mirror of
https://gitgud.io/fatchan/haproxy-protection.git
synced 2025-05-09 02:05:37 +00:00
239 lines
10 KiB
INI
239 lines
10 KiB
INI
global
|
|
lua-load /etc/haproxy/scripts/register.lua
|
|
log /dev/log local0
|
|
log /dev/log local1 notice
|
|
chroot /var/lib/haproxy
|
|
user haproxy
|
|
group haproxy
|
|
daemon
|
|
maxconn 10000
|
|
|
|
#for haproxy panel
|
|
stats socket 127.0.0.1:1999 level operator
|
|
|
|
stats socket /var/run/haproxy.sock mode 660 level admin expose-fd listeners
|
|
stats timeout 30s
|
|
|
|
# Default SSL material locations
|
|
ca-base /etc/ssl/certs
|
|
crt-base /etc/ssl/private
|
|
|
|
# Default ciphers to use on SSL-enabled listening sockets.
|
|
# For more information, see ciphers(1SSL). This list is from:
|
|
# https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
|
|
ssl-default-bind-options ssl-min-ver TLSv1.2 prefer-client-ciphers
|
|
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
|
|
ssl-default-bind-ciphers ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES256:ECDH+AES128:!aNULL:!SHA1:!AESCCM
|
|
ssl-default-server-options ssl-min-ver TLSv1.2
|
|
ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
|
|
ssl-default-server-ciphers ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES256:ECDH+AES128:!aNULL:!SHA1:!AESCCM
|
|
|
|
tune.ssl.default-dh-param 2048
|
|
|
|
defaults
|
|
option logasap
|
|
log global
|
|
mode http
|
|
option httplog
|
|
# option dontlognull
|
|
#timeout slow connection
|
|
timeout connect 5000
|
|
#timeout slow request headers
|
|
timeout http-request 5000
|
|
#timeout very very slow clients
|
|
timeout client 90000
|
|
#timeout if server dead
|
|
timeout server 10000
|
|
#timeout websockets after long time, not 0 just in case. it wil reconnect anyway.
|
|
timeout tunnel 900000
|
|
#timeout for tarpitting bots
|
|
timeout tarpit 10000
|
|
errorfile 429 /etc/haproxy/errors/429.http
|
|
errorfile 400 /etc/haproxy/errors/400.http
|
|
errorfile 403 /etc/haproxy/errors/403.http
|
|
errorfile 408 /etc/haproxy/errors/408.http
|
|
errorfile 500 /etc/haproxy/errors/500.http
|
|
errorfile 502 /etc/haproxy/errors/502.http
|
|
errorfile 503 /etc/haproxy/errors/503.http
|
|
errorfile 504 /etc/haproxy/errors/504.http
|
|
option forwardfor
|
|
option http-keep-alive
|
|
|
|
##### Better log format
|
|
log-format "%ci %s %ST %{+Q}r %B %ts CONC:[%ac/%fc/%bc/%sc] QUEUE:[%sq/%bq]"
|
|
|
|
# necessary to firewall, white_list acl in development
|
|
frontend stats-frontend
|
|
bind *:2000
|
|
option tcplog
|
|
mode tcp
|
|
acl white_list src xxx.xxx.xxx.xxx
|
|
tcp-request connection reject unless white_list
|
|
default_backend stats-backend
|
|
|
|
backend stats-backend
|
|
mode tcp
|
|
server stats-localhost 127.0.0.1:1999
|
|
|
|
backend per_ip_rates
|
|
stick-table type ip size 100k expire 1h store gpc0,gpc0_rate(30s),http_err_rate(5m)
|
|
|
|
frontend www-http-https
|
|
|
|
# Bind and multiple certs in folder
|
|
bind :::80
|
|
bind :::443 ssl crt /etc/haproxy/certs alpn h2,http/1.1
|
|
|
|
# HTTPS redirect
|
|
http-request redirect scheme https if !{ ssl_fc }
|
|
|
|
# Tarpit when too many errors
|
|
http-request tarpit deny_status 429 if { sc_http_err_rate(0) gt 5 }
|
|
|
|
# kikeflare ACL for separate backend
|
|
acl is_kikeflare hdr(host) -i kikeflare.com www.kikeflare.com
|
|
|
|
# drop requests with invalid host header
|
|
acl is_existing_vhost hdr(host),lower,map_str(/etc/haproxy/hosts.map) -m found
|
|
http-request silent-drop unless is_existing_vhost
|
|
|
|
# acl for blocked IPs/subnets
|
|
