32 Commits

Author SHA1 Message Date
b88da4c58f Implement HAProxy tarpit escalation and CLI monitoring
All checks were successful
HAProxy Manager Build and Push / Build-and-Push (push) Successful in 51s
- Add full tarpit escalation logic with gpc1 tracking (levels 0-3)
- Implement progressive delays: 2-5s → 8-15s → 20-45s → 60s
- Increase initial threshold from 5 to 10 errors (more tolerant)
- Reduce tracking duration from 2h to 1h (faster cleanup)
- Add show-tarpit-ips.sh script for monitoring tarpitted IPs via CLI
- Script shows IP, scan count, escalation level, and tarpit status

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-08-24 19:33:10 -07:00
948fdecf52 Update all backend templates with real IP forwarding and scan detection
All checks were successful
HAProxy Manager Build and Push / Build-and-Push (push) Successful in 51s
Extends the tarpit protection and real IP handling to all backend templates,
ensuring consistent behavior across different backend configurations.

Changes to all backend templates:
- Pass real client IP via X-CLIENT-IP and X-Real-IP headers
- Use var(txn.real_ip) which contains the actual client IP (from proxy headers or direct)
- Add scan attempt detection (400/401/403/404 errors)
- Track suspicious paths (admin panels, config files, etc.)
- Increment error counters for tarpit decisions

Updated templates:
- hap_backend.tpl: Main backend template
- hap_backend_http_check.tpl: Backend with HTTP health checks
- hap_backend_basic.tpl: Minimal backend configuration

Benefits:
- Backend applications receive the real client IP, not proxy IPs
- All backend types now contribute to scan detection
- Consistent security across different backend configurations
- Works seamlessly with Cloudflare and other CDNs

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-08-24 06:59:26 -07:00
2b31fb9f4f Add real client IP detection for proxy/CDN environments
All checks were successful
HAProxy Manager Build and Push / Build-and-Push (push) Successful in 52s
Implements smart client IP detection to handle Cloudflare and other reverse
proxies correctly, preventing legitimate traffic from being tarpited when
behind a shared proxy IP.

Changes:
- Detect real client IP from proxy headers with priority order:
  1. CF-Connecting-IP (Cloudflare)
  2. X-Real-IP (common proxy header)
  3. X-Forwarded-For (standard proxy header)
  4. src (fallback to source IP if no headers)
- Track real client IP in stick-table instead of proxy IP
- Check real client IP for blocking rules
- No need to maintain proxy IP lists - works automatically

This ensures that:
- Cloudflare and other CDN traffic is tracked per real client
- Each actual user gets their own tarpit counter
- Legitimate users aren't affected by attackers on the same proxy
- Works automatically with any proxy that sets standard headers

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-08-24 06:51:00 -07:00
5ce4f910c2 Fix tarpit to only apply AFTER backend error responses
All checks were successful
HAProxy Manager Build and Push / Build-and-Push (push) Successful in 51s
Corrected the tarpit logic flow to work as intended:

1. Backend tracks 400/401/403/404 error responses via http-response
2. Counter increments AFTER the backend responds with an error
3. Frontend checks counter on SUBSEQUENT requests
4. Tarpit/blocking only applies after error thresholds are reached:
   - 5+ errors: Potential scanner (no action yet)
   - 15+ errors: Likely scanner (tarpit if also burst traffic)
   - 30+ errors: Confirmed scanner (always tarpit)
   - 50+ errors: Aggressive scanner (block with 429)

This ensures:
- Normal traffic is never delayed
- First requests always go through normally
- Only clients that accumulate errors get progressively slowed/blocked
- The tarpit is a response to bad behavior, not a preemptive measure

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-08-23 18:48:21 -07:00
de3a68b59c Fix tarpit applying to all connections - use proper threat ranges
All checks were successful
HAProxy Manager Build and Push / Build-and-Push (push) Successful in 50s
The previous configuration was tarpiting all connections because the ACLs
were overlapping (e.g., low_threat >= 3 would match everything above 3).

