Cavemanon/haproxy-protection
8
Fork 0
mirror of https://gitgud.io/fatchan/haproxy-protection.git synced 2025-05-09 02:05:37 +00:00
Code Issues Packages Projects Releases Wiki Activity
17 Commits 2 Branches 1 Tag
55ad0713bba6af888d36aab729290b47ec0de634
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
Eugene Prodan 55ad0713bb docs: add license file
2021-06-11 22:41:11 +03:00
docs
docs: added interaction diagram
2021-06-11 22:11:10 +03:00
haproxy
feat: added CLI to manage ddos protection system
2021-06-11 22:14:43 +03:00
src
lint: make ddos-cli shellcheck-compliant
2021-06-11 22:36:15 +03:00
docker-compose.yml
refactor: remove ratelimiting functionality,
2021-06-10 23:08:45 +03:00
LICENSE.md
docs: add license file
2021-06-11 22:41:11 +03:00
README.MD
docs: add to-do list
2021-06-11 22:25:19 +03:00

README.MD

HaProxy DDoS protection system PoC

The system provides functionality to protect certain (or all) resources on HaProxy from L7 DDoS attacks.

It works by requiring a user to have a specific cookie issued after successful captcha completion. If a user does not have the cookie, he gets redirected to a special captcha page.

It is by no means a cure for all ills, but should help you mitigate a moderate DDoS attack without disrupting the service.

How it works

alternative text

How to test

  • export hcaptcha sitekey and secret:
export HCAPTCHA_SITEKEY=xxxXXxxx
export HCAPTCHA_SECRET=xxxXXxxx

They can be obtained after creating a free account on https://www.hcaptcha.com/

  • run docker compose:
docker compose up

For demostration purposes DDoS-protection mode was enabled by default.

CLI

The system comes with CLI. It can be used to manage global and per-domain protection:

Usage: ./ddos-cli <command> [options]

Command line interface to manage per-domain and global DDoS protection.

optional arguments:
  -h, --help                         Show this help message and exit.

Commands:
  Global management:
  ./ddos-cli global status           Show status of global server ddos mode.
  ./ddos-cli global enable           Enable global ddos mode.
  ./ddos-cli global disable          Disable global ddos mode.

  Domain management:
  ./ddos-cli domain list             List all domains with ddos mode on.
  ./ddos-cli domain status <domain>  Get ddos mode status for a domain.
  ./ddos-cli domain add <domain>     Enable ddos mode for a domain.
  ./ddos-cli domain del <domain>     Disable ddos mode for a domain.

TO DO

  • Add CLI
  • Add logging to CLI
  • Make per-user cookie secrets
  • Organize lua dependencies
Description
HAProxy configuration and lua scripts implementing a challenge-response page where visitors solve a captcha and/or proof-of-work (cpu intensive) task. Intended to stop bots, spam, ddos, etc.
botchallenge-responseddoshaproxyhcaptchamitigationproof of workspam
Readme 938 KiB
Languages
Lua 94.3%
JavaScript 4.1%
Dockerfile 1.1%
HTML 0.4%
Shell 0.1%