-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathhaproxy.cfg
81 lines (61 loc) · 3.1 KB
/
haproxy.cfg
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
global
log stdout format raw local0
lua-prepend-path /etc/haproxy/lua/lib/?.lua
lua-load /etc/haproxy/lua/dnsbl.lua
defaults
log global
mode http
timeout connect 5000ms
timeout client 50000ms
timeout server 50000ms
backend st_known_visitors
# Store the IP address of the client after DNSBL lookup
#
# gpc0 > 0 means the IP address is not blacklisted
# gpc1 > 0 means the IP address is blacklisted
#
# Information is stored for 30 minutes
stick-table type ipv6 size 2m expire 30m store gpc0,gpc1
# Tor repeat-offender protection - 24d ban (int32 limit that's about 24d)
backend st_user_ban # Do not modify if you don't know what you do
stick-table type ipv6 size 1m expire 24d store gpc0
frontend http-in
bind *:80
acl contains_x_forwarded_for hdr_cnt(X-Forwarded-For) gt 0
# Options
option httplog
option http-server-close
option dontlognull
log-format "%ci:%cp [%t] %ft %b/%s %Tq/%Tw/%Tc/%Tr/%Tt %ST %U/%B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r"
tcp-request inspect-delay 5s
# Set the X-Forwarded-For header if not already set
http-request set-header X-Forwarded-For %[src] if !contains_x_forwarded_for
# Track the IP address of the client
http-request track-sc0 hdr_ip(X-Forwarded-For) table st_known_visitors
http-request track-sc1 hdr_ip(X-Forwarded-For) table st_user_ban
acl is_permitted_ip sc0_get_gpc0(st_known_visitors) gt 0
acl is_banned_ip sc0_get_gpc1(st_known_visitors) gt 0
acl is_banned_user sc1_get_gpc0(st_user_ban) gt 0
# Do a DNSBL lookup query
# lua.dnsbl_query <table> <dnsbl_domain> <client_ip_var> <client_ip_header_name>
# <table> is the name of the stick-table that will keep track of visitors
# <dnsbl_domain> is the DNSBL domain to use
# <client_ip_var> is the name of the variable that contains the client IP address (optional if set to nil)
# <client_ip_header_name> is the name of the header that contains the client IP address (optional if set to nil)
#
# The DNSBL lookup query will be performed only if the client IP address is not already
# in the stick-table. If the client IP address is already in the stick-table, the DNSBL
# lookup query will return cached data from the stick-table <table>.
# <client_ip_var> and <client_ip_header_name> can be set to nil. In this case the DNSBL
# lookup query will use the src() address of the client.
http-request lua.dnsbl_query "st_known_visitors" "torexit.dan.me.uk" nil "X-Forwarded-For"
http-request sc-inc-gpc0(1) if is_banned_ip !is_banned_user
http-request lua.dnsbl_block "st_user_ban"
acl client_ip_allowed var(txn.dnsbl_is_allowed) eq 1
http-request capture var(txn.dnsbl_is_allowed) len 5
http-request capture hdr(X-DNSBL-Action) len 20
http-request deny deny_status 401 hdr Denial-Reason "Your request has been blocked by DNSBL" if !client_ip_allowed
default_backend web_servers
backend web_servers
http-request set-header CF-Connecting-IP %[hdr(CF-Connecting-IP)] if { hdr(CF-Connecting-IP) -m found }
server web1 http-echo:5678