cloud-hosting-platform/haproxy-manager-base
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
68 Commits 2 Branches 0 Tags
8c7031fd6db9b3df9a4c03c66df8ce1ccbeaac80
Commit Graph

5 Commits

Author SHA1 Message Date
jknapp
8c7031fd6d Fix HAProxy ACL syntax errors in backend templates
All checks were successful
HAProxy Manager Build and Push / Build-and-Push (push) Successful in 1m13s
Details 
- Remove invalid ACL combination syntax (can't use 'or' to combine ACLs)
- Use multiple http-response lines instead (each line is OR'd together)
- Each line checks specific scan pattern with 404 AND not legitimate assets
- Simplify logic to be HAProxy 3.0 compatible

This fixes the config parsing errors while maintaining the same
detection logic - only counting suspicious script/config 404s, not
missing assets.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
 2025-08-25 12:45:13 -07:00
jknapp
31801a6c1d Make scan detection more targeted to avoid false positives
All checks were successful
HAProxy Manager Build and Push / Build-and-Push (push) Successful in 52s
Details 
Major changes to prevent legitimate users from being blocked:

1. Increased thresholds significantly:
   - Initial trigger: 10 → 25 errors
   - Medium level: 20 → 40 errors
   - High level: 35 → 60 errors
   - Critical level: 50 → 100 errors

2. Only count actual scan attempts as errors:
   - Script files: .php, .asp, .jsp, .cgi, .pl, .py, .rb, .sh
   - Admin paths: /wp-admin, /phpmyadmin, /adminer
   - Config files: .env, .git, .htaccess, .ini, .yml
   - Backup files: .backup, .bak, .sql, .dump
   - Known vulnerable paths: /cgi-bin, /fckeditor

3. Explicitly exclude legitimate assets from counting:
   - Images: .jpg, .png, .gif, .svg, .webp
   - Fonts: .woff, .woff2, .ttf, .eot, .otf
   - Static: .css, .js, .map, .pdf
   - Common paths: /static/, /assets/, /fonts/, /images/

4. Still count all 401/403 errors (auth failures are suspicious)

This prevents missing fonts, images, CSS files from triggering blocks
while still catching actual vulnerability scanners.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
 2025-08-25 12:39:15 -07:00
jknapp
948fdecf52 Update all backend templates with real IP forwarding and scan detection
All checks were successful
HAProxy Manager Build and Push / Build-and-Push (push) Successful in 51s
Details 
Extends the tarpit protection and real IP handling to all backend templates,
ensuring consistent behavior across different backend configurations.

Changes to all backend templates:
- Pass real client IP via X-CLIENT-IP and X-Real-IP headers
- Use var(txn.real_ip) which contains the actual client IP (from proxy headers or direct)
- Add scan attempt detection (400/401/403/404 errors)
- Track suspicious paths (admin panels, config files, etc.)
- Increment error counters for tarpit decisions

Updated templates:
- hap_backend.tpl: Main backend template
- hap_backend_http_check.tpl: Backend with HTTP health checks
- hap_backend_basic.tpl: Minimal backend configuration

Benefits:
- Backend applications receive the real client IP, not proxy IPs
- All backend types now contribute to scan detection
- Consistent security across different backend configurations
- Works seamlessly with Cloudflare and other CDNs

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
 2025-08-24 06:59:26 -07:00
jknapp
a7ce40f600 Fix server configuration templates - add proper newlines between server entries
All checks were successful
HAProxy Manager Build and Push / Build-and-Push (push) Successful in 40s
Details
2025-07-13 01:21:19 -07:00
jknapp
6b28c118de Adding template overrides
All checks were successful
HAProxy Manager Build and Push / Build-and-Push (push) Successful in 38s
Details
2025-02-21 08:01:16 -08:00