Commit Graph

  • 7732e2a2ff chore(log): downgrade "no backend name" domain-skip from WARNING to INFO main shadowdao 2026-07-02 05:50:22 -07:00
  • 89c74c10cf fix(supervisor): restart haproxy in-place if it dies while container lives shadowdao 2026-07-01 09:07:11 -07:00
  • 1b557b9931 feat(waf): wp-login cookie challenge (defeats distributed credential-stuffing) shadowdao 2026-06-24 20:30:12 -07:00
  • 6ced2f8797 feat(waf): edge brute-force throttle for wp-login.php shadowdao 2026-06-24 19:52:52 -07:00
  • 3917b6d1ae feat(templates): add hap_backend_longlived override template shadowdao 2026-06-24 13:40:11 -07:00
  • d9cc5311de feat(quic): enable HTTP/3 over QUIC on the edge + versioned images shadowdao 2026-06-24 13:40:11 -07:00
  • f1c1954378 fix(blocked-ips): correct map format + worker socket in manage-blocked-ips.sh shadowdao 2026-06-24 13:40:11 -07:00
  • e190ca9f8e Merge pull request 'Add hap_backend_websocket.tpl long-lived/websocket backend template' (#5) from add-websocket-backend-template into main jknapp 2026-06-18 18:57:30 +00:00
  • a204a44d42 Add hap_backend_websocket.tpl long-lived/websocket backend template shadowdao 2026-06-18 11:56:27 -07:00
  • 04c98b1c1b docker: set image.source label to GitHub mirror for ghcr.io linking shadowdao 2026-06-03 11:24:26 -07:00
  • 1ff51da6f0 sanitize public mirror: drop personal IP and infra/customer hostnames shadowdao 2026-06-04 06:32:15 -07:00
  • 158ad3bde8 ci: mirror image pushes to ghcr.io/shadowdao (#3) jknapp 2026-06-03 17:08:35 +00:00
  • 8b74cd5a4e ci: mirror image pushes to ghcr.io/shadowdao shadowdao 2026-06-03 10:08:19 -07:00
  • eb3658b68e docs: add haproxy-manager-deploy skill shadowdao 2026-05-15 06:02:56 -07:00
  • 83fee2ff78 waf-block page: escape literal % as %% (HAProxy lf-file expansion) shadowdao 2026-05-15 05:48:14 -07:00
  • fedb025fb8 waf-block: render a real HTML page on Coraza-denied requests shadowdao 2026-05-15 05:41:16 -07:00
  • 6448cffb91 haproxy: use req.hdr_ip for real-IP resolution (string-IP crashed Coraza SPOA) shadowdao 2026-05-14 08:57:05 -07:00
  • 47b9c87e1d coraza: pass var(txn.real_ip) instead of src to Coraza (real client IP in WAF logs) shadowdao 2026-05-14 08:52:01 -07:00
  • 8d04fe43fd coraza: pin go.mod to 1.23 (matches go mod tidy output; Dockerfile still uses 1.25 image) shadowdao 2026-05-14 08:08:38 -07:00
  • 99dfe98aaf coraza: pre-CRS Include for runtime per-host exemptions (load-order fix) shadowdao 2026-05-14 07:55:51 -07:00
  • e2290192f3 coraza: ship rules-catalog.json generated from bundled CRS at build time shadowdao 2026-05-14 06:57:42 -07:00
  • 2e19513851 coraza: reserve rule-ID range 990000000-990999999 for WHP-generated rules shadowdao 2026-05-14 06:53:37 -07:00
  • de221a1326 coraza: add second Include for runtime-managed local-overrides.conf shadowdao 2026-05-14 06:51:24 -07:00
  • e1d479b74e coraza: drop 913xxx scanner-UA from enforce list (FP on Mastodon + SiteLock) shadowdao 2026-05-13 19:13:22 -07:00
  • 131284fd0c refactor(suspension): serve via /suspended route on default-backend, drop bk_suspended shadowdao 2026-05-13 12:08:45 -07:00
  • edb02d6206 fix(suspended): tolerate startup DNS failure + use docker_dns resolvers shadowdao 2026-05-13 11:52:50 -07:00
  • c4a9d9d7e6 feat(suspension): opt-in routing for suspended hosts via bk_suspended backend shadowdao 2026-05-13 11:46:18 -07:00
  • 657584c88e coraza: promote 920440 + 930130 to enforce list (empirical detect-only data) shadowdao 2026-05-12 18:00:21 -07:00
  • 4262b24b7e fix(coraza): add deny rules that act on Coraza's verdict + spop-check on backend shadowdao 2026-05-12 17:16:03 -07:00
  • ddb4c20073 fix(coraza-spoe): match upstream's required spoe shape (groups, arg order, names) shadowdao 2026-05-12 17:12:09 -07:00
  • 69bed61697 fix(coraza-spoe): collapse args to one line + ensure trailing LF on spoe cfg shadowdao 2026-05-12 17:07:12 -07:00
