cloud-hosting-platform/haproxy-manager-base
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
67 Commits 2 Branches 0 Tags
31801a6c1dd471a634b3435f848f6c0144f09eaf
Commit Graph

9 Commits

Author SHA1 Message Date
jknapp
31801a6c1d Make scan detection more targeted to avoid false positives
All checks were successful
HAProxy Manager Build and Push / Build-and-Push (push) Successful in 52s
Details 
Major changes to prevent legitimate users from being blocked:

1. Increased thresholds significantly:
   - Initial trigger: 10 → 25 errors
   - Medium level: 20 → 40 errors
   - High level: 35 → 60 errors
   - Critical level: 50 → 100 errors

2. Only count actual scan attempts as errors:
   - Script files: .php, .asp, .jsp, .cgi, .pl, .py, .rb, .sh
   - Admin paths: /wp-admin, /phpmyadmin, /adminer
   - Config files: .env, .git, .htaccess, .ini, .yml
   - Backup files: .backup, .bak, .sql, .dump
   - Known vulnerable paths: /cgi-bin, /fckeditor

3. Explicitly exclude legitimate assets from counting:
   - Images: .jpg, .png, .gif, .svg, .webp
   - Fonts: .woff, .woff2, .ttf, .eot, .otf
   - Static: .css, .js, .map, .pdf
   - Common paths: /static/, /assets/, /fonts/, /images/

4. Still count all 401/403 errors (auth failures are suspicious)

This prevents missing fonts, images, CSS files from triggering blocks
while still catching actual vulnerability scanners.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
 2025-08-25 12:39:15 -07:00
jknapp
6a4379c4a1 Add safeguards to prevent false positive blocking
All checks were successful
HAProxy Manager Build and Push / Build-and-Push (push) Successful in 52s
Details 
- Handle common missing files (favicon.ico, robots.txt) without counting as errors
- Return 404 directly from frontend for these files (bypasses backend counting)
- Add clear-ip.sh script to remove specific IPs from stick-table
- Keep trusted networks whitelist for local/private IPs

This prevents legitimate users from being blocked due to browser
requests for common files that don't exist.

Usage: ./scripts/clear-ip.sh <IP_ADDRESS>

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
 2025-08-25 11:09:57 -07:00
jknapp
e54b4b4afe Implement progressive protection: tarpit → silent-drop → block
All checks were successful
HAProxy Manager Build and Push / Build-and-Push (push) Successful in 1m20s
Details 
- Set tarpit timeout to 10 seconds for initial offenders
- Use silent-drop for obvious scanners (35+ errors) and repeat offenders
- Silent-drop immediately closes connection without response
- Keep 429 block for critical threats (50+ errors)

Protection levels:
- 10-19 errors: 10s tarpit
- 20-34 errors: 10s tarpit (first), silent-drop (repeat)
- 35-49 errors: silent-drop
- 50+ errors: 429 block
- Burst attacks: 10s tarpit (first), silent-drop (repeat)

Updated monitoring script to show correct status based on new logic.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
 2025-08-25 06:42:09 -07:00
jknapp
b88da4c58f Implement HAProxy tarpit escalation and CLI monitoring
All checks were successful
HAProxy Manager Build and Push / Build-and-Push (push) Successful in 51s
Details 
- Add full tarpit escalation logic with gpc1 tracking (levels 0-3)
- Implement progressive delays: 2-5s → 8-15s → 20-45s → 60s
- Increase initial threshold from 5 to 10 errors (more tolerant)
- Reduce tracking duration from 2h to 1h (faster cleanup)
- Add show-tarpit-ips.sh script for monitoring tarpitted IPs via CLI
- Script shows IP, scan count, escalation level, and tarpit status

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
 2025-08-24 19:33:10 -07:00
jknapp
ca37a68255 Add IP blocking functionality to HAProxy Manager
All checks were successful
HAProxy Manager Build and Push / Build-and-Push (push) Successful in 1m1s
Details 
- Add blocked_ips database table to store blocked IP addresses
- Implement API endpoints for IP blocking management:
  - GET /api/blocked-ips: List all blocked IPs
  - POST /api/blocked-ips: Block an IP address
  - DELETE /api/blocked-ips: Unblock an IP address
- Update HAProxy configuration generation to include blocked IP ACLs
- Create blocked IP page template for denied access
- Add comprehensive API documentation for WHP integration
- Include test script for IP blocking functionality
- Update .gitignore with Python patterns
- Add CLAUDE.md for codebase documentation

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
 2025-08-21 18:32:47 -07:00
jknapp
ef488a253d Add /api/certificates/request endpoint for programmatic certificate requests, update docs and add test script
All checks were successful
HAProxy Manager Build and Push / Build-and-Push (push) Successful in 37s
Details
2025-07-11 17:14:01 -07:00
jknapp
7b0b4c0476 Major upgrade: API key authentication, certificate renewal/download endpoints, monitoring/alerting scripts, improved logging, and documentation updates. See UPGRADE_SUMMARY.md for details.
All checks were successful
HAProxy Manager Build and Push / Build-and-Push (push) Successful in 43s
Details
2025-07-11 06:24:56 -07:00
jknapp
305fffba42 haproxy manager 2025-02-20 13:41:38 -08:00
jknapp
9c52edd53a Not fully working, but saving progress 2025-02-19 07:53:26 -08:00