Changes:
- Add proper range checks for threat levels (e.g., >= 3 AND < 10 for low)
- Simplify tarpit logic to only apply when scan attempts are detected
- Remove complex escalation levels (not working properly in HAProxy 3.0)
- Only tarpit connections with 3+ scan attempts or burst attacks
- Critical threats (50+ attempts) get immediate 429 block

This ensures normal traffic flows through without delay while actual
scanners and attackers get tarpited based on their behavior.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-08-23 18:44:19 -07:00
f3569402d3 Fix HAProxy 3.0 stick-table and ACL syntax errors
All checks were successful
HAProxy Manager Build and Push / Build-and-Push (push) Successful in 52s
- Remove duplicate http_err_rate entries (only one period allowed)
- Simplify to single http_err_rate(10s) for burst detection
- Fix sc0_http_err_rate ACL syntax (remove period argument)
- Replace time-based sustained/persistent attack detection with counter-based thresholds
- Use gpc0 counter thresholds for sustained (>=15) and persistent (>=30) attack detection

This resolves the configuration errors in HAProxy 3.0.11 while maintaining
effective exploit scanning protection through counter-based detection.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-08-23 18:36:02 -07:00
99435ee3e0 Fix HAProxy 3.0 compatibility issues in tarpit configuration
All checks were successful
HAProxy Manager Build and Push / Build-and-Push (push) Successful in 50s
- Remove gpc2 from stick-table (not supported in HAProxy 3.0)
- Fix ACL syntax: Change sc_get_gpc0(0) to sc0_get_gpc0
- Fix ACL syntax: Change sc_http_err_rate(0,period) to sc0_http_err_rate(period)
- Fix ACL syntax: Change sc_get_gpc1(0) to sc0_get_gpc1
- Reorder rules to place http-request rules before use_backend rules
- Remove duplicate gpc2 increment rule

These changes ensure compatibility with HAProxy 3.0.11 while maintaining
the tarpit escalation functionality for exploit scanning protection.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-08-23 18:30:34 -07:00
1eed03a3b6 Add HAProxy tarpit escalation for exploit scanning protection
All checks were successful
HAProxy Manager Build and Push / Build-and-Push (push) Successful in 51s
Implement progressive tarpit delays and threat detection to slow down
attackers scanning for exploits. Features include:

- Stick table to track attacks with 2-hour expiry
- Escalating tarpit delays based on threat level and repeat offenses
- Threat level detection (low/medium/high/critical) based on scan attempts
- Rate-based attack detection for burst/sustained/persistent attacks
- Automatic scan attempt tracking via HTTP error responses (400/401/403/404)
- Detection of suspicious paths (admin panels, config files, etc.)
- Trusted network bypass for local/monitoring systems
- Progressive escalation levels that increase tarpit duration
- Critical threat blocking with 429 status

The system uses HAProxy's built-in tarpit mechanism to delay responses
up to 60 seconds for persistent attackers, effectively slowing down
vulnerability scanners while maintaining service for legitimate users.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-08-23 18:09:28 -07:00
15c7f40b2e Fix bug with haproxy config for blocked address
All checks were successful
HAProxy Manager Build and Push / Build-and-Push (push) Successful in 52s
2025-08-22 09:48:24 -07:00
58fa6d8aba Update blocked IP handling to use custom blocked page with 403 status
All checks were successful
HAProxy Manager Build and Push / Build-and-Push (push) Successful in 1m17s
**Template Changes:**
- Switch from direct denial to blocked page redirect with 403 status
- Blocked IPs now see /blocked-ip page instead of generic 403 denial
- Maintains proper 403 HTTP status code for blocked requests

**Blocked Page Updates:**
- Remove contact support button to prevent misuse
- Add clear instructions on how to request unblocking
- Provide structured guidance for contacting hosting provider
- Maintain professional appearance with helpful information

**Benefits:**
- Better user experience for legitimate blocks
- Clear instructions prevent support confusion
- Maintains security while being informative
- Professional appearance reflects well on hosting providers

