP health checks
- hap_backend_basic.tpl: Minimal backend configuration

Benefits:
- Backend applications receive the real client IP, not proxy IPs
- All backend types now contribute to scan detection
- Consistent security across different backend configurations
- Works seamlessly with Cloudflare and other CDNs

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
jknapp
2025-08-24 06:59:26 -07:00
parent 2b31fb9f4f
commit 948fdecf52
3 changed files with 46 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
templates/hap_backend_http_check.tpl
View File

@@ -2,8 +2,28 @@
backend {{ name }}-backend
option forwardfor
option httpchk
http-request add-header X-CLIENT-IP %[src]
# Pass the real client IP to backend (from proxy headers or direct connection)
http-request add-header X-CLIENT-IP %[var(txn.real_ip)]
http-request set-header X-Real-IP %[var(txn.real_ip)]
{% if ssl_enabled %}http-request set-header X-Forwarded-Proto https if { ssl_fc }{% endif %}
# Define scanning attempt patterns
acl is_404_error status 404
acl is_403_error status 403
acl is_401_error status 401
acl is_400_error status 400
acl is_scan_attempt status 400 401 403 404
# Additional suspicious patterns
acl suspicious_path path_reg -i \.(php|asp|aspx|jsp|cgi)$
acl suspicious_path path_reg -i /(wp-admin|phpmyadmin|admin|login|xmlrpc)
acl suspicious_path path_reg -i \.(env|git|svn|backup|bak|old)
# Track scan attempts in the frontend stick table
# This increments the counter AFTER the backend responds with an error
# The frontend will check this counter on SUBSEQUENT requests
http-response sc-inc-gpc0(0) if is_scan_attempt
{% for server in servers %}
server {{ server.server_name }} {{ server.server_address }}:{{ server.server_port }} {{ server.server_options }}
{% endfor %}