acl blocked_ip_or_subnet src,map_ip(/etc/haproxy/blocked.map) -m found
|
|
http-request deny deny_status 403 if blocked_ip_or_subnet
|
|
|
|
# acl for lua check whitelisted IPs/subnets and some excluded paths
|
|
acl is_excluded src,map_ip(/etc/haproxy/whitelist.map) -m found
|
|
acl is_excluded path_end -i .css .js .png .jpg .ico .jpeg .gif .mp4 .webm .bmp .mov .svg .mp3 .ogg .wav .opus .apng .webp .pjpeg .jfif .txt .sid .pdf .webmanifest .xml .flac .m4a .aac
|
|
acl is_excluded path /favicon.ico /webring.json #add more
|
|
|
|
# acl ORs for when ddos_mode_enabled
|
|
acl ddos_mode_enabled_override hdr_cnt(xr3la1rfFc) eq 0
|
|
acl ddos_mode_enabled hdr(host),lower,map(/etc/haproxy/ddos.map) -m bool
|
|
acl ddos_mode_enabled base,map(/etc/haproxy/ddos.map) -m bool
|
|
|
|
# serve challenge page scripts directly from haproxy
|
|
acl is_sha1_js path /js/sha1.js
|
|
acl is_worker_js path /js/worker.js
|
|
acl is_footerlogo_png path /img/footerlogo.png
|
|
http-request return file /var/www/js/sha1.js status 200 content-type "application/javascript; charset=utf-8" hdr "cache-control" "public, max-age=300" if is_sha1_js
|
|
http-request return file /var/www/js/worker.js status 200 content-type "application/javascript; charset=utf-8" hdr "cache-control" "public, max-age=300" if is_worker_js
|
|
http-request return file /var/www/img/footerlogo.png status 200 content-type "image/png" hdr "cache-control" "public, max-age=300" if is_footerlogo_png
|
|
|
|
# acl for domains in maintenance mode to return maintenance page (after challenge page htp-request return rules, for the footerlogo)
|
|
acl maintenance_mode hdr(host),lower,map_str(/etc/haproxy/maintenance.map) -m found
|
|
http-request return file /var/www/html/maintenance.html status 200 content-type "text/html; charset=utf-8" hdr "cache-control" "private, max-age=30" if maintenance_mode
|
|
|
|
# create acl for bools updated by lua
|
|
acl captcha_passed var(txn.captcha_passed) -m bool
|
|
acl pow_passed var(txn.pow_passed) -m bool
|
|
acl validate_captcha var(txn.validate_captcha) -m bool
|
|
acl validate_pow var(txn.validate_pow) -m bool
|
|
|
|
# check pow/captcha and show page if necessary
|
|
acl on_captcha_url path /bot-check
|
|
http-request use-service lua.hcaptcha-view if on_captcha_url !is_excluded
|
|
http-request lua.decide-checks-necessary if !is_excluded !on_captcha_url ddos_mode_enabled
|
|
# global override enabled pow-check only, uncomment the OR to also do hcaptcha-check
|
|
http-request lua.hcaptcha-check if !is_excluded !on_captcha_url validate_captcha #OR !is_excluded !on_captcha_url ddos_mode_enabled_override
|
|
http-request lua.pow-check if !is_excluded !on_captcha_url validate_pow OR !is_excluded !on_captcha_url ddos_mode_enabled_override
|
|
http-request redirect location /bot-check?%[capture.req.uri] code 302 if validate_captcha !captcha_passed !on_captcha_url ddos_mode_enabled !is_excluded OR validate_pow !pow_passed !on_captcha_url ddos_mode_enabled !is_excluded OR !pow_passed ddos_mode_enabled_override !on_captcha_url !is_excluded
|
|
|
|
# redirect handle trailing slash and index.html
|
|
acl dont-redirect path_reg ^\/(captcha|randombanner|forms|logout|socket\.io)(\/|$)
|
|
acl needs-trailing-slash path_reg ^([^.\?]*[^/])$
|
|
acl has-trailing-slash path_end /
|
|
http-request redirect scheme https append-slash if !dont-redirect needs-trailing-slash !is_kikeflare
|
|
http-request redirect location https://%[req.hdr(host)]%[path]index.html%[query] if !dont-redirect has-trailing-slash !is_kikeflare
