haproxy-protection/haproxy/haproxy.cfg

global
	daemon
	maxconn 256
	log stdout  format raw  local0  debug
	lua-load /etc/haproxy/scripts/register.lua
	stats socket /var/run/haproxy.sock mode 666 level admin

defaults
	mode http
	timeout connect 5000ms
	timeout client 50000ms
	timeout server 50000ms

frontend http-in
	bind *:80

	acl ddos_mode_enabled hdr_cnt(xr3la1rfFc) eq 0
	acl ddos_mode_enabled hdr(host) -i -f /etc/haproxy/ddos.map
	# you can repeat this acl (which ORs them) to add more conditions where ddos_mode_enabled

	# check captcha cookie
	acl captcha_passed var(txn.captcha_passed) -m bool
	acl captcha_passed hdr(host),map_str(/etc/haproxy/no_captcha.map) -m found
	# check proof of work cookie
	acl pow_passed var(txn.pow_passed) -m bool

	# exclude favicon, and serve script files directly in haproxy
	acl on_captcha_url path -m beg /bot-check
	acl is_favicon path /favicon.ico
	acl is_sha1_js path /js/sha1.js
	acl is_worker_js path /js/worker.js
	http-request return file /var/www/js/sha1.js status 200 content-type "application/javascript; charset=utf-8" hdr "cache-control" "public, max-age=300" if is_sha1_js
	http-request return file /var/www/js/worker.js status 200 content-type "application/javascript; charset=utf-8" hdr "cache-control" "public, max-age=300" if is_worker_js

	# check pow/captcha and show page if necessary
	http-request use-service lua.hcaptcha-view	if on_captcha_url !is_favicon
	http-request lua.hcaptcha-check          if !is_favicon !on_captcha_url ddos_mode_enabled
	http-request lua.pow-check          if !is_favicon !on_captcha_url ddos_mode_enabled
	http-request redirect location /bot-check?%[capture.req.uri] code 302 if !captcha_passed !on_captcha_url ddos_mode_enabled !is_favicon OR !pow_passed !on_captcha_url ddos_mode_enabled !is_favicon

	default_backend servers

backend servers
	server server1 nginx:80 maxconn 32

backend hcaptcha
	mode http
	server hcaptcha hcaptcha.com:443