mirror of
http://git.haproxy.org/git/haproxy.git/
synced 2025-01-19 04:00:46 +00:00
73 lines
2.1 KiB
INI
73 lines
2.1 KiB
INI
# This configuration is an example of how to use connection tarpitting based
|
|
# on invalid requests.
|
|
|
|
global
|
|
daemon
|
|
log 127.0.0.1 local0
|
|
|
|
listen frontend 0.0.0.0:80
|
|
mode http
|
|
option httplog
|
|
log global
|
|
maxconn 10000
|
|
|
|
# do not log requests with no data
|
|
option dontlognull
|
|
|
|
# log as soon as the server starts to respond, an do not wait for the
|
|
# end of the data transfer.
|
|
option logasap
|
|
|
|
# disable keep-alive
|
|
option httpclose
|
|
|
|
# load balancing mode set to round-robin
|
|
balance roundrobin
|
|
|
|
# the maxconn 150 below means 150 connections maximum will be used
|
|
# on apache, the remaining ones will be queued.
|
|
server apache1 127.0.0.1:80 maxconn 150
|
|
|
|
# use short timeouts for client and server
|
|
clitimeout 20000
|
|
srvtimeout 20000
|
|
|
|
# the connect timeout should be large because it will also be used
|
|
# to define the queue timeout and the tarpit timeout. It generally
|
|
# is a good idea to set it to the same value as both above, and it
|
|
# will improve performance when dealing with thousands of connections.
|
|
contimeout 20000
|
|
|
|
# retry only once when a valid connection fails because the server
|
|
# is overloaded.
|
|
retries 1
|
|
|
|
# You might want to enable this option if the attacks start
|
|
# targetting valid URLs.
|
|
# option abortonclose
|
|
|
|
# not needed anymore.
|
|
#capture request header X-Forwarded-For len 15
|
|
|
|
# and add a new 'X-Forwarded-For: IP'
|
|
option forwardfor
|
|
|
|
# how to access the status reporting web interface
|
|
stats uri /stat
|
|
stats auth stat:stat
|
|
|
|
# Request header and URI processing begins here.
|
|
|
|
# rename the 'X-Forwarded-For:' header as 'X-Forwarded-For2:'
|
|
reqirep ^(X-Forwarded-For:)(.*) X-Forwarded-For2:\2
|
|
|
|
#### Now check the URI for requests we want to tarpit ###
|
|
# We do not analyze headers, we just focus on the request
|
|
reqpass ^[^:\ ]*:
|
|
|
|
# Tarpit those URIs for any method
|
|
reqtarpit ^[^:\ ]*\ /invalid_req1
|
|
reqtarpit ^[^:\ ]*\ /cgi-bin/.*\.pl\?
|
|
reqitarpit ^[^:\ ]*\ /.*\.(dll|exe|asp)
|
|
|