All checks were successful
HAProxy Manager Build and Push / Build-and-Push (push) Successful in 51s
Implement progressive tarpit delays and threat detection to slow down attackers scanning for exploits.

Features include:
- Stick table to track attacks with 2-hour expiry
- Escalating tarpit delays based on threat level and repeat offenses
- Threat level detection (low/medium/high/critical) based on scan attempts
- Rate-based attack detection for burst/sustained/persistent attacks
- Automatic scan attempt tracking via HTTP error responses (400/401/403/404)
- Detection of suspicious paths (admin panels, config files, etc.)
- Trusted network bypass for local/monitoring systems
- Progressive escalation levels that increase tarpit duration
- Critical threat blocking with 429 status

The system uses HAProxy's built-in tarpit mechanism to delay responses up to 60 seconds for persistent attackers, effectively slowing down vulnerability scanners while maintaining service for legitimate users.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
50 lines
1.7 KiB
Smarty
#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
    # to have these messages end up in /var/log/haproxy.log you will
    # need to:
    #
    # 1) configure syslog to accept network log events.  This is done
    #    by adding the '-r' option to the SYSLOGD_OPTIONS in
    #    /etc/sysconfig/syslog
    #
    # 2) configure local2 events to go to the /var/log/haproxy.log
    #    file. A line like the following can be added to
    #    /etc/sysconfig/syslog
    #
    #    local2.*                       /var/log/haproxy.log
    #
    log         127.0.0.1 local2

    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn     4000
    user        haproxy
    group       haproxy
    daemon

    tune.ssl.default-dh-param 2048
#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
    mode                    http
    log                     global
    option                  httplog
    option                  dontlognull
    option http-server-close
    option forwardfor       #except 127.0.0.0/8
    option                  redispatch
    retries                 3
    timeout http-request    300s
    timeout queue           2m
    timeout connect         120s
    timeout client          10m
    timeout server          10m
    timeout http-keep-alive 120s
    timeout check           10s
    timeout tarpit          60s  # Maximum tarpit time for exploit scanners
    maxconn                 3000

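The file shown above stops at the `defaults` section, so the frontend that actually applies the stick table, threat levels and tarpit rules from the commit message is not on this page. The block below is an added example of how those pieces fit together in HAProxy; it is not the repository's own frontend. The frontend name, the trusted network ranges, the list of probed paths and the numeric thresholds are all constructed for illustration. It relies on `timeout tarpit 60s` from the `defaults` above: HAProxy's `http-request tarpit` holds the connection for that proxy-level timeout and then answers with the given status, so the escalation here is in which clients are tarpitted or denied rather than in a per-client delay length.

```haproxy
# Added example (not the project's config). Assumes HAProxy 2.x and the
# 'defaults' section above, including 'timeout tarpit 60s'.
frontend http-in
    bind *:80

    # One entry per client IP, dropped 2 hours after its last update.
    # http_err_rate(10m): 4xx responses per client over a 10-minute window,
    #   which covers the 400/401/403/404 scan signature from the commit.
    # gpc0: general-purpose counter, used here as the escalation level.
    stick-table type ip size 100k expire 2h store http_err_rate(10m),gpc0

    # Trusted networks (constructed ranges) skip tracking and tarpitting.
    acl trusted_net src 127.0.0.0/8 10.0.0.0/8

    # Track untrusted clients in sticky counter 0.
    http-request track-sc0 src unless trusted_net

    # Paths that scanners probe; constructed list, extend to taste.
    acl suspicious_path path_beg -i /admin /wp-admin /phpmyadmin /.env /.git /config

    # Threat levels derived from the per-client 4xx rate.
    acl threat_medium   sc_http_err_rate(0) ge 10
    acl threat_high     sc_http_err_rate(0) ge 30
    acl threat_critical sc_http_err_rate(0) ge 60

    # Every hit on a suspicious path raises the client's escalation level.
    http-request sc-inc-gpc0(0) if suspicious_path !trusted_net
    acl repeat_offender sc_get_gpc0(0) ge 5

    # Critical threats are rejected immediately with 429.
    http-request deny deny_status 429 if threat_critical !trusted_net

    # High threats, and medium threats or suspicious-path requests from
    # repeat offenders, are held for 'timeout tarpit' before receiving 429.
    http-request tarpit deny_status 429 if threat_high !trusted_net
    http-request tarpit deny_status 429 if threat_medium repeat_offender !trusted_net
    http-request tarpit deny_status 429 if suspicious_path repeat_offender !trusted_net

    default_backend app

backend app
    # Placeholder upstream for the example.
    server app1 127.0.0.1:8080
```

Two operational points worth checking before adopting something like this: a tarpitted connection occupies a connection slot for the whole delay, so the thresholds and `maxconn` need to be sized together or a scanner can exhaust the frontend; and `show table http-in` on the stats socket lets you confirm that entries, error rates and gpc0 values are evolving as expected before the rules are tightened.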