Last active
April 3, 2019 13:52
-
-
Save haproxytechblog/95650863fab680068ecb5157215335d7 to your computer and use it in GitHub Desktop.
Extending HAProxy with the Stream Processing Offload Engine
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| frontend myproxy | |
| filter spoe [engine <name>] config <spoe-config-file> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| frontend myproxy | |
| mode http | |
| bind :80 | |
| # Declare filter and its config file | |
| filter spoe engine ip-reputation config iprep.conf | |
| # Reject connection if the IP reputation is under 20 | |
| tcp-request content reject if { var(sess.iprep.ip_score) -m int lt 20 } | |
| default_backend webservers | |
| # Normal web servers backend | |
| backend webservers | |
| mode http | |
| balance roundrobin | |
| server web1 192.168.0.5:80 check | |
| # Backend used by the ip-reputation SPOE | |
| backend agents | |
| mode tcp | |
| balance roundrobin | |
| timeout connect 5s # greater than hello timeout | |
| timeout server 3m # greater than idle timeout | |
| option spop-check | |
| server agent1 192.168.1.10:12345 check | |
| server agent2 192.168.1.11:12345 check |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [ip-reputation] | |
| spoe-agent iprep-agent | |
| messages check-client-ip | |
| option var-prefix iprep | |
| timeout hello 2s | |
| timeout idle 2m | |
| timeout processing 10ms | |
| use-backend agents | |
| log global | |
| spoe-message check-client-ip | |
| args ip=src | |
| event on-client-session if ! { src -f /etc/haproxy/whitelist.lst } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| spoe-message check-client-ip | |
| args ip=src | |
| event on-client-session if ! { src -f /etc/haproxy/whitelist.lst } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| tcp-request content reject if { var(sess.iprep.ip_score) -m int lt 20 } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| http-request capture var(sess.iprep.ip_score) len 3 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 192.168.112.1:43670 [19/Feb/2019:21:40:41.197] myproxy | |
| webservers/web1 0/0/0/0/+0 200 +101 - - ---- | |
| 1/1/1/1/0 0/0 {92} "GET / HTTP/1.1" |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment