haproxy-manager-base/templates/hap_backend.tpl
jknapp 5ce4f910c2
All checks were successful
HAProxy Manager Build and Push / Build-and-Push (push) Successful in 51s
Fix tarpit to only apply AFTER backend error responses
Corrected the tarpit logic flow to work as intended:

1. Backend tracks 400/401/403/404 error responses via http-response
2. Counter increments AFTER the backend responds with an error
3. Frontend checks counter on SUBSEQUENT requests
4. Tarpit/blocking only applies after error thresholds are reached:
   - 5+ errors: Potential scanner (no action yet)
   - 15+ errors: Likely scanner (tarpit if also burst traffic)
   - 30+ errors: Confirmed scanner (always tarpit)
   - 50+ errors: Aggressive scanner (block with 429)

This ensures:
- Normal traffic is never delayed
- First requests always go through normally
- Only clients that accumulate errors get progressively slowed/blocked
- The tarpit is a response to bad behavior, not a preemptive measure

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-08-23 18:48:21 -07:00


backend {{ name }}-backend
    option forwardfor
    http-request add-header X-CLIENT-IP %[src]
    {% if ssl_enabled %}http-request set-header X-Forwarded-Proto https if { ssl_fc }{% endif %}

    # Define scanning attempt patterns
    acl is_404_error status 404
    acl is_403_error status 403
    acl is_401_error status 401
    acl is_400_error status 400
    acl is_scan_attempt status 400 401 403 404

    # Additional suspicious patterns
    acl suspicious_path path_reg -i \.(php|asp|aspx|jsp|cgi)$
    acl suspicious_path path_reg -i /(wp-admin|phpmyadmin|admin|login|xmlrpc)
    acl suspicious_path path_reg -i \.(env|git|svn|backup|bak|old)

    # Track scan attempts in the frontend stick table
    # This increments the counter AFTER the backend responds with an error
    # The frontend will check this counter on SUBSEQUENT requests
    http-response sc-inc-gpc0(0) if is_scan_attempt

{% for server in servers %}
    server {{ server.server_name }} {{ server.server_address }}:{{ server.server_port }} {{ server.server_options }}
{% endfor %}
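The frontend half that the commit message describes (the stick table, the sc0 tracking that `sc-inc-gpc0(0)` relies on, and the 5/15/30/50 error thresholds) is not in this template. The following is an added example, not the repository's own code; the frontend name, bind port, table size and expiry, `timeout tarpit`, and the "burst traffic" request-rate threshold are assumptions.

```haproxy
# Added example: frontend counterpart to the backend template above.
# Assumed: frontend name, bind port, table sizing, tarpit timeout, burst rate.
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s
    timeout tarpit  20s        # how long a tarpitted request is held before the 500

frontend web-frontend
    bind *:80

    # Keyed by client IP. gpc0 is the error counter the backend increments
    # with "http-response sc-inc-gpc0(0)"; http_req_rate(10s) detects bursts.
    stick-table type ip size 100k expire 30m store gpc0,http_req_rate(10s)

    # Track every client in slot 0 so the backend's sc-inc-gpc0(0) has an
    # entry to increment. The counter only reflects PREVIOUS responses, so a
    # client's first requests are never delayed.
    http-request track-sc0 src

    # Thresholds from the commit message.
    acl potential_scanner  sc0_gpc0 ge 5
    acl likely_scanner     sc0_gpc0 ge 15
    acl confirmed_scanner  sc0_gpc0 ge 30
    acl aggressive_scanner sc0_gpc0 ge 50
    # Assumed definition of "burst traffic": more than 20 requests per 10s.
    acl burst_traffic      sc0_http_req_rate gt 20

    # Most severe rule first so it takes precedence.
    http-request deny deny_status 429 if aggressive_scanner
    http-request tarpit if confirmed_scanner
    http-request tarpit if likely_scanner burst_traffic
    # potential_scanner (5+ errors): no action yet, by design.

    default_backend {{ name }}-backend
```

Because `track-sc0` is set in the frontend, the same slot 0 entry is what the backend's `http-response sc-inc-gpc0(0)` increments, so the two halves share one counter per source IP.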