EXAMPLES: remove completely outdated acl-content-sw.cfg
This config probably last worked on 1.3, maybe 1.4, but it uses too many obsolete statements and it silently errors because of the "quiet" directive, which adds to the confusion. Let's remove it.
This commit is contained in:
Willy Tarreau
parent
d5581d527c
commit
cc01730d26
|
|
@ -1,130 +0,0 @@
|
||||||
# This sample configuration makes extensive use of the ACLs. It requires
|
|
||||||
# HAProxy version 1.3.12 minimum.
|
|
||||||
|
|
||||||
global
|
|
||||||
log loghost local0
|
|
||||||
log localhost local0 err
|
|
||||||
maxconn 250
|
|
||||||
uid 71
|
|
||||||
gid 71
|
|
||||||
chroot /var/empty
|
|
||||||
pidfile /var/run/haproxy.pid
|
|
||||||
daemon
|
|
||||||
quiet
|
|
||||||
|
|
||||||
frontend http-in
|
|
||||||
bind :80
|
|
||||||
mode http
|
|
||||||
log global
|
|
||||||
clitimeout 30000
|
|
||||||
option httplog
|
|
||||||
option dontlognull
|
|
||||||
#option logasap
|
|
||||||
option httpclose
|
|
||||||
maxconn 100
|
|
||||||
|
|
||||||
capture request header Host len 20
|
|
||||||
capture request header User-Agent len 16
|
|
||||||
capture request header Content-Length len 10
|
|
||||||
capture request header Referer len 20
|
|
||||||
capture response header Content-Length len 10
|
|
||||||
|
|
||||||
# block any unwanted source IP addresses or networks
|
|
||||||
acl forbidden_src src 0.0.0.0/7 224.0.0.0/3
|
|
||||||
acl forbidden_src src_port 0:1023
|
|
||||||
block if forbidden_src
|
|
||||||
|
|
||||||
# block requests beginning with http:// on wrong domains
|
|
||||||
acl dangerous_pfx url_beg -i http://
|
|
||||||
acl valid_pfx url_reg -i ^http://[^/]*1wt\.eu/
|
|
||||||
block if dangerous_pfx !valid_pfx
|
|
||||||
|
|
||||||
# block apache chunk exploit, ...
|
|
||||||
acl forbidden_hdrs hdr_sub(transfer-encoding) -i chunked
|
|
||||||
acl forbidden_hdrs hdr_beg(host) -i apache- localhost
|
|
||||||
|
|
||||||
# ... some HTTP content smugling and other various things
|
|
||||||
acl forbidden_hdrs hdr_cnt(host) gt 1
|
|
||||||
acl forbidden_hdrs hdr_cnt(content-length) gt 1
|
|
||||||
acl forbidden_hdrs hdr_val(content-length) lt 0
|
|
||||||
acl forbidden_hdrs hdr_cnt(proxy-authorization) gt 0
|
|
||||||
block if forbidden_hdrs
|
|
||||||
|
|
||||||
# block annoying worms that fill the logs...
|
|
||||||
acl forbidden_uris url_reg -i .*(\.|%2e)(\.|%2e)(%2f|%5c|/|\\\\)
|
|
||||||
acl forbidden_uris url_sub -i %00 <script xmlrpc.php
|
|
||||||
acl forbidden_uris path_end -i /root.exe /cmd.exe /default.ida /awstats.pl .asp .dll
|
|
||||||
|
|
||||||
# block other common attacks (awstats, manual discovery...)
|
|
||||||
acl forbidden_uris path_dir -i chat main.php read_dump.php viewtopic.php phpbb sumthin horde _vti_bin MSOffice
|
|
||||||
acl forbidden_uris url_reg -i (\.php\?temppath=|\.php\?setmodules=|[=:]http://)
|
|
||||||
block if forbidden_uris
|
|
||||||
|
|
||||||
# we rewrite the "options" request so that it only tries '*', and we
|
|
||||||
# only report GET, HEAD, POST and OPTIONS as valid methods
|
|
||||||
reqirep ^OPTIONS\ /.*HTTP/1\.[01]$ OPTIONS\ \\*\ HTTP/1.0
|
|
||||||
rspirep ^Allow:\ .* Allow:\ GET,\ HEAD,\ POST,\ OPTIONS
|
|
||||||
|
|
||||||
acl host_demo hdr_beg(host) -i demo.
|
|
||||||
acl host_www2 hdr_beg(host) -i www2.
|
|
||||||
|
|
||||||
use_backend demo if host_demo
|
|
||||||
use_backend www2 if host_www2
|
|
||||||
default_backend www
|
|
||||||
|
|
||||||
backend www
|
|
||||||
mode http
|
|
||||||
source 192.168.21.2:0
|
|
||||||
balance roundrobin
|
|
||||||
cookie SERVERID
|
|
||||||
server www1 192.168.12.2:80 check inter 30000 rise 2 fall 3 maxconn 10
|
|
||||||
server back 192.168.11.2:80 check inter 30000 rise 2 fall 5 backup cookie back maxconn 8
|
|
||||||
|
|
||||||
# long timeout to support connection queueing
|
|
||||||
contimeout 20000
|
|
||||||
srvtimeout 20000
|
|
||||||
fullconn 100
|
|
||||||
redispatch
|
|
||||||
retries 3
|
|
||||||
|
|
||||||
option httpchk HEAD /
|
|
||||||
option forwardfor
|
|
||||||
option checkcache
|
|
||||||
option httpclose
|
|
||||||
|
|
||||||
# allow other syntactically valid requests, and block any other method
|
|
||||||
acl valid_method method GET HEAD POST OPTIONS
|
|
||||||
block if !valid_method
|
|
||||||
block if HTTP_URL_STAR !METH_OPTIONS
|
|
||||||
block if !HTTP_URL_SLASH !HTTP_URL_STAR !HTTP_URL_ABS
|
|
||||||
|
|
||||||
# remove unnecessary precisions on the server version. Let's say
|
|
||||||
# it's an apache under Unix on the Formilux Distro.
|
|
||||||
rspidel ^Server:\
|
|
||||||
rspadd Server:\ Apache\ (Unix;\ Formilux/0.1.8)
|
|
||||||
|
|
||||||
defaults non_standard_bck
|
|
||||||
mode http
|
|
||||||
source 192.168.21.2:0
|
|
||||||
option forwardfor
|
|
||||||
option httpclose
|
|
||||||
balance roundrobin
|
|
||||||
fullconn 100
|
|
||||||
contimeout 20000
|
|
||||||
srvtimeout 20000
|
|
||||||
retries 2
|
|
||||||
|
|
||||||
backend www2
|
|
||||||
server www2 192.168.22.2:80 maxconn 10
|
|
||||||
|
|
||||||
# end of defaults
|
|
||||||
defaults none
|
|
||||||
|
|
||||||
backend demo
|
|
||||||
mode http
|
|
||||||
balance roundrobin
|
|
||||||
stats enable
|
|
||||||
stats uri /
|
|
||||||
stats scope http-in
|
|
||||||
stats scope www
|
|
||||||
stats scope demo
|
|
||||||
Loading…
Reference in New Issue