shadowdao
6ced2f8797
HAProxy Manager Build and Push / Build-and-Push (push) Successful in 2m8s
The generic rate-limits are tuned high for media-heavy sites, so slow credential-stuffing on wp-login.php slips under them. Add a dedicated sc1 stick-table (backend wp_bruteforce, 60s window) that counts POSTs to wp-login.php per real client IP and tarpits once an IP exceeds 30/min. Only login POSTs are counted (browsing + the login form GET + a legit user's few attempts are unaffected); an offending IP can still browse, just not keep hammering login. Honors the existing whitelist (RFC1918 / trusted_ips.list / trusted_ips.map) and the already-resolved CF/proxy real IP. path_end also covers subdirectory WP installs. Stops attacks at the edge before they reach PHP/WordPress, on all edges regardless of Coraza mode. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
16 lines
609 B
Smarty
16 lines
609 B
Smarty
# HAProxy Stats & Monitoring
|
|
frontend stats
|
|
bind 127.0.0.1:8404
|
|
stats enable
|
|
stats uri /stats
|
|
stats refresh 30s
|
|
stats show-legends
|
|
stats show-node
|
|
|
|
# Dedicated stick-table for WordPress wp-login.php brute-force tracking.
|
|
# Tracked via track-sc1 from the `web` frontend (hap_listener.tpl); counts only
|
|
# login POSTs per real client IP over a 60s window. Separate from the generic
|
|
# sc0 connection/rate table so the login-attempt threshold is independent of
|
|
# the (much higher) flood thresholds.
|
|
backend wp_bruteforce
|
|
stick-table type ip size 100k expire 30m store http_req_rate(60s) |