Cavemanon/haproxy-protection
8
Fork 0
mirror of https://gitgud.io/fatchan/haproxy-protection.git synced 2025-05-09 02:05:37 +00:00
Code Issues Packages Projects Releases Wiki Activity

change haproxy pathing from /usr/share/etc to /etc

Browse Source
This commit is contained in:
Thomas Lynch
2021-11-25 18:16:07 +11:00
parent 0a6b21f93b
commit 48382434c4
7 changed files with 16 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
README.MD
View File

@ -38,9 +38,9 @@ Before installing the tool, ensure that HaProxy is built with Lua support.
- Copy haproxy config and make sure that `lua-load` directive contains absolute path to [register.lua](src/scripts/register.lua) - Copy haproxy config and make sure that `lua-load` directive contains absolute path to [register.lua](src/scripts/register.lua)
- Copy [libs](src/libs) to a path where Lua looks for modules. - Copy [libs](src/libs) to a path where Lua looks for modules.
- Copy [ddos-cli](src/cli/ddos-cli) to any convenient path. - Copy [ddos-cli](src/cli/ddos-cli) to any convenient path.
- Create `/usr/local/etc/haproxy/domains_under_ddos.txt` with write permissions for HaProxy (feel free to change the map file path, update the HaProxy config correspondingly) - Create `/etc/haproxy/domains_under_ddos.txt` with write permissions for HaProxy (feel free to change the map file path, update the HaProxy config correspondingly)
#### CLI (not maintained) #### CLI
The system comes with CLI. It can be used to manage global and per-domain protection. The system comes with CLI. It can be used to manage global and per-domain protection.
Ensure that stat socket is configured in HaProxy for CLI support. Ensure that stat socket is configured in HaProxy for CLI support.
```bash ```bash

6
docker-compose.yml
View File

@ -7,9 +7,9 @@ services:
ports: ports:
- 80:80 - 80:80
volumes: volumes:
- ./haproxy/haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg - ./haproxy/haproxy.cfg:/etc/haproxy/haproxy.cfg
- ./src/scripts/:/usr/local/etc/haproxy/scripts/ - ./src/scripts/:/etc/haproxy/scripts/
- ./src/libs/:/usr/local/etc/haproxy/libs/ - ./src/libs/:/etc/haproxy/libs/
environment: environment:
- HCAPTCHA_SECRET= - HCAPTCHA_SECRET=
- HCAPTCHA_SITEKEY= - HCAPTCHA_SITEKEY=

6
haproxy/Dockerfile
View File

@ -68,8 +68,8 @@ RUN set -eux; \
eval "make -C /usr/src/haproxy -j '$nproc' all $makeOpts"; \ eval "make -C /usr/src/haproxy -j '$nproc' all $makeOpts"; \
eval "make -C /usr/src/haproxy install-bin $makeOpts"; \ eval "make -C /usr/src/haproxy install-bin $makeOpts"; \
\ \
mkdir -p /usr/local/etc/haproxy; \ mkdir -p /etc/haproxy; \
cp -R /usr/src/haproxy/examples/errorfiles /usr/local/etc/haproxy/errors; \ cp -R /usr/src/haproxy/examples/errorfiles /etc/haproxy/errors; \
rm -rf /usr/src/haproxy; \ rm -rf /usr/src/haproxy; \
\ \
apt-mark auto '.*' > /dev/null; \ apt-mark auto '.*' > /dev/null; \
@ -102,4 +102,4 @@ RUN apt-get update && apt-get install socat dnsutils -y
ENTRYPOINT ["/usr/local/bin/docker-entrypoint.sh"] ENTRYPOINT ["/usr/local/bin/docker-entrypoint.sh"]
# no USER for backwards compatibility (to try to avoid breaking existing users) # no USER for backwards compatibility (to try to avoid breaking existing users)
CMD ["haproxy", "-f", "/usr/local/etc/haproxy/haproxy.cfg"] CMD ["haproxy", "-f", "/etc/haproxy/haproxy.cfg"]

6
haproxy/haproxy.cfg
View File

@ -2,7 +2,7 @@ global
daemon daemon
maxconn 256 maxconn 256
