jknapp
7eeba0d718
All checks were successful
HAProxy Manager Build and Push / Build-and-Push (push) Successful in 59s
This commit simplifies the HAProxy configuration by removing automatic threat detection and blocking rules while preserving essential functionality. Changes: - Removed all automatic ACL-based security rules (SQL injection detection, scanner detection, rate limiting, brute force protection, etc.) - Removed complex stick-table tracking with 15 GPC counters - Removed graduated threat response system (tarpit, deny based on threat scores) - Removed HTTP/2 security tuning parameters specific to threat detection - Commented out IP header forwarding in hap_backend_basic.tpl Preserved functionality: - Real client IP detection from proxy headers (CF-Connecting-IP, X-Real-IP, X-Forwarded-For) with proper fallback to source IP - Manual IP blocking via map file (/etc/haproxy/blocked_ips.map) - Runtime map updates for immediate blocking without reload - Backend IP forwarding capabilities (available in hap_backend.tpl) The configuration now focuses on manual IP blocking only, which can be managed through the API endpoints (/api/blocked-ips). 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
54 lines
1.8 KiB
Smarty
54 lines
1.8 KiB
Smarty
#---------------------------------------------------------------------
|
|
# Global settings
|
|
#---------------------------------------------------------------------
|
|
global
|
|
# to have these messages end up in /var/log/haproxy.log you will
|
|
# need to:
|
|
#
|
|
# 1) configure syslog to accept network log events. This is done
|
|
# by adding the '-r' option to the SYSLOGD_OPTIONS in
|
|
# /etc/sysconfig/syslog
|
|
#
|
|
# 2) configure local2 events to go to the /var/log/haproxy.log
|
|
# file. A line like the following can be added to
|
|
# /etc/sysconfig/syslog
|
|
#
|
|
# local2.* /var/log/haproxy.log
|
|
#
|
|
log 127.0.0.1 local2
|
|
|
|
chroot /var/lib/haproxy
|
|
pidfile /var/run/haproxy.pid
|
|
maxconn 4000
|
|
user haproxy
|
|
group haproxy
|
|
daemon
|
|
|
|
# SSL and Performance
|
|
tune.ssl.default-dh-param 2048
|
|
|
|
# Stats persistence for zero-downtime reloads
|
|
stats-file /var/lib/haproxy/stats.dat
|
|
#---------------------------------------------------------------------
|
|
# common defaults that all the 'listen' and 'backend' sections will
|
|
# use if not designated in their block
|
|
#---------------------------------------------------------------------
|
|
defaults
|
|
mode http
|
|
log global
|
|
option httplog
|
|
option dontlognull
|
|
option http-server-close
|
|
option forwardfor #except 127.0.0.0/8
|
|
option redispatch
|
|
retries 3
|
|
timeout http-request 300s
|
|
timeout queue 2m
|
|
timeout connect 120s
|
|
timeout client 10m
|
|
timeout server 10m
|
|
timeout http-keep-alive 120s
|
|
timeout check 10s
|
|
timeout tarpit 10s # Tarpit delay for low-level scanners (before silent-drop)
|
|
maxconn 3000
|
|
|