  • fed3457f29 fix(coraza): ensure haproxy.cfg ends with LF when SPOE backend appended shadowdao 2026-05-12 17:03:56 -07:00
  • df56321167 fix(template): strip Jinja2 whitespace so no-env-var listener is byte-identical shadowdao 2026-05-12 16:59:40 -07:00
  • a89cdab886 PR 2/3: opt-in SPOE integration for Coraza WAF shadowdao 2026-05-12 16:49:29 -07:00
  • b359af15e5 ci: mirror golang:1.25 alongside python:3.12-slim, switch coraza-spoa FROM shadowdao 2026-05-12 16:40:42 -07:00
  • 9b329fa52b PR 1/3: add coraza-spoa sidecar image shadowdao 2026-05-12 16:28:44 -07:00
  • fd79ac2b70 ci: add weekly Gitea Action to mirror python:3.12-slim into in-house registry shadowdao 2026-05-12 16:18:32 -07:00
  • e11d8c4269 ci: mirror python:3.12-slim into in-house registry shadowdao 2026-05-12 16:08:44 -07:00
  • c22d2cd1f4 swap werkzeug dev server for gunicorn + accept all HTTP methods on default/blocked pages shadowdao 2026-05-12 15:24:28 -07:00
  • be3bc040df feat: clear stale certbot lock files before each ACME run + at startup shadowdao 2026-05-09 12:09:19 -07:00
  • 873048e837 feat(api/ssl/bundle): clean up superseded lineages after issuance shadowdao 2026-05-09 11:58:21 -07:00
  • c931e54d4d feat(api): add /api/ssl/bundle for per-site SAN cert issuance shadowdao 2026-05-09 11:32:15 -07:00
  • 3770dae20f Self-heal trusted IP whitelist files at startup shadowdao 2026-04-30 10:02:16 -07:00
  • b5bb141899 Fix resolvers block placement — must be outside global section shadowdao 2026-04-02 05:18:48 -07:00
  • 5ebc3fb8e8 Add DNS resolver for automatic container IP re-resolution shadowdao 2026-04-01 22:27:07 -07:00
  • df758a3fde Don't abort cert renewal when a single domain fails shadowdao 2026-04-01 15:17:15 -07:00
  • fbb94e6dc3 Update CLAUDE.md with HAProxy hardening and AI log monitor docs shadowdao 2026-04-01 08:16:44 -07:00
  • 58bb5b4f18 Fix: remove comments from trusted IP files breaking HAProxy startup shadowdao 2026-03-31 14:19:29 -07:00
  • 68a6f1bc27 Raise rate limits further for media-heavy sites shadowdao 2026-03-31 14:12:24 -07:00
  • 5bdc95109e Raise rate limit thresholds to avoid false positives on normal traffic shadowdao 2026-03-31 14:10:53 -07:00
  • 978f173814 Add trusted IP whitelist for rate limit bypass shadowdao 2026-03-31 13:39:41 -07:00
  • 2ba8f87c2c Raise connection rate limit from 60 to 150 per 10s shadowdao 2026-03-31 12:25:53 -07:00
  • a3b19ce352 Add rate limiting, connection limits, and timeout hardening shadowdao 2026-03-31 10:00:53 -07:00
  • 94af4e47c1 Add Host header capture to frontend for connection debugging shadowdao 2026-02-26 15:31:14 -08:00
  • 124a5373d2 Fix wildcard SSL cert: find certbot -NNNN dirs and use _wildcard_ filename shadowdao 2026-02-20 06:38:28 -08:00
  • 657cd28344 Fix certbot hook script paths and add logging shadowdao 2026-02-20 06:18:14 -08:00
  • 91c92dd07e Add wildcard domain support with DNS-01 ACME challenge flow shadowdao 2026-02-19 13:04:32 -08:00
  • 6cd64295d2 Add separate SSE backend for secure Server-Sent Events support shadowdao 2025-12-26 13:48:24 -08:00
  • eadd6b798f Adding support for SSE Streaming shadowdao 2025-12-26 13:07:29 -08:00
  • 6902daaea1 Add automatic SSE detection and support to backend template shadowdao 2025-12-26 13:02:04 -08:00
  • 1fcb25bb88 Update SQL logic to update instead of delete and re-add shadowdao 2025-12-18 12:23:06 -08:00
  • bff18d358b Remove set -e and database dependency from certificate scripts shadowdao 2025-11-21 08:50:24 -08:00
  • 1d22d789b8 Simplify certificate renewal scripts and add certbot cleanup shadowdao 2025-11-20 09:56:56 -08:00
  • adc20d6d0b Improve certificate renewal script with atomic file updates shadowdao 2025-11-19 19:27:40 -08:00
  • 71f4b9ef05 Add CIDR notation support for IP blocking shadowdao 2025-11-17 12:07:32 -08:00