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-08-22 08:36:57 -07:00
7869b81f27 CRITICAL FIX: Migrate HAProxy IP blocking from ACL to map files
All checks were successful
HAProxy Manager Build and Push / Build-and-Push (push) Successful in 51s
**Problem Solved:**
- HAProxy ACL 64-word limit caused config parsing failures
- "too many words, truncating after word 64" error
- Complete service outage when >64 IPs were blocked
- Error: "no such ACL : 'is_blocked'" broke all traffic routing

**Solution: HAProxy Map Files (v1.6+)**
-  Unlimited IP addresses (no word limits)
-  Runtime updates without config reloads
-  Better performance (hash table vs linear search)
-  Safer config management with validation & rollback

**Technical Implementation:**

**Map File Integration:**
- `/etc/haproxy/blocked_ips.map` stores all blocked IPs
- `http-request deny status 403 if { src -f /etc/haproxy/blocked_ips.map }`
- Runtime updates: `echo "add map #0 IP" | socat stdio /var/run/haproxy.sock`

**Safety Features Added:**
- `create_backup()` - Automatic config/map backups before changes
- `validate_haproxy_config()` - Config validation before applying
- `restore_backup()` - Automatic rollback on failures
- `reload_haproxy_safely()` - Safe reload with validation pipeline

**Runtime Management:**
- `update_blocked_ips_map()` - Sync database to map file
- `add_ip_to_runtime_map()` - Immediate IP blocking without reload
- `remove_ip_from_runtime_map()` - Immediate IP unblocking

**New API Endpoints:**
- `POST /api/config/reload` - Safe config reload with rollback
- `POST /api/blocked-ips/sync` - Sync database to runtime map

**Template Changes:**
- Replaced ACL method: `acl is_blocked src IP1 IP2...` (64 limit)
- With map method: `http-request deny if { src -f blocked_ips.map }` (unlimited)

**Backwards Compatibility:**
- Existing API endpoints unchanged (GET/POST/DELETE /api/blocked-ips)
- Database schema unchanged
- Automatic migration on first config generation

**Performance Improvements:**
- O(1) hash table lookups vs O(n) linear ACL search
- No config reloads needed for IP changes
- Supports millions of IPs if needed
- Memory efficient external file storage

**Documentation:**
- Complete migration guide in MIGRATION_GUIDE.md
- Updated API documentation with new endpoints
- Runtime management examples
- Troubleshooting guide

**Production Safety:**
- All changes include automatic backup/restore
- Config validation prevents bad deployments
- Runtime updates avoid service interruption
- Comprehensive error logging and monitoring

This fixes the critical production outage caused by ACL word limits
while providing a more scalable and performant IP blocking solution.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-08-22 08:31:17 -07:00
ca37a68255 Add IP blocking functionality to HAProxy Manager
All checks were successful
HAProxy Manager Build and Push / Build-and-Push (push) Successful in 1m1s
- Add blocked_ips database table to store blocked IP addresses
- Implement API endpoints for IP blocking management:
  - GET /api/blocked-ips: List all blocked IPs
  - POST /api/blocked-ips: Block an IP address
  - DELETE /api/blocked-ips: Unblock an IP address
- Update HAProxy configuration generation to include blocked IP ACLs
- Create blocked IP page template for denied access
- Add comprehensive API documentation for WHP integration
- Include test script for IP blocking functionality
- Update .gitignore with Python patterns
- Add CLAUDE.md for codebase documentation

