Add more error pages and track connections to rate limit

2024-11-08 09:00:54 +00:00 · 2024-11-08 09:00:54 +00:00 · b2a1ab6fd9
parent 6be6cf0eef
commit b2a1ab6fd9
2 changed files with 16 additions and 2 deletions
--- a/config/haproxy/APKBUILD
+++ b/config/haproxy/APKBUILD
@ -3,7 +3,7 @@

 . ../APKBUILD-config.template

-pkgrel=0
+pkgrel=3
 depends="redxen-secret-letsencrypt-full redxen-data-haproxy-errorpages"
 checkdepends="haproxy"
 source="main.cfg"
@ -14,5 +14,5 @@ check() {
 }

 sha512sums="
-4a5969cbd6297d5c7cdb466efaf360679a7d993f59b3ec0fa7ebdaf9a7cd6c7b9b30c60d0e4b67f865b33e1f16ae59cd30819098b057fddbe0d0d245f1a25826  main.cfg
+5bef0e00aa130980a16d3050c4b1d0de06b7e5f8651eecb03a8c67beeb53fff8cb3d71d057fa8a74c62b966f978db7e744f205b0e543da847e30ea3da809c239  main.cfg
 "
--- a/config/haproxy/main.cfg
+++ b/config/haproxy/main.cfg
@ -30,10 +30,20 @@ defaults

 	default-server resolvers local init-addr libc,none resolve-opts prevent-dup-ip check

+	errorfile 200 /etc/redxen/haproxy/errorpages/200.http
 	errorfile 400 /etc/redxen/haproxy/errorpages/400.http
+	errorfile 401 /etc/redxen/haproxy/errorpages/401.http
 	errorfile 403 /etc/redxen/haproxy/errorpages/403.http
+	errorfile 404 /etc/redxen/haproxy/errorpages/404.http
+	errorfile 405 /etc/redxen/haproxy/errorpages/405.http
+	errorfile 407 /etc/redxen/haproxy/errorpages/407.http
 	errorfile 408 /etc/redxen/haproxy/errorpages/408.http
+	errorfile 410 /etc/redxen/haproxy/errorpages/410.http
+	errorfile 413 /etc/redxen/haproxy/errorpages/413.http
+	errorfile 425 /etc/redxen/haproxy/errorpages/425.http
+	errorfile 429 /etc/redxen/haproxy/errorpages/429.http
 	errorfile 500 /etc/redxen/haproxy/errorpages/500.http
+	errorfile 501 /etc/redxen/haproxy/errorpages/501.http
 	errorfile 502 /etc/redxen/haproxy/errorpages/502.http
 	errorfile 503 /etc/redxen/haproxy/errorpages/503.http
 	errorfile 504 /etc/redxen/haproxy/errorpages/504.http
@ -68,6 +78,10 @@ frontend http
 	bind ipv4@:443,ipv6@:443 ssl crt /etc/redxen/letsencrypt/full.crt alpn h2,http/1.1
 	bind ipv4@:80,ipv6@:80

+	stick-table type ipv6 size 100k expire 1h store http_req_rate(1m)
+	http-request track-sc0 src
+	http-request deny deny_status 429 if { sc_http_req_rate(0) gt 120 }
+
 	http-response set-header X-Forwarded-Proto https
 	http-response set-header X-XSS-Protection 1;\ mode=block
 	http-response set-header X-Content-Type-Options nosniff