|
|
|
|
# remove www.
|
|
http-request redirect location https://%[req.hdr(host),regsub(^www.,)]%[capture.req.uri] if { hdr_beg(host) -i www }
|
|
|
|
# X-Cache-Status header (may be sent in some non-cache responses because NOSRV can happen for other reasons, but should always be present in responses served by cache-use)
|
|
http-response set-header X-Cache-Status HIT if !{ srv_id -m found }
|
|
http-response set-header X-Cache-Status MISS if { srv_id -m found }
|
|
|
|
# Track client by url32+src (Host header + URL path + src IP), deny if rate abuse
|
|
stick-table type binary len 8 size 200k expire 10s store http_req_rate(10s)
|
|
http-request track-sc0 url32+src
|
|
acl rate_abuse sc0_http_req_rate gt 50
|
|
http-request tarpit deny_status 429 if rate_abuse
|
|
|
|
# Send LetsEncrypt requests to alternative backend that handles certs
|
|
acl letsencrypt-acl path_beg /.well-known/acme-challenge/
|
|
use_backend letsencrypt-backend if letsencrypt-acl
|
|
|
|
# Socketio backend (doesnt try to upgrade to http2)
|
|
acl socketio path_beg /socket.io/
|
|
use_backend no-http2-backend if socketio
|
|
|
|
# Captcha backend with queue/maxconn
|
|
acl captcha path -i /captcha /captcha/
|
|
use_backend maxconn-20-backend if captcha
|
|
|
|
# Kikeflare acl separate backend
|
|
use_backend basic-cache-backend if is_kikeflare
|
|
|
|
# Otherwise, send to main backend
|
|
default_backend complex-cache-backend
|
|
|
|
cache long_cache
|
|
total-max-size 2500
|
|
max-object-size 31457280
|
|
max-age 86400
|
|
|
|
cache short_cache
|
|
total-max-size 50
|
|
max-object-size 1000000
|
|
max-age 600
|
|
|
|
cache micro_cache
|
|
total-max-size 50
|
|
max-object-size 1000000
|
|
max-age 60
|
|
|
|
backend letsencrypt-backend
|
|
server www-1 xxx.xxx.xxx.xxx:80
|
|
|
|
# a complex backend that has a few different caches, and is catered to work well specifically with jschan
|
|
backend complex-cache-backend
|
|
http-request set-var(txn.path) path
|
|
|
|
##### longer cache
|
|
acl long_cached_file var(txn.path) -i -m end .css .js .png .jpg .ico .jpeg .gif .mp4 .webm .bmp .mov .svg .mp3 .ogg .wav .opus .apng .webp .pjpeg .jfif .txt .sid .pdf .webmanifest .xml .flac .m4a .m4v .ts .aac
|
|
acl long_cached_page var(txn.path) -i -m beg /rules.html /faq.html /robots.txt
|
|
http-request cache-use long_cache if long_cached_file or long_cached_page
|
|
http-response cache-store long_cache if long_cached_file or long_cached_page
|
|
|
|
##### shorter cache
|
|
acl short_cached_page var(txn.path) -i -m beg /index.html /news.html
|
|
http-request cache-use short_cache if short_cached_page
|
|
http-response cache-store short_cache if short_cached_page
|
|
|
|
##### micro cache
|
|
acl micro_cached_page var(txn.path) -i -m beg /boards.html /catalog.html /overboard.html /boards.json
|
|
http-request cache-use micro_cache if micro_cached_page
|
|
http-response cache-store micro_cache if micro_cached_page
|
|
|
|
server www-1 xxx.xxx.xxx.xxx:443 ssl verify required ca-file /etc/ssl/certs/backend.pem alpn h2
|
|
|
|
# a simpler backend that caches mostly media and css/js
|
|
backend basic-cache-backend
|
|
http-request set-var(txn.path) path
|
|
|
|
##### longer cache
|
|
acl long_cached_file var(txn.path) -i -m end .css .js .png .jpg .ico .jpeg .gif .mp4 .webm .bmp .mov .svg .mp3 .ogg .wav .opus .apng .webp .pjpeg .jfif .txt .sid .pdf .webmanifest .xml .flac .m4a .m4v .ts .aac
|
|
http-request cache-use long_cache if long_cached_file
|
|
http-response cache-store long_cache if long_cached_file
|
|
|
|
server www-1 xxx.xxx.xxx.xxx:443 ssl verify required ca-file /etc/ssl/certs/backend.pem alpn h2
|
|
|
|
backend no-http2-backend
|
|
server www-1 xxx.xxx.xxx.xxx:443 ssl verify required ca-file /etc/ssl/certs/backend.pem
|
|
|
|
backend maxconn-20-backend
|
|
server www-1 xxx.xxx.xxx.xxx:443 ssl verify required ca-file /etc/ssl/certs/backend.pem maxconn 20 alpn h2
|
|
|
|
backend hcaptcha
|
|
mode http
|
|
server hcaptcha hcaptcha.com:443
|