Add rate limiting, connection limits, and timeout hardening
All checks were successful
HAProxy Manager Build and Push / Build-and-Push (push) Successful in 1m33s
All checks were successful
HAProxy Manager Build and Push / Build-and-Push (push) Successful in 1m33s
Activate HAProxy's built-in attack prevention to stop floods that cause the container to become unresponsive: - Stick table tracks per-IP: conn_cur, conn_rate, http_req_rate, http_err_rate - Rate limit rules: deny at 50 req/s, tarpit at 20 req/s, connection rate limit at 60/10s, concurrent connection cap at 100, error rate tarpit at 20 errors/30s - Harden timeouts: http-request 300s→30s, connect 120s→10s, client 10m→5m, keep-alive 120s→30s - HTTP/2 Rapid Reset protection (CVE-2023-44487): stream and glitch limits - Stats frontend on localhost:8404 for monitoring - HEALTHCHECK now validates both port 80 (HAProxy) and 8000 (API) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -1,7 +1,8 @@
|
||||
# HAProxy 3.0.11 eliminates need for separate security tables
|
||||
# All threat intelligence is now consolidated in the main frontend table
|
||||
# using array-based GPC system with 15 threat indicators
|
||||
|
||||
# Placeholder for future security extensions
|
||||
# The main table in hap_listener.tpl now provides comprehensive
|
||||
# multi-dimensional threat tracking with weighted scoring
|
||||
# HAProxy Stats & Monitoring
|
||||
frontend stats
|
||||
bind 127.0.0.1:8404
|
||||
stats enable
|
||||
stats uri /stats
|
||||
stats refresh 30s
|
||||
stats show-legends
|
||||
stats show-node
|
||||
Reference in New Issue
Block a user