From b55a2fa691f2c79c6bb37d3af37a309236a1a65d Mon Sep 17 00:00:00 2001
From: jknapp <jknapp85@gmail.com>
Date: Mon, 22 Sep 2025 18:39:37 -0700
Subject: [PATCH] Fix ACL compound reference error for xmlrpc abuse detection
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Replace compound ACL xmlrpc_abuse with separate conditions
- Use xmlrpc_rate_abuse for rate detection and combine with is_xmlrpc in http-request rule
- Prevents ACL-to-ACL reference which is not supported in HAProxy 3.0.11

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
---
 templates/hap_listener.tpl | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/templates/hap_listener.tpl b/templates/hap_listener.tpl
index 4dcd9ec..275d7d3 100644
--- a/templates/hap_listener.tpl
+++ b/templates/hap_listener.tpl
@@ -201,12 +201,12 @@ frontend web
     # Other auth: 5 requests per 10s (stricter for non-WordPress)
     # XMLRPC: 20 requests per 10s (can be legitimately high for some plugins)
     acl auth_abuse sc0_http_req_rate gt 5
-    acl xmlrpc_abuse is_xmlrpc sc0_http_req_rate gt 20
+    acl xmlrpc_rate_abuse sc0_http_req_rate gt 20
 
     # Rate limiting for non-WordPress authentication endpoints
     http-request deny if is_login auth_abuse
     http-request deny if is_api_auth auth_abuse
-    http-request deny if xmlrpc_abuse !legitimate_bot !wordpress_app
+    http-request deny if is_xmlrpc xmlrpc_rate_abuse !legitimate_bot !wordpress_app
 
     # 8. HAProxy 3.0.11 Enhanced Logging with Threat Intelligence
     http-request capture var(txn.real_ip) len 40