From b2a1ab6fd94e37f0b1b2d71c33fd87eea5594751 Mon Sep 17 00:00:00 2001 From: Alex Denes Date: Fri, 8 Nov 2024 09:00:54 +0000 Subject: [PATCH] Add more error pages and track connections to rate limit --- config/haproxy/APKBUILD | 4 ++-- config/haproxy/main.cfg | 14 ++++++++++++++ 2 files changed, 16 insertions(+), 2 deletions(-) diff --git a/config/haproxy/APKBUILD b/config/haproxy/APKBUILD index 8b91686..47d8a09 100644 --- a/config/haproxy/APKBUILD +++ b/config/haproxy/APKBUILD @@ -3,7 +3,7 @@ . ../APKBUILD-config.template -pkgrel=0 +pkgrel=3 depends="redxen-secret-letsencrypt-full redxen-data-haproxy-errorpages" checkdepends="haproxy" source="main.cfg" @@ -14,5 +14,5 @@ check() { } sha512sums=" -4a5969cbd6297d5c7cdb466efaf360679a7d993f59b3ec0fa7ebdaf9a7cd6c7b9b30c60d0e4b67f865b33e1f16ae59cd30819098b057fddbe0d0d245f1a25826 main.cfg +5bef0e00aa130980a16d3050c4b1d0de06b7e5f8651eecb03a8c67beeb53fff8cb3d71d057fa8a74c62b966f978db7e744f205b0e543da847e30ea3da809c239 main.cfg " diff --git a/config/haproxy/main.cfg b/config/haproxy/main.cfg index 2a9472a..2dfc20e 100644 --- a/config/haproxy/main.cfg +++ b/config/haproxy/main.cfg @@ -30,10 +30,20 @@ defaults default-server resolvers local init-addr libc,none resolve-opts prevent-dup-ip check + errorfile 200 /etc/redxen/haproxy/errorpages/200.http errorfile 400 /etc/redxen/haproxy/errorpages/400.http + errorfile 401 /etc/redxen/haproxy/errorpages/401.http errorfile 403 /etc/redxen/haproxy/errorpages/403.http + errorfile 404 /etc/redxen/haproxy/errorpages/404.http + errorfile 405 /etc/redxen/haproxy/errorpages/405.http + errorfile 407 /etc/redxen/haproxy/errorpages/407.http errorfile 408 /etc/redxen/haproxy/errorpages/408.http + errorfile 410 /etc/redxen/haproxy/errorpages/410.http + errorfile 413 /etc/redxen/haproxy/errorpages/413.http + errorfile 425 /etc/redxen/haproxy/errorpages/425.http + errorfile 429 /etc/redxen/haproxy/errorpages/429.http errorfile 500 /etc/redxen/haproxy/errorpages/500.http + errorfile 501 /etc/redxen/haproxy/errorpages/501.http errorfile 502 /etc/redxen/haproxy/errorpages/502.http errorfile 503 /etc/redxen/haproxy/errorpages/503.http errorfile 504 /etc/redxen/haproxy/errorpages/504.http @@ -68,6 +78,10 @@ frontend http bind ipv4@:443,ipv6@:443 ssl crt /etc/redxen/letsencrypt/full.crt alpn h2,http/1.1 bind ipv4@:80,ipv6@:80 + stick-table type ipv6 size 100k expire 1h store http_req_rate(1m) + http-request track-sc0 src + http-request deny deny_status 429 if { sc_http_req_rate(0) gt 120 } + http-response set-header X-Forwarded-Proto https http-response set-header X-XSS-Protection 1;\ mode=block http-response set-header X-Content-Type-Options nosniff