Add rate limiting, connection limits, and timeout hardening

Activate HAProxy's built-in attack prevention to stop floods that cause the container to become unresponsive: - Stick table tracks per-IP: conn_cur, conn_rate, http_req_rate, http_err_rate - Rate limit rules: deny at 50 req/s, tarpit at 20 req/s, connection rate limit at 60/10s, concurrent connection cap at 100, error rate tarpit at 20 errors/30s - Harden timeouts: http-request 300s→30s, connect 120s→10s, client 10m→5m, keep-alive 120s→30s - HTTP/2 Rapid Reset protection (CVE-2023-44487): stream and glitch limits - Stats frontend on localhost:8404 for monitoring - HEALTHCHECK now validates both port 80 (HAProxy) and 8000 (API) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-31 10:00:53 -07:00
parent 94af4e47c1
commit a3b19ce352
4 changed files with 38 additions and 13 deletions
--- a/4
+++ b/4
@@ -18,6 +18,6 @@ RUN mkdir -p /var/spool/cron/crontabs && \
    chown root:crontab /var/spool/cron/crontabs/root
 EXPOSE 80 443 8000
 # Add health check
-HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
-    CMD curl -f http://localhost:8000/health || exit 1
+HEALTHCHECK --interval=30s --timeout=10s --start-period=60s --retries=3 \
+    CMD curl -sf --max-time 5 http://localhost:8000/health && curl -s --max-time 5 -o /dev/null http://localhost/ || exit 1
 CMD ["/haproxy/scripts/start-up.sh"]
--- a/templates/hap_header.tpl
+++ b/templates/hap_header.tpl
@@ -27,6 +27,10 @@ global
    # SSL and Performance
    tune.ssl.default-dh-param 2048

+    # HTTP/2 protection against Rapid Reset (CVE-2023-44487) and stream abuse
+    tune.h2.fe.max-total-streams 2000
+    tune.h2.fe.glitches-threshold 50
+
    # Stats persistence for zero-downtime reloads
    stats-file /var/lib/haproxy/stats.dat
 #---------------------------------------------------------------------
@@ -42,12 +46,12 @@ defaults
    option forwardfor       #except 127.0.0.0/8
    option                  redispatch
    retries                 3
-    timeout http-request    300s
+    timeout http-request    30s
    timeout queue           2m
-    timeout connect         120s
-    timeout client          10m
+    timeout connect         10s
+    timeout client          5m
    timeout server          10m
-    timeout http-keep-alive 120s
+    timeout http-keep-alive 30s
    timeout check           10s
    timeout tarpit          10s  # Tarpit delay for low-level scanners (before silent-drop)
    maxconn                 3000
--- a/templates/hap_listener.tpl
+++ b/templates/hap_listener.tpl
@@ -19,6 +19,26 @@ frontend web
    http-request set-var(txn.real_ip) req.hdr(X-Forwarded-For) if !has_cf_connecting_ip !has_x_real_ip has_x_forwarded_for
    http-request set-var(txn.real_ip) src if !has_cf_connecting_ip !has_x_real_ip !has_x_forwarded_for

+    # --- Connection & rate tracking ---
+    stick-table type ip size 200k expire 10m store conn_cur,conn_rate(10s),http_req_rate(10s),http_err_rate(30s)
+    http-request track-sc0 var(txn.real_ip)
+
+    # Whitelist: let health checks and local traffic bypass rate limits
+    acl is_local src 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
+    acl is_health_check path_beg /.well-known/acme-challenge
+
+    # --- Rate limit rules (applied in order, first match wins) ---
+    # Hard block: >500 req/10s per IP (sustained flood)
+    http-request deny deny_status 429 if { sc_http_req_rate(0) gt 500 } !is_local !is_health_check
+    # Tarpit: >200 req/10s per IP (aggressive scraping / light flood)
+    http-request tarpit deny_status 429 if { sc_http_req_rate(0) gt 200 } !is_local !is_health_check
+    # Connection rate limit: >60 new connections per 10s per IP
+    http-request deny deny_status 429 if { sc_conn_rate(0) gt 60 } !is_local !is_health_check
+    # Concurrent connection limit: >100 simultaneous connections per IP
+    http-request deny deny_status 429 if { sc_conn_cur(0) gt 100 } !is_local !is_health_check
+    # High error rate: >20 errors in 30s (scanner/fuzzer behavior)
+    http-request tarpit deny_status 403 if { sc_http_err_rate(0) gt 20 } !is_local !is_health_check
+
    # IP blocking using map file (manual blocks only)
    # Map file format: /etc/haproxy/blocked_ips.map contains "<ip_or_cidr> 1" per line
    # Runtime updates: echo "add map #0 IP_ADDRESS 1" | socat stdio /var/run/haproxy.sock
--- a/templates/hap_security_tables.tpl
+++ b/templates/hap_security_tables.tpl
@@ -1,7 +1,8 @@
-# HAProxy 3.0.11 eliminates need for separate security tables
-# All threat intelligence is now consolidated in the main frontend table
-# using array-based GPC system with 15 threat indicators
-
-# Placeholder for future security extensions
-# The main table in hap_listener.tpl now provides comprehensive
-# multi-dimensional threat tracking with weighted scoring
+# HAProxy Stats & Monitoring
+frontend stats
+    bind 127.0.0.1:8404
+    stats enable
+    stats uri /stats
+    stats refresh 30s
+    stats show-legends
+    stats show-node