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-08-21 18:32:47 -07:00
a7ce40f600 Fix server configuration templates - add proper newlines between server entries
All checks were successful
HAProxy Manager Build and Push / Build-and-Push (push) Successful in 40s
2025-07-13 01:21:19 -07:00
fac6cef0db Fix HAProxy 2.6 compatibility for default backend
All checks were successful
HAProxy Manager Build and Push / Build-and-Push (push) Successful in 37s
- Replace http-response set-body (HAProxy 2.8+) with local server approach
- Add separate Flask server on port 8080 to serve default page
- Update default backend template to use local server instead of inline HTML
- Maintain all customization features via environment variables
- Fix JavaScript error handling for domains API response
2025-07-11 19:27:42 -07:00
27f3f8959b Add default backend page for unmatched domains
All checks were successful
HAProxy Manager Build and Push / Build-and-Push (push) Successful in 37s
- Add default backend template (hap_default_backend.tpl)
- Add customizable default page HTML template (default_page.html)
- Modify generate_config() to include default backend for unmatched domains
- Add environment variables for customizing default page content:
  - HAPROXY_DEFAULT_PAGE_TITLE
  - HAPROXY_DEFAULT_MAIN_MESSAGE
  - HAPROXY_DEFAULT_SECONDARY_MESSAGE
- Update README with documentation and examples
- Ensure backward compatibility with existing configurations
- Remove email contact link as requested
2025-07-11 19:10:05 -07:00
64c707317f Adding reload function and more tweaks for backends
All checks were successful
HAProxy Manager Build and Push / Build-and-Push (push) Successful in 48s
2025-03-09 10:59:03 -07:00
7e53ba00d8 update again for GET Method
All checks were successful
HAProxy Manager Build and Push / Build-and-Push (push) Successful in 38s
2025-03-07 19:29:20 -08:00
2c66b1bf40 fix method to GET instead of POST
All checks were successful
HAProxy Manager Build and Push / Build-and-Push (push) Successful in 36s
2025-03-07 19:13:41 -08:00
edaefd9cd1 remove the extra lines at the end of the index
All checks were successful
HAProxy Manager Build and Push / Build-and-Push (push) Successful in 35s
2025-03-07 19:09:51 -08:00
d3dd69cc02 Adding config regenerate
All checks were successful
HAProxy Manager Build and Push / Build-and-Push (push) Successful in 37s
2025-03-07 19:06:38 -08:00
c27f7fb5e8 Adding httpchk options
All checks were successful
HAProxy Manager Build and Push / Build-and-Push (push) Successful in 37s
2025-03-07 17:19:22 -08:00
7b1e8a9536 Fix issue where backend was not getting created
All checks were successful
HAProxy Manager Build and Push / Build-and-Push (push) Successful in 1m39s
2025-03-06 21:03:08 -08:00
6f395fa621 fix issue with existing domains and new domains conflicting
All checks were successful
HAProxy Manager Build and Push / Build-and-Push (push) Successful in 38s
2025-03-06 17:45:02 -08:00
94f9223bc7 troubleshoot errors with web interface
All checks were successful
HAProxy Manager Build and Push / Build-and-Push (push) Successful in 39s
2025-03-06 17:14:42 -08:00
9621786175 Adding web interface
All checks were successful
HAProxy Manager Build and Push / Build-and-Push (push) Successful in 1m18s
2025-03-06 16:51:29 -08:00
6b28c118de Adding template overrides
All checks were successful
HAProxy Manager Build and Push / Build-and-Push (push) Successful in 38s
2025-02-21 08:01:16 -08:00
ff529be07f Fix Templates from causing errors with haproxy when added, Fix add notice when haproxy fails check
All checks were successful
HAProxy Manager Build and Push / Build-and-Push (push) Successful in 38s
2025-02-21 06:28:51 -08:00
0357a73770 cleanup template
All checks were successful
HAProxy Manager Build and Push / Build-and-Push (push) Successful in 37s
2025-02-20 17:13:25 -08:00
673265690a fix file name error
All checks were successful
HAProxy Manager Build and Push / Build-and-Push (push) Successful in 38s
2025-02-20 16:32:07 -08:00
32498f1a04 fix order of acls and backends, put db in volume
All checks were successful
HAProxy Manager Build and Push / Build-and-Push (push) Successful in 38s
2025-02-20 16:26:27 -08:00
305fffba42 haproxy manager 2025-02-20 13:41:38 -08:00
9c52edd53a Not fully working, but saving progress 2025-02-19 07:53:26 -08:00