131 lines
3.7 KiB
INI
131 lines
3.7 KiB
INI
# This sample configuration makes extensive use of the ACLs. It requires
|
|
# HAProxy version 1.3.12 minimum.
|
|
|
|
global
|
|
log loghost local0
|
|
log localhost local0 err
|
|
maxconn 250
|
|
uid 71
|
|
gid 71
|
|
chroot /var/empty
|
|
pidfile /var/run/haproxy.pid
|
|
daemon
|
|
quiet
|
|
|
|
frontend http-in
|
|
bind :80
|
|
mode http
|
|
log global
|
|
clitimeout 30000
|
|
option httplog
|
|
option dontlognull
|
|
#option logasap
|
|
option httpclose
|
|
maxconn 100
|
|
|
|
capture request header Host len 20
|
|
capture request header User-Agent len 16
|
|
capture request header Content-Length len 10
|
|
capture request header Referer len 20
|
|
capture response header Content-Length len 10
|
|
|
|
# block any unwanted source IP addresses or networks
|
|
acl forbidden_src src 0.0.0.0/7 224.0.0.0/3
|
|
acl forbidden_src src_port 0:1023
|
|
block if forbidden_src
|
|
|
|
# block requests beginning with http:// on wrong domains
|
|
acl dangerous_pfx url_beg -i http://
|
|
acl valid_pfx url_reg -i ^http://[^/]*1wt\.eu/
|
|
block if dangerous_pfx !valid_pfx
|
|
|
|
# block apache chunk exploit, ...
|
|
acl forbidden_hdrs hdr_sub(transfer-encoding) -i chunked
|
|
acl forbidden_hdrs hdr_beg(host) -i apache- localhost
|
|
|
|
# ... some HTTP content smugling and other various things
|
|
acl forbidden_hdrs hdr_cnt(host) gt 1
|
|
acl forbidden_hdrs hdr_cnt(content-length) gt 1
|
|
acl forbidden_hdrs hdr_val(content-length) lt 0
|
|
acl forbidden_hdrs hdr_cnt(proxy-authorization) gt 0
|
|
block if forbidden_hdrs
|
|
|
|
# block annoying worms that fill the logs...
|
|
acl forbidden_uris url_reg -i .*(\.|%2e)(\.|%2e)(%2f|%5c|/|\\\\)
|
|
acl forbidden_uris url_sub -i %00 <script xmlrpc.php
|
|
acl forbidden_uris path_end -i /root.exe /cmd.exe /default.ida /awstats.pl .asp .dll
|
|
|
|
# block other common attacks (awstats, manual discovery...)
|
|
acl forbidden_uris path_dir -i chat main.php read_dump.php viewtopic.php phpbb sumthin horde _vti_bin MSOffice
|
|
acl forbidden_uris url_reg -i (\.php\?temppath=|\.php\?setmodules=|[=:]http://)
|
|
block if forbidden_uris
|
|
|
|
# we rewrite the "options" request so that it only tries '*', and we
|
|
# only report GET, HEAD, POST and OPTIONS as valid methods
|
|
reqirep ^OPTIONS\ /.*HTTP/1\.[01]$ OPTIONS\ \\*\ HTTP/1.0
|
|
rspirep ^Allow:\ .* Allow:\ GET,\ HEAD,\ POST,\ OPTIONS
|
|
|
|
acl host_demo hdr_beg(host) -i demo.
|
|
acl host_www2 hdr_beg(host) -i www2.
|
|
|
|
use_backend demo if host_demo
|
|
use_backend www2 if host_www2
|
|
default_backend www
|
|
|
|
backend www
|
|
mode http
|
|
source 192.168.21.2:0
|
|
balance roundrobin
|
|
cookie SERVERID
|
|
server www1 192.168.12.2:80 check inter 30000 rise 2 fall 3 maxconn 10
|
|
server back 192.168.11.2:80 check inter 30000 rise 2 fall 5 backup cookie back maxconn 8
|
|
|
|
# long timeout to support connection queueing
|
|
contimeout 20000
|
|
srvtimeout 20000
|
|
fullconn 100
|
|
redispatch
|
|
retries 3
|
|
|
|
option httpchk HEAD /
|
|
option forwardfor
|
|
option checkcache
|
|
option httpclose
|
|
|
|
# allow other syntactically valid requests, and block any other method
|
|
acl valid_method method GET HEAD POST OPTIONS
|
|
block if !valid_method
|
|
block if HTTP_URL_STAR !METH_OPTIONS
|
|
block if !HTTP_URL_SLASH !HTTP_URL_STAR !HTTP_URL_ABS
|
|
|
|
# remove unnecessary precisions on the server version. Let's say
|
|
# it's an apache under Unix on the Formilux Distro.
|
|
rspidel ^Server:\
|
|
rspadd Server:\ Apache\ (Unix;\ Formilux/0.1.8)
|
|
|
|
defaults non_standard_bck
|
|
mode http
|
|
source 192.168.21.2:0
|
|
option forwardfor
|
|
option httpclose
|
|
balance roundrobin
|
|
fullconn 100
|
|
contimeout 20000
|
|
srvtimeout 20000
|
|
retries 2
|
|
|
|
backend www2
|
|
server www2 192.168.22.2:80 maxconn 10
|
|
|
|
# end of defaults
|
|
defaults none
|
|
|
|
backend demo
|
|
mode http
|
|
balance roundrobin
|
|
stats enable
|
|
stats uri /
|
|
stats scope http-in
|
|
stats scope www
|
|
stats scope demo
|