Update haproxy config, scripts & docker-compose to use a simpler, more organised file layout

Make cookies sent from captcha/pow response be httponly
This commit is contained in:
Thomas Lynch
2023-02-11 21:39:38 +11:00
parent 9f4c8e8fbb
commit 9531049aa9
3 changed files with 17 additions and 23 deletions


@@ -40,14 +40,14 @@ frontend http-in
#option forwardfor
# drop requests with invalid host header
acl is_existing_vhost hdr(host),lower,map_str(/etc/haproxy/hosts.map) -m found
acl is_existing_vhost hdr(host),lower,map_str(/etc/haproxy/map/hosts.map) -m found
http-request silent-drop unless is_existing_vhost
# debug information at /.basedflare/cgi/trace
http-request return status 200 content-type "text/plain; charset=utf-8" lf-file /etc/haproxy/trace.txt if { path /.basedflare/cgi/trace }
http-request return status 200 content-type "text/plain; charset=utf-8" lf-file /etc/haproxy/template/trace.txt if { path /.basedflare/cgi/trace }
# acl for blocked IPs/subnets
acl blocked_ip_or_subnet src,map_ip(/etc/haproxy/blocked.map) -m found
acl blocked_ip_or_subnet src,map_ip(/etc/haproxy/map/blocked.map) -m found
http-request deny deny_status 403 if blocked_ip_or_subnet
# ratelimit (and for tor, kill circuit) on POST bot-check. legitimate users shouldn't hit this.
@@ -56,13 +56,13 @@ frontend http-in
http-request tarpit if { sc_http_req_rate(0) gt 1 }
# acl for lua check whitelisted IPs/subnets and some excluded paths
acl is_excluded src,map_ip(/etc/haproxy/whitelist.map) -m found
acl is_excluded src,map_ip(/etc/haproxy/map/whitelist.map) -m found
acl is_excluded path /favicon.ico #add more
# acl ORs for when ddos_mode_enabled
acl ddos_mode_enabled_override hdr_cnt(xr3la1rfFc) eq 0
acl ddos_mode_enabled hdr(host),lower,map(/etc/haproxy/ddos.map) -m bool
acl ddos_mode_enabled base,map(/etc/haproxy/ddos.map) -m bool
acl ddos_mode_enabled hdr(host),lower,map(/etc/haproxy/map/ddos.map) -m bool
acl ddos_mode_enabled base,map(/etc/haproxy/map/ddos.map) -m bool
# serve challenge page scripts directly from haproxy
http-request return file /etc/haproxy/js/argon2.js status 200 content-type "application/javascript; charset=utf-8" hdr "cache-control" "public, max-age=300" if { path /.basedflare/js/argon2.js }
@@ -70,8 +70,8 @@ frontend http-in
http-request return file /etc/haproxy/js/worker.js status 200 content-type "application/javascript; charset=utf-8" hdr "cache-control" "public, max-age=300" if { path /.basedflare/js/worker.js }
# acl for domains in maintenance mode to return maintenance page (after challenge page htp-request return rules, for the footerlogo)
acl maintenance_mode hdr(host),lower,map_str(/etc/haproxy/maintenance.map) -m found
http-request return lf-file /etc/haproxy/maintenance.html status 200 content-type "text/html; charset=utf-8" hdr "cache-control" "private, max-age=30" if maintenance_mode
acl maintenance_mode hdr(host),lower,map_str(/etc/haproxy/map/maintenance.map) -m found
http-request return lf-file /etc/haproxy/template/maintenance.html status 200 content-type "text/html; charset=utf-8" hdr "cache-control" "private, max-age=30" if maintenance_mode
# create acl for bools updated by lua
acl captcha_passed var(txn.captcha_passed) -m bool
@@ -111,7 +111,7 @@ backend servers
# placeholder servers, activated by LUA or the control panel
server-template websrv 1-100 0.0.0.0:80 check disabled
# use server based on hostname
use-server %[req.hdr(host),lower,map(/etc/haproxy/backends.map)] if TRUE
use-server %[req.hdr(host),lower,map(/etc/haproxy/map/backends.map)] if TRUE
backend bot_check_post_throttle
stick-table type ipv6 size 100k expire 60s store http_req_rate(60s)
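Review bot: In the first hunk the rewritten `http-request return status 200 ... lf-file /etc/haproxy/template/trace.txt if { path /.basedflare/cgi/trace }` rule still sits between the `silent-drop unless is_existing_vhost` rule and the `http-request deny deny_status 403 if blocked_ip_or_subnet` rule, so as shown a source listed in `map/blocked.map` still receives the debug trace page before the deny applies. Since HAProxy evaluates `http-request` rules in order and `blocked_ip_or_subnet` is only declared after the trace rule, the simplest fix is to move the trace `http-request return` line (with its `# debug information` comment) to just below the `deny ... if blocked_ip_or_subnet` line; that keeps the new template path and gates the endpoint without a new ACL. Some context lines appear to be elided from the rendered hunk, so confirm against the full file that nothing between those rules already covers this. The `frontend http-in` section starts and ends outside the visible hunks.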