Cavemanon/haproxy-protection
8
Fork 0
mirror of https://gitgud.io/fatchan/haproxy-protection.git synced 2025-05-09 02:05:37 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
c03a16214bed12af1d3c343a5a771c032d0a7ed8
haproxy-protection/haproxy/haproxy.tor.cfg
Thomas Lynch bec6bddf40 close #4
2021-11-26 00:27:47 +11:00

62 lines
2.3 KiB
INI
Raw Blame History

global
daemon
maxconn 256
log stdout format raw local0 notice
lua-load /etc/haproxy/scripts/register.lua
stats socket /var/run/haproxy.sock mode 666 level admin
defaults
log global
mode http
timeout connect 5000ms
timeout client 50000ms
timeout server 50000ms
frontend tor-proxy
#this can be a unix socket to tor, too but not between separate docker containers
bind *:80 accept-proxy
mode tcp
default_backend strip-tor-proxy
backend strip-tor-proxy
mode tcp
server forward unix@/var/run/haproxy-haproxy.sock check send-proxy
frontend http-in
bind unix@/var/run/haproxy-haproxy.sock accept-proxy
#forwardfor sets the circuit identifier sent by tor daemon in haproxy PROXY protocol header as the x-forwarded-for header
option forwardfor
acl ddos_mode_enabled hdr_cnt(xr3la1rfFc) eq 0
acl ddos_mode_enabled hdr(host) -i -f /etc/haproxy/ddos.map
# you can repeat this acl (which ORs them) to add more conditions where ddos_mode_enabled
# check captcha cookie
acl captcha_passed var(txn.captcha_passed) -m bool
acl captcha_passed hdr(host),map_str(/etc/haproxy/no_captcha.map) -m found
# check proof of work cookie
acl pow_passed var(txn.pow_passed) -m bool
# exclude favicon, and serve script files directly in haproxy
acl on_captcha_url path -m beg /bot-check
acl is_favicon path /favicon.ico
acl is_sha1_js path /js/sha1.js
acl is_worker_js path /js/worker.js
http-request return file /var/www/js/sha1.js status 200 content-type "application/javascript; charset=utf-8" hdr "cache-control" "public, max-age=300" if is_sha1_js
http-request return file /var/www/js/worker.js status 200 content-type "application/javascript; charset=utf-8" hdr "cache-control" "public, max-age=300" if is_worker_js
# check pow/captcha and show page if necessary
http-request use-service lua.hcaptcha-view if on_captcha_url !is_favicon
http-request lua.hcaptcha-check if !is_favicon !on_captcha_url ddos_mode_enabled
http-request lua.pow-check if !is_favicon !on_captcha_url ddos_mode_enabled
http-request redirect location /bot-check?%[capture.req.uri] code 302 if !captcha_passed !on_captcha_url ddos_mode_enabled !is_favicon OR !pow_passed !on_captcha_url ddos_mode_enabled !is_favicon
default_backend servers
backend servers
server server1 nginx:80
backend hcaptcha
server hcaptcha hcaptcha.com:443
Reference in New Issue View Git Blame Copy Permalink