  • 8d732318b4 Fix certificate renewal to properly update HAProxy combined certificate files shadowdao 2025-11-11 20:10:58 -08:00
  • 7eeba0d718 Remove ACL-based security protections to eliminate false positives shadowdao 2025-11-03 15:35:25 -08:00
  • 76b2e85ca8 Fix certificate renewal cron job and add host-side scheduling shadowdao 2025-10-28 17:36:48 -07:00
  • 288f4eb8a9 adding net-tools to allow connection number tracking shadowdao 2025-10-09 18:42:44 -07:00
  • 8636b69ee1 Fix AWK syntax errors in monitoring scripts shadowdao 2025-09-22 19:42:54 -07:00
  • 4c4e99883b Fix table reference and log-format response header issues shadowdao 2025-09-22 18:49:50 -07:00
  • b293588eef Fix log-format multiline syntax causing parsing errors shadowdao 2025-09-22 18:45:43 -07:00
  • b55a2fa691 Fix ACL compound reference error for xmlrpc abuse detection shadowdao 2025-09-22 18:39:37 -07:00
  • 2889fda014 Fix HAProxy 3.0.11 variable comparison syntax in conditions shadowdao 2025-09-22 18:34:45 -07:00
  • 78ebfef497 Fix HAProxy 3.0.11 syntax errors in security templates shadowdao 2025-09-22 18:17:36 -07:00
  • cfabd39727 Implement HAProxy 3.0.11 enterprise-grade security enhancements shadowdao 2025-09-22 17:51:44 -07:00
  • 0ee9e6cba8 Remove all ACL-to-ACL references for HAProxy 3.0.11 compatibility shadowdao 2025-09-22 17:44:44 -07:00
  • ee8223c25f Complete HAProxy 3.0.11 syntax fixes for ACL and sc-inc errors shadowdao 2025-09-22 17:37:16 -07:00
  • 65248680a5 Fix HAProxy 3.0.11 compatibility issues shadowdao 2025-09-22 17:29:32 -07:00
  • 0a75d1b44e Implement advanced threat scoring and multi-table security system shadowdao 2025-09-22 17:13:26 -07:00
  • e2f350ce95 Add comprehensive anti-scan and brute force protection shadowdao 2025-09-22 16:50:35 -07:00
  • 002e79b565 Fix cron entry syntax in Dockerfile for HAProxy reload shadowdao 2025-09-22 14:49:45 -07:00
  • 402c48b4a0 Remove 40X rate limiting from HAProxy to prevent false positives shadowdao 2025-08-30 08:54:55 -07:00
  • 8c7031fd6d Fix HAProxy ACL syntax errors in backend templates shadowdao 2025-08-25 12:45:13 -07:00
  • 31801a6c1d Make scan detection more targeted to avoid false positives shadowdao 2025-08-25 12:39:15 -07:00
  • 6a4379c4a1 Add safeguards to prevent false positive blocking shadowdao 2025-08-25 11:09:57 -07:00
  • e54b4b4afe Implement progressive protection: tarpit → silent-drop → block shadowdao 2025-08-25 06:42:09 -07:00
  • 0a4995266c Simplify tarpit implementation for HAProxy 3.0 compatibility shadowdao 2025-08-25 06:33:21 -07:00
  • 2cd1db7461 Fix HAProxy 3.0 tarpit timeout syntax error shadowdao 2025-08-25 06:17:08 -07:00
  • b88da4c58f Implement HAProxy tarpit escalation and CLI monitoring shadowdao 2025-08-24 19:33:10 -07:00
  • 948fdecf52 Update all backend templates with real IP forwarding and scan detection shadowdao 2025-08-24 06:59:26 -07:00
  • 2b31fb9f4f Add real client IP detection for proxy/CDN environments shadowdao 2025-08-24 06:51:00 -07:00
  • 5ce4f910c2 Fix tarpit to only apply AFTER backend error responses shadowdao 2025-08-23 18:48:21 -07:00
  • de3a68b59c Fix tarpit applying to all connections - use proper threat ranges shadowdao 2025-08-23 18:44:19 -07:00
  • f3569402d3 Fix HAProxy 3.0 stick-table and ACL syntax errors shadowdao 2025-08-23 18:36:02 -07:00
  • 99435ee3e0 Fix HAProxy 3.0 compatibility issues in tarpit configuration shadowdao 2025-08-23 18:30:34 -07:00
  • 1eed03a3b6 Add HAProxy tarpit escalation for exploit scanning protection shadowdao 2025-08-23 18:09:28 -07:00
  • 2406d9f995 Add 403 status to blocked IP page and reload HAProxy on IP block/unblock shadowdao 2025-08-22 10:06:04 -07:00
  • 15c7f40b2e Fix bug with haproxy config for blocked address shadowdao 2025-08-22 09:48:24 -07:00
  • 58fa6d8aba Update blocked IP handling to use custom blocked page with 403 status shadowdao 2025-08-22 08:36:57 -07:00