haproxy/examples/tarpit.cfg

# This configuration is an example of how to use connection tarpitting based
# on invalid requests.

global
        daemon
        log 127.0.0.1 local0

listen  frontend 0.0.0.0:80
        mode    http
        option  httplog
        log     global
        maxconn 10000

	# do not log requests with no data
        option  dontlognull

	# log as soon as the server starts to respond, an do not wait for the
	# end of the data transfer.
        option  logasap

	# disable keep-alive
        option  httpclose

	# load balancing mode set to round-robin
        balance roundrobin

        # the maxconn 150 below means 150 connections maximum will be used
        # on apache, the remaining ones will be queued.
	server  apache1 127.0.0.1:80 maxconn 150

        # use short timeouts for client and server
        clitimeout      20000
        srvtimeout      20000

	# the connect timeout should be large because it will also be used
	# to define the queue timeout and the tarpit timeout. It generally
	# is a good idea to set it to the same value as both above, and it
	# will improve performance when dealing with thousands of connections.
        contimeout      20000

	# retry only once when a valid connection fails because the server
	# is overloaded.
        retries 1

        # You might want to enable this option if the attacks start
        # targetting valid URLs.
        # option abortonclose

	# not needed anymore.
	#capture request header X-Forwarded-For len 15

	# and add a new 'X-Forwarded-For: IP'	
        option  forwardfor

	# how to access the status reporting web interface
        stats uri /stat
        stats auth stat:stat

	# Request header and URI processing begins here.

	# rename the 'X-Forwarded-For:' header as 'X-Forwarded-For2:'
        reqirep ^(X-Forwarded-For:)(.*) X-Forwarded-For2:\2

	#### Now check the URI for requests we want to tarpit ###
	# We do not analyze headers, we just focus on the request
	reqpass ^[^:\ ]*:

	# Tarpit those URIs for any method
        reqtarpit  ^[^:\ ]*\ /invalid_req1
        reqtarpit  ^[^:\ ]*\ /cgi-bin/.*\.pl\?
        reqitarpit ^[^:\ ]*\ /.*\.(dll|exe|asp)
[DOC] add docs and examples of tarpit configuration 2006-09-03 08:19:38 +00:00			`# This configuration is an example of how to use connection tarpitting based`
			`# on invalid requests.`

			`global`
			`daemon`
			`log 127.0.0.1 local0`

			`listen frontend 0.0.0.0:80`
			`mode http`
			`option httplog`
			`log global`
			`maxconn 10000`

			`# do not log requests with no data`
			`option dontlognull`

			`# log as soon as the server starts to respond, an do not wait for the`
			`# end of the data transfer.`
			`option logasap`

			`# disable keep-alive`
			`option httpclose`

			`# load balancing mode set to round-robin`
			`balance roundrobin`

			`# the maxconn 150 below means 150 connections maximum will be used`
			`# on apache, the remaining ones will be queued.`
			`server apache1 127.0.0.1:80 maxconn 150`

			`# use short timeouts for client and server`
			`clitimeout 20000`
			`srvtimeout 20000`

			`# the connect timeout should be large because it will also be used`
			`# to define the queue timeout and the tarpit timeout. It generally`
			`# is a good idea to set it to the same value as both above, and it`
			`# will improve performance when dealing with thousands of connections.`
			`contimeout 20000`

			`# retry only once when a valid connection fails because the server`
			`# is overloaded.`
			`retries 1`

			`# You might want to enable this option if the attacks start`
			`# targetting valid URLs.`
			`# option abortonclose`

			`# not needed anymore.`
			`#capture request header X-Forwarded-For len 15`

			`# and add a new 'X-Forwarded-For: IP'`
			`option forwardfor`

			`# how to access the status reporting web interface`
			`stats uri /stat`
			`stats auth stat:stat`

			`# Request header and URI processing begins here.`

			`# rename the 'X-Forwarded-For:' header as 'X-Forwarded-For2:'`
			`reqirep ^(X-Forwarded-For:)(.*) X-Forwarded-For2:\2`

			`#### Now check the URI for requests we want to tarpit ###`
			`# We do not analyze headers, we just focus on the request`
			`reqpass ^[^:\ ]*:`

			`# Tarpit those URIs for any method`
			`reqtarpit ^[^:\ ]*\ /invalid_req1`
			`reqtarpit ^[^:\ ]\ /cgi-bin/.\.pl\?`
			`reqitarpit ^[^:\ ]\ /.\.(dll\|exe\|asp)`