# This configuration is an example of how to use connection tarpitting based
# on invalid requests.
global
daemon
log 127.0.0.1 local0
listen frontend 0.0.0.0:80
mode http
option httplog
log global
maxconn 10000
# do not log requests with no data
option dontlognull
# log as soon as the server starts to respond, an do not wait for the
# end of the data transfer.
option logasap
# disable keep-alive
option httpclose
# load balancing mode set to round-robin
balance roundrobin
# the maxconn 150 below means 150 connections maximum will be used
# on apache, the remaining ones will be queued.
server apache1 127.0.0.1:80 maxconn 150
# use short timeouts for client and server
clitimeout 20000
srvtimeout 20000
# the connect timeout should be large because it will also be used
# to define the queue timeout and the tarpit timeout. It generally
# is a good idea to set it to the same value as both above, and it
# will improve performance when dealing with thousands of connections.
contimeout 20000
# retry only once when a valid connection fails because the server
# is overloaded.
retries 1
# You might want to enable this option if the attacks start
# targetting valid URLs.
# option abortonclose
# not needed anymore.
#capture request header X-Forwarded-For len 15
# and add a new 'X-Forwarded-For: IP'
option forwardfor
# how to access the status reporting web interface
stats uri /stat
stats auth stat:stat
# Request header and URI processing begins here.
# rename the 'X-Forwarded-For:' header as 'X-Forwarded-For2:'
reqirep ^(X-Forwarded-For:)(.*) X-Forwarded-For2:\2
#### Now check the URI for requests we want to tarpit ###
# We do not analyze headers, we just focus on the request
reqpass ^[^:\ ]*:
# Tarpit those URIs for any method
reqtarpit ^[^:\ ]*\ /invalid_req1
reqtarpit ^[^:\ ]*\ /cgi-bin/.*\.pl\?
reqitarpit ^[^:\ ]*\ /.*\.(dll|exe|asp)