haproxy-protection/haproxy/haproxy.cfg

global
    daemon
    maxconn 256
    log stdout  format raw  local0  debug
    lua-load /usr/local/etc/haproxy/scripts/register.lua
    stats socket /var/run/haproxy.sock mode 666 level admin

defaults
    mode http
    timeout connect 5000ms
    timeout client 50000ms
    timeout server 50000ms

frontend http-in
    bind *:80

    acl ddos_mode_enabled hdr_cnt(xr3la1rfFc) eq 0
    acl domain_under_ddos hdr(host) -i -f /usr/local/etc/haproxy/domains_under_ddos.txt
    acl captcha_passed var(txn.captcha_passed) -m bool
    acl on_captcha_url path -m beg /captcha

    http-request use-service lua.hcaptcha-view  if on_captcha_url
    http-request lua.hcaptcha-redirect          if !on_captcha_url ddos_mode_enabled OR domain_under_ddos
    http-request redirect location /captcha?%[capture.req.uri] code 301 if !captcha_passed !on_captcha_url ddos_mode_enabled OR domain_under_ddos

    default_backend servers

backend servers
    server server1 nginx:80 maxconn 32