log stdout format raw local0 debug log stdout format raw local0 debug
lua-load /usr/local/etc/haproxy/scripts/register.lua lua-load /etc/haproxy/scripts/register.lua
stats socket /var/run/haproxy.sock mode 666 level admin stats socket /var/run/haproxy.sock mode 666 level admin
defaults defaults
@ -16,12 +16,12 @@ frontend http-in
# acl for ddos_mode_enabled = global enabled OR domain enabled # acl for ddos_mode_enabled = global enabled OR domain enabled
acl ddos_mode_enabled hdr_cnt(xr3la1rfFc) eq 0 acl ddos_mode_enabled hdr_cnt(xr3la1rfFc) eq 0
acl ddos_mode_enabled hdr(host) -i -f /usr/local/etc/haproxy/ddos.map acl ddos_mode_enabled hdr(host) -i -f /etc/haproxy/ddos.map
#TODO: add ORs here for auto enable on traffic pattern #TODO: add ORs here for auto enable on traffic pattern
# check captcha cookie, separate map allows to disable captcha (still keeping POW) # check captcha cookie, separate map allows to disable captcha (still keeping POW)
acl captcha_passed var(txn.captcha_passed) -m bool acl captcha_passed var(txn.captcha_passed) -m bool
acl captcha_passed hdr(host),map_str(/usr/local/etc/haproxy/no_captcha.map) -m found acl captcha_passed hdr(host),map_str(/etc/haproxy/no_captcha.map) -m found
# check proof of work cookie # check proof of work cookie
acl pow_passed var(txn.pow_passed) -m bool acl pow_passed var(txn.pow_passed) -m bool

4
src/cli/ddos-cli
View File

@ -1,7 +1,7 @@
#!/usr/bin/env bash #!/usr/bin/env bash
HAPROXY_DDOS_DOMAINS_FILE="/usr/local/etc/haproxy/ddos.map" HAPROXY_DDOS_DOMAINS_FILE="/etc/haproxy/ddos.map"
HAPROXY_NOCAPTCHA_DOMAINS_FILE="/usr/local/etc/haproxy/no_captcha.map" HAPROXY_NOCAPTCHA_DOMAINS_FILE="/etc/haproxy/no_captcha.map"
HAPROXY_GLOBAL_ACL="hdr_cnt" HAPROXY_GLOBAL_ACL="hdr_cnt"
HAPROXY_SOCKET="/var/run/haproxy.sock" HAPROXY_SOCKET="/var/run/haproxy.sock"
SOCAT="$(which socat)" SOCAT="$(which socat)"

3
src/scripts/hcaptcha.lua
View File

@ -14,7 +14,7 @@ local pow_cookie_secret = os.getenv("POW_COOKIE_SECRET")
local captcha_provider_domain = "hcaptcha.com" local captcha_provider_domain = "hcaptcha.com"
local captcha_map = Map.new("/usr/local/etc/haproxy/no_captcha.map", Map._dom); local captcha_map = Map.new("/etc/haproxy/no_captcha.map", Map._dom);
-- main page template -- main page template
local body_template = [[ local body_template = [[
@ -152,6 +152,7 @@ function _M.check_pow_status(txn)
local iterations = parsed_request_cookies["z_ddos_pow"] local iterations = parsed_request_cookies["z_ddos_pow"]
local completed_work = sha.sha1(generated_work .. iterations) local completed_work = sha.sha1(generated_work .. iterations)
local challenge_offset = tonumber(generated_work:sub(1,1),16) * 2 local challenge_offset = tonumber(generated_work:sub(1,1),16) * 2
--core.Debug(completed_work:sub(challenge_offset+1, challenge_offset+4))
if completed_work:sub(challenge_offset+1, challenge_offset+4) == 'b00b' then -- i dont know lua properly :^) if completed_work:sub(challenge_offset+1, challenge_offset+4) == 'b00b' then -- i dont know lua properly :^)
return txn:set_var("txn.pow_passed", true) return txn:set_var("txn.pow_passed", true)
end end

2
src/scripts/register.lua
View File

@ -1,4 +1,4 @@
package.path = package.path .. "./?.lua;/usr/local/etc/haproxy/scripts/?.lua;/usr/local/etc/haproxy/libs/?.lua" package.path = package.path .. "./?.lua;/etc/haproxy/scripts/?.lua;/etc/haproxy/libs/?.lua"
local hcaptcha = require("hcaptcha") local hcaptcha = require("hcaptcha")