# This configuration is an example of how to use connection tarpitting based
# on invalid requests.

global
    daemon
    log 127.0.0.1 local0

listen frontend 0.0.0.0:80
    mode http
    option httplog
    log global
    maxconn 10000

    # do not log requests with no data
    option dontlognull

    # log as soon as the server starts to respond, and do not wait for the
    # end of the data transfer.
    option logasap

    # disable keep-alive
    option httpclose

    # load balancing mode set to round-robin
    balance roundrobin

    # the maxconn 150 below means 150 connections maximum will be used
    # on apache, the remaining ones will be queued.
    server apache1 127.0.0.1:80 maxconn 150

    # use short timeouts for client and server
    clitimeout 20000
    srvtimeout 20000

    # the connect timeout should be large because it will also be used
    # to define the queue timeout and the tarpit timeout. It generally
    # is a good idea to set it to the same value as both above, and it
    # will improve performance when dealing with thousands of connections.
    contimeout 20000

    # retry only once when a valid connection fails because the server
    # is overloaded.
    retries 1

    # You might want to enable this option if the attacks start
    # targeting valid URLs.
    # option abortonclose

    # not needed anymore.
    #capture request header X-Forwarded-For len 15

    # and add a new 'X-Forwarded-For: IP'
    option forwardfor

    # how to access the status reporting web interface
    stats uri /stat
    stats auth stat:stat

    # Request header and URI processing begins here.

    # rename the 'X-Forwarded-For:' header as 'X-Forwarded-For2:'
    reqirep ^(X-Forwarded-For:)(.*) X-Forwarded-For2:\2

    #### Now check the URI for requests we want to tarpit ###

    # We do not analyze headers, we just focus on the request line
    reqpass ^[^:\ ]*:

    # Tarpit those URIs for any method
    reqtarpit ^[^:\ ]*\ /invalid_req1
    reqtarpit ^[^:\ ]*\ /cgi-bin/.*\.pl\?
    reqitarpit ^[^:\ ]*\ /.*\.(dll|exe|asp)
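As an added offline check (not part of this configuration and not HAProxy code), the following Python reproduces the reqpass skip and the three tarpit rules above and classifies constructed request lines, so the patterns can be reviewed before they are deployed. It assumes these simple expressions behave the same under Python's re as under HAProxy's regex engine.

```python
import re

# The reqpass rule: any "Name:" line (a header) is skipped by later rules.
PASS = re.compile(r"^[^:\ ]*:")

# The tarpit rules, in the order they appear in the configuration.
# reqtarpit is case-sensitive; reqitarpit (the third rule) is not.
RULES = [
    ("reqtarpit", re.compile(r"^[^:\ ]*\ /invalid_req1")),
    ("reqtarpit", re.compile(r"^[^:\ ]*\ /cgi-bin/.*\.pl\?")),
    ("reqitarpit", re.compile(r"^[^:\ ]*\ /.*\.(dll|exe|asp)", re.IGNORECASE)),
]


def classify(line):
    """Return 'pass', 'tarpit' or 'forward' for one request or header line."""
    if PASS.search(line):
        return "pass"
    for _, rx in RULES:
        if rx.search(line):
            return "tarpit"
    return "forward"


def request_action(request_lines):
    """Apply the rules to every line of one request; a single matching line
    sends the whole connection into the tarpit."""
    for line in request_lines:
        if classify(line) == "tarpit":
            return "tarpit"
    return "forward"


# Constructed sample requests (request line followed by headers).
LEGIT = ["GET /index.html HTTP/1.0", "Host: www.example.com"]
INVALID = ["GET /invalid_req1 HTTP/1.0", "Host: www.example.com"]
CGI = ["GET /cgi-bin/test.pl?x=1 HTTP/1.0", "Host: www.example.com"]
EXE = ["POST /scripts/root.EXE HTTP/1.0", "Host: www.example.com"]

if __name__ == "__main__":
    for req in (LEGIT, INVALID, CGI, EXE):
        print(request_action(req), req[0])
```

Note that the third rule is not anchored at the end of the extension, so a URI ending in `.aspx` is tarpitted too; whether that is wanted should be decided before the rule goes live.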