Application-Layer DDoS Attack Protection with HAProxy
Gist haproxytechblog/906c6bc30b0fcccdd161248704a075b9, last active May 8, 2024 16:24
```
backend per_ip_rates
    stick-table type ip size 1m expire 10m store http_req_rate(10s)
```
```
frontend fe_mywebsite
    bind *:80
    http-request track-sc0 src table per_ip_rates
```
```
frontend fe_mywebsite
    bind *:80
    http-request track-sc0 src table per_ip_rates
    http-request deny deny_status 429 if { sc_http_req_rate(0) gt 100 }
```
```
Feb 8 17:15:07 localhost hapee-lb[19738]: 192.168.1.2:49528 [08/Feb/2018:17:15:07.182] fe_main fe_main/<NOSRV> 0/-1/-1/-1/0 429 188 - - PR-- 0/0/0/0/0 0/0 "GET / HTTP/1.1"
```
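The log line above is what a denied request looks like: status 429, no server (`<NOSRV>`) and termination state `PR--`, meaning the proxy itself (P) ended the session during the request phase (R). A defender will want to pull these out of the syslog stream to see which sources keep tripping the rate limit. The following parser is an added example, not part of the gist or of HAProxy; the regex follows the HAProxy HTTP log format as shown in the line above, the log lines other than the first are constructed for the example, and the `flag_sources` threshold is an assumed value.

```python
import re
from collections import Counter

# Constructed sample log lines. The first is the 429 denial line shown in the
# gist; the rest are made up to exercise the parser (a normal 200, a second
# denial from the same client, a backend failure, and an unrelated syslog line).
SAMPLE_LOG = [
    'Feb 8 17:15:07 localhost hapee-lb[19738]: 192.168.1.2:49528 [08/Feb/2018:17:15:07.182] '
    'fe_main fe_main/<NOSRV> 0/-1/-1/-1/0 429 188 - - PR-- 0/0/0/0/0 0/0 "GET / HTTP/1.1"',
    'Feb 8 17:15:08 localhost hapee-lb[19738]: 10.0.0.5:51000 [08/Feb/2018:17:15:08.001] '
    'fe_main be_main/web1 1/0/1/2/4 200 5120 - - ---- 1/1/0/0/0 0/0 "GET /index.html HTTP/1.1"',
    'Feb 8 17:15:09 localhost hapee-lb[19738]: 192.168.1.2:49530 [08/Feb/2018:17:15:09.040] '
    'fe_main fe_main/<NOSRV> 0/-1/-1/-1/0 429 188 - - PR-- 0/0/0/0/0 0/0 "GET / HTTP/1.1"',
    'Feb 8 17:15:10 localhost hapee-lb[19738]: 10.0.0.7:51002 [08/Feb/2018:17:15:10.500] '
    'fe_main be_main/web1 1/0/-1/-1/3001 503 212 - - SC-- 1/1/0/0/3 0/0 "GET /api HTTP/1.1"',
    'Feb 8 17:15:11 localhost sshd[1234]: Accepted publickey for alice from 10.0.0.9',
]

# HAProxy HTTP log record, as laid out in the gist's sample line:
# client:port [accept_date] frontend backend/server timers status bytes
# req_cookie resp_cookie termination_state conn_counters queues "request"
HAPROXY_HTTP_LOG = re.compile(
    r"(?P<client_ip>[\d.]+):(?P<client_port>\d+) "
    r"\[(?P<accept_date>[^\]]+)\] "
    r"(?P<frontend>\S+) (?P<backend>[^/\s]+)/(?P<server>\S+) "
    r"(?P<timers>-?\d+/-?\d+/-?\d+/-?\d+/-?\d+) "
    r"(?P<status>\d{3}) (?P<bytes>\d+) "
    r"(?P<req_cookie>\S+) (?P<resp_cookie>\S+) "
    r"(?P<term_state>\S{4}) "
    r"(?P<conns>\d+/\d+/\d+/\d+/\d+) (?P<queues>\d+/\d+) "
    r'"(?P<request>[^"]*)"'
)


def parse_haproxy_line(line):
    """Parse one syslog line carrying an HAProxy HTTP log record.

    Returns a dict of the named fields, or None if the line is not an
    HAProxy HTTP record (e.g. output of another daemon). The syslog prefix
    (timestamp, host, process) is skipped by searching for the record.
    """
    m = HAPROXY_HTTP_LOG.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = int(rec["bytes"])
    # Termination state: first char 'P' means the proxy itself ended the
    # session (deny rule, connection limit, ...). "PR--" with a 429 is thus
    # the http-request deny rule firing, not an answer from a backend server.
    rec["denied_by_proxy"] = rec["term_state"][0] == "P"
    return rec


def count_denials(lines):
    """Count proxy-side denials per client IP.

    Returns (Counter of denials keyed by client IP, number of lines that
    were not HAProxy HTTP records).
    """
    denials = Counter()
    unparsed = 0
    for line in lines:
        rec = parse_haproxy_line(line)
        if rec is None:
            unparsed += 1
            continue
        if rec["denied_by_proxy"]:
            denials[rec["client_ip"]] += 1
    return denials, unparsed


def flag_sources(denials, min_denials):
    """Return client IPs with at least min_denials denials, most active first."""
    return [ip for ip, n in denials.most_common() if n >= min_denials]


if __name__ == "__main__":
    denials, skipped = count_denials(SAMPLE_LOG)
    for ip, n in denials.most_common():
        print(f"{ip}: {n} request(s) denied by HAProxy")
    print(f"{skipped} non-HAProxy line(s) skipped")
    # Threshold of 2 is an assumed value for the example.
    print("sources over threshold:", flag_sources(denials, 2))
```

Keying on the termination state rather than on the 429 status is deliberate: a backend can also return 429, while `P` in the first position is only ever set when HAProxy itself cut the session, so it isolates the effect of the `http-request deny` rule from the gist.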
```
http-request track-sc0 src table per_ip_rates if METH_POST
http-request deny deny_status 429 if { sc_http_req_rate(0) gt 100 }
```
```
timeout tarpit 5s
http-request tarpit if { sc_http_req_rate(0) gt 100 }
```
```
timeout http-request 5s
option http-buffer-request
```
```
http-request deny if HTTP_1.0
```
```
http-request deny if { req.hdr(user-agent) -i -m sub curl }
```
```
http-request deny if { req.hdr(user-agent) -i -m sub curl phantomjs slimerjs }
```
```
http-request deny if { req.hdr(user-agent) -i -m sub -f /etc/hapee-1.8/badagents.acl }
```
```
http-request deny unless { req.hdr(user-agent) -m found }
```
```
http-request deny if { src -f /etc/hapee-1.8/blacklist.acl }
```
```
1.0.1.0/24
1.0.2.0/23
1.0.8.0/21
1.0.32.0/19
1.1.0.0/24
1.1.2.0/23
1.1.4.0/22
# etc.
```
```
http-request deny if { src -f /etc/hapee-1.8/greylist.acl } { sc_http_req_rate(0) gt 5 }
```
```
dynamic-update
    update id /etc/hapee-1.8/blacklist.acl url https://192.168.122.1/blacklist.acl delay 60s
```
```
frontend per_ip_connections
    stick-table type ip size 1m expire 1m store conn_cur,conn_rate(1m)
```
```
frontend fe_smtp
    mode tcp
    bind :25
    option tcplog
    timeout client 1m
    tcp-request content track-sc0 src table per_ip_connections
    tcp-request content reject if { sc_conn_cur(0) gt 1 } || { sc_conn_rate(0) gt 5 }
    default_backend be_smtp
```
```
backend be_smtp
    mode tcp
    timeout server 1m
    option tcp-check  # For SMTP specifically, smtpchk can be used instead
    server smtp1 162.216.18.221:25 maxconn 50 check
```
```
tcp-request inspect-delay 10s
tcp-request content accept if { sc_conn_rate(0) lt 2 }
tcp-request content reject if { req_len gt 0 }
```
```
use_backend be_website_bots if { sc_http_req_rate(0) gt 100 }
```
```
http-request silent-drop if { sc_http_req_rate(0) gt 100 }
```