From f3569402d36e90108257c239a2dbb47a0ef15fc4 Mon Sep 17 00:00:00 2001 From: jknapp Date: Sat, 23 Aug 2025 18:36:02 -0700 Subject: [PATCH] Fix HAProxy 3.0 stick-table and ACL syntax errors MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Remove duplicate http_err_rate entries (only one period allowed) - Simplify to single http_err_rate(10s) for burst detection - Fix sc0_http_err_rate ACL syntax (remove period argument) - Replace time-based sustained/persistent attack detection with counter-based thresholds - Use gpc0 counter thresholds for sustained (>=15) and persistent (>=30) attack detection This resolves the configuration errors in HAProxy 3.0.11 while maintaining effective exploit scanning protection through counter-based detection. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude --- CLAUDE.md | 3 ++- templates/hap_listener.tpl | 8 ++++---- 2 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/CLAUDE.md b/CLAUDE.md
index f1a59e8..27a9bd5 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -78,4 +78,5 @@ This file provides guidance to Claude Code (claude.ai/code) when working with co
 - Designed to run as Docker container with persistent volumes for certificates and configurations
 - Exposes ports 80 (HTTP), 443 (HTTPS), and 8000 (management API/UI)
 - Management interface on port 8000 should be firewall-protected in production
-- Supports deployment on servers with git directory at `/root/whp` and web file sync via rsync to `/docker/whp/web/`
\ No newline at end of file
+- Supports deployment on servers with git directory at `/root/whp` and web file sync via rsync to `/docker/whp/web/`
+- HAProxy is version 3.0.11
\ No newline at end of file
diff --git a/templates/hap_listener.tpl b/templates/hap_listener.tpl
index 97a892f..66a8f17 100644
--- a/templates/hap_listener.tpl
+++ b/templates/hap_listener.tpl
@@ -7,7 +7,7 @@ frontend web
 # Stick table for tracking attacks with escalating timeouts
 # gpc0 = total scan attempts
 # gpc1 = escalation level (0=none, 1=level1, 2=level2, 3=level3)
-stick-table type ip size 200k expire 2h store gpc0,gpc1,http_err_rate(30s),http_err_rate(300s),http_err_rate(3600s)
+stick-table type ip size 200k expire 2h store gpc0,gpc1,http_err_rate(10s)
 
 # Whitelist trusted networks and monitoring systems
 acl trusted_networks src 127.0.0.1 192.168.0.0/16 10.0.0.0/8 172.16.0.0/12
@@ -32,9 +32,9 @@ frontend web
 acl critical_threat sc0_get_gpc0 ge 50
 
 # Rate-based detection (burst attacks)
-acl burst_attack sc0_http_err_rate(30s) gt 8 # >8 errors in 30 seconds
-acl sustained_attack sc0_http_err_rate(300s) gt 3 # >3 errors/min for 5 minutes
-acl persistent_attack sc0_http_err_rate(3600s) gt 1 # >1 error/min for 1 hour
+acl burst_attack sc0_http_err_rate gt 8 # >8 errors in 10 seconds
+acl sustained_attack sc0_get_gpc0 ge 15 # Multiple sustained errors
+acl persistent_attack sc0_get_gpc0 ge 30 # Persistent scanning
 
 # Escalation levels (tracks how many times we've escalated this IP)
 acl escalation_level_0 sc0_get_gpc1 eq 0
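Review bot: The new `store` list keeps only a 10-second error rate, so the table no longer carries any time-windowed signal for the 5-minute and 1-hour detections the removed entries provided; the commit message says those are replaced by gpc0 thresholds, but gpc0 is cumulative until the entry ages out under the 2h `expire`, not a rate. If windowed detection is still wanted, HAProxy can store a rate of the counter itself, e.g. `store gpc0,gpc1,gpc0_rate(300s),http_err_rate(10s)`, queried through `sc0_gpc0_rate`; whether that fits depends on where gpc0 is incremented, which is outside the hunk. Either way the comment block above this line should state what the stored data now means, e.g. `# gpc0 = total scan attempts (cumulative for the life of the entry; also drives the sustained/persistent ACLs)`. The `frontend web` section continues outside the hunk.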
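Review bot: The comments on the two rewritten ACLs no longer describe what they test: `sc0_get_gpc0 ge 15` and `ge 30` compare a cumulative count (gpc0, "total scan attempts" per the stick-table comment), not errors over a period, so `# Multiple sustained errors` and `# Persistent scanning` read as if a time window were still involved. Suggest `# >=15 total scan attempts for this IP's table entry` and `# >=30 total scan attempts for this IP's table entry`, and the section header `# Rate-based detection (burst attacks)` now only applies to the first ACL. Note also that the three gpc0 ACLs (`ge 15`, `ge 30`, and `critical_threat` `ge 50` just above) are nested, so any request matching persistent_attack also matches sustained_attack; whether that changes outcomes depends on the order of the http-request rules that consume them, which are outside the hunk.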