@haproxytechblog
Last active May 18, 2023 08:25
Application-Layer DDoS Attack Protection with HAProxy
backend per_ip_rates
    stick-table type ip size 1m expire 10m store http_req_rate(10s)

frontend fe_mywebsite
    bind *:80
    http-request track-sc0 src table per_ip_rates

frontend fe_mywebsite
    bind *:80
    http-request track-sc0 src table per_ip_rates
    http-request deny deny_status 429 if { sc_http_req_rate(0) gt 100 }

Feb 8 17:15:07 localhost hapee-lb[19738]: 192.168.1.2:49528 [08/Feb/2018:17:15:07.182] fe_main fe_main/<NOSRV> 0/-1/-1/-1/0 429 188 - - PR-- 0/0/0/0/0 0/0 "GET / HTTP/1.1"
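The denied request above is logged with status 429 and termination state PR (HAProxy rejected it before any server was contacted, hence fe_main/&lt;NOSRV&gt;). As an added example that is not part of the gist, this Python script parses lines in that default httplog layout and counts such denials per client IP, so a defender can confirm the rate limit is firing and see which sources are hitting it. The regex and the sample log lines are constructed for this example.

```python
import re
from collections import Counter

# Default "option httplog" field layout, as seen in the gist's sample line. This regex is
# written for this example; it is not part of HAProxy.
HTTP_LOG_RE = re.compile(
    r'(?P<client_ip>[\d.]+):(?P<client_port>\d+) '
    r'\[(?P<accept_date>[^\]]+)\] '
    r'(?P<frontend>\S+) (?P<backend>[^/\s]+)/(?P<server>\S+) '
    r'(?P<timers>-?\d+/-?\d+/-?\d+/-?\d+/-?\d+) '
    r'(?P<status>\d{3}) (?P<bytes>\d+) '
    r'(?P<req_cookie>\S+) (?P<resp_cookie>\S+) '
    r'(?P<term_state>\S{4}) '
    r'(?P<conn_counts>\S+) (?P<queues>\S+) '
    r'"(?P<request>[^"]*)"'
)

# Constructed sample lines modelled on the gist's 429 example (IPs are documentation ranges).
SAMPLE_LOG = """\
Feb 8 17:15:07 localhost hapee-lb[19738]: 192.168.1.2:49528 [08/Feb/2018:17:15:07.182] fe_main fe_main/<NOSRV> 0/-1/-1/-1/0 429 188 - - PR-- 0/0/0/0/0 0/0 "GET / HTTP/1.1"
Feb 8 17:15:07 localhost hapee-lb[19738]: 192.168.1.2:49530 [08/Feb/2018:17:15:07.201] fe_main fe_main/<NOSRV> 0/-1/-1/-1/0 429 188 - - PR-- 0/0/0/0/0 0/0 "GET /login HTTP/1.1"
Feb 8 17:15:08 localhost hapee-lb[19738]: 10.0.0.7:51000 [08/Feb/2018:17:15:08.010] fe_main be_website/web1 0/0/1/12/13 200 5120 - - ---- 3/3/1/1/0 0/0 "GET / HTTP/1.1"
Feb 8 17:15:08 localhost hapee-lb[19738]: 203.0.113.9:40001 [08/Feb/2018:17:15:08.120] fe_main fe_main/<NOSRV> 0/-1/-1/-1/0 429 188 - - PR-- 0/0/0/0/0 0/0 "POST /search HTTP/1.1"
"""


def parse_line(line):
    """Return the named fields of one httplog line, or None if the line does not match."""
    m = HTTP_LOG_RE.search(line)
    return m.groupdict() if m else None


def denied_by_source(log_text):
    """Count requests the proxy itself rejected (status 429, termination state starting
    with 'P' for proxy and 'R' for request phase), keyed by client IP."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["status"] == "429" and rec["term_state"].startswith("PR"):
            counts[rec["client_ip"]] += 1
    return counts


if __name__ == "__main__":
    for ip, n in denied_by_source(SAMPLE_LOG).most_common():
        print(f"{ip:>16}  {n} rate-limit denials")
```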

    http-request track-sc0 src table per_ip_rates if METH_POST
    http-request deny deny_status 429 if { sc_http_req_rate(0) gt 100 }

    timeout tarpit 5s
    http-request tarpit if { sc_http_req_rate(0) gt 100 }

    timeout http-request 5s
    option http-buffer-request

    http-request deny if HTTP_1.0

    http-request deny if { req.hdr(user-agent) -i -m sub curl }

    http-request deny if { req.hdr(user-agent) -i -m sub curl phantomjs slimerjs }

    http-request deny if { req.hdr(user-agent) -i -m sub -f /etc/hapee-1.8/badagents.acl }

    http-request deny unless { req.hdr(user-agent) -m found }

    http-request deny if { src -f /etc/hapee-1.8/blacklist.acl }

1.0.1.0/24
1.0.2.0/23
1.0.8.0/21
1.0.32.0/19
1.1.0.0/24
1.1.2.0/23
1.1.4.0/22
# etc.

    http-request deny if { src -f /etc/hapee-1.8/greylist.acl } { sc_http_req_rate(0) gt 5 }

dynamic-update
    update id /etc/hapee-1.8/blacklist.acl url https://192.168.122.1/blacklist.acl delay 60s

frontend per_ip_connections
    stick-table type ip size 1m expire 1m store conn_cur,conn_rate(1m)

frontend fe_smtp
    mode tcp
    bind :25
    option tcplog
    timeout client 1m
    tcp-request content track-sc0 src table per_ip_connections
    tcp-request content reject if { sc_conn_cur(0) gt 1 } || { sc_conn_rate(0) gt 5 }
    default_backend be_smtp

backend be_smtp
    mode tcp
    timeout server 1m
    option tcp-check  # For SMTP specifically, smtpchk can be used
    server smtp1 162.216.18.221:25 maxconn 50 check

    tcp-request inspect-delay 10s
    tcp-request content accept if { sc_conn_rate(0) lt 2 }
    tcp-request content reject if { req_len gt 0 }

    use_backend be_website_bots if { sc_http_req_rate(0) gt 100 }

    http-request silent-drop if { sc_http_req_rate(0) gt 100 }