Cavemanon/haproxy-protection
8
Fork 0
mirror of https://gitgud.io/fatchan/haproxy-protection.git synced 2025-05-09 02:05:37 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
9557c06aa156c011488cbbb585b399b5797ccce3
haproxy-protection/haproxy/haproxy.cfg

64 lines
2.8 KiB
INI
Raw Blame History

global
daemon
maxconn 256
log stdout format raw local0 debug
lua-load /etc/haproxy/scripts/register.lua
stats socket /var/run/haproxy.sock mode 666 level admin
stats socket *:2000 level admin
defaults
mode http
timeout connect 5000ms
timeout client 50000ms
timeout server 50000ms
frontend http-in
option httplog
bind *:80
bind *:443
acl is_existing_vhost hdr(host),lower,map_str(/etc/haproxy/hosts.map) -m found
http-request silent-drop unless is_existing_vhost
# acl for blocked IPs/subnets
acl blocked_ip_or_subnet src,map_ip(/etc/haproxy/blocked.map) -m found
http-request deny deny_status 403 if blocked_ip_or_subnet
# acl ORs for when ddos_mode_enabled
acl ddos_mode_enabled_override hdr_cnt(xr3la1rfFc) eq 0 # note: global only enables POW not captcha atm until
acl ddos_mode_enabled hdr(host),lower,map(/etc/haproxy/ddos.map) -m bool
acl ddos_mode_enabled base,map(/etc/haproxy/ddos.map) -m bool
# create acl for bools updated by lua
acl captcha_passed var(txn.captcha_passed) -m bool
acl pow_passed var(txn.pow_passed) -m bool
acl validate_captcha var(txn.validate_captcha) -m bool
acl validate_pow var(txn.validate_pow) -m bool
# define excluded paths, and serve script files directly in haproxy
acl is_excluded path /favicon.ico
acl is_sha1_js path /js/sha1.js
acl is_worker_js path /js/worker.js
http-request return file /var/www/js/sha1.js status 200 content-type "application/javascript; charset=utf-8" hdr "cache-control" "public, max-age=300" if is_sha1_js
http-request return file /var/www/js/worker.js status 200 content-type "application/javascript; charset=utf-8" hdr "cache-control" "public, max-age=300" if is_worker_js
# check pow/captcha and show page if necessary
acl on_captcha_url path /bot-check
http-request use-service lua.hcaptcha-view if on_captcha_url !is_excluded
http-request lua.decide-checks-necessary if !is_excluded !on_captcha_url ddos_mode_enabled #OR !is_excluded !on_captcha_url ddos_mode_enabled_override
http-request lua.hcaptcha-check if !is_excluded !on_captcha_url validate_captcha #OR !is_excluded !on_captcha_url ddos_mode_enabled_override
http-request lua.pow-check if !is_excluded !on_captcha_url validate_pow OR !is_excluded !on_captcha_url ddos_mode_enabled_override
http-request redirect location /bot-check?%[capture.req.uri] code 302 if validate_captcha !captcha_passed !on_captcha_url ddos_mode_enabled !is_excluded OR validate_pow !pow_passed !on_captcha_url ddos_mode_enabled !is_excluded OR !pow_passed ddos_mode_enabled_override !on_captcha_url !is_excluded
default_backend servers
backend servers
mode http
server-template websrv 1-100 0.0.0.0:80 check disabled
use-server %[req.hdr(host),lower,map(/etc/haproxy/backends.map)] if TRUE
#server default 127.0.0.1:80
backend hcaptcha
mode http
server hcaptcha hcaptcha.com:443
Reference in New Issue View Git Blame Copy Permalink