Created August 11, 2020 20:37
Use HAProxy Response Policies to Stop Threats
frontend www
    bind :80
    default_backend webservers
    # use a stick table to track request rates
    stick-table type ip size 100k expire 2m store http_req_rate(1m)
    http-request track-sc0 src
    # Deny if they exceed the limit
    acl too_many_requests sc_http_req_rate(0) gt 20
    http-request deny deny_status 429 if too_many_requests

frontend www
    bind :80
    default_backend webservers
    # use a stick table to track request rates
    stick-table type ip size 100k expire 2m store http_req_rate(1m)
    http-request track-sc0 src
    # Log if they exceed the limit (the request is still forwarded)
    acl too_many_requests sc_http_req_rate(0) gt 20
    http-request set-var(txn.ratelimited) str(RATE-LIMITED) if too_many_requests
    # capture the variable so it appears in the access log line
    http-request capture var(txn.ratelimited) len 12

frontend www
    bind :80
    default_backend webservers
    # demo condition: TRUE matches every request; use a real ACL in production
    http-request deny deny_status 429 if TRUE

frontend www
    bind :80
    default_backend webservers
    # use a stick table to track request rates
    stick-table type ip size 100k expire 2m store http_req_rate(1m)
    http-request track-sc0 src
    # Deny if they exceed the limit, and tell the client why
    acl too_many_requests sc_http_req_rate(0) gt 20
    http-request deny deny_status 429 hdr Denial-Reason "Exceeded rate limit" if too_many_requests

    # same frontend as above; the header value is a log-format string, so the
    # observed rate from the stick table can be included
    http-request deny deny_status 429 hdr Denial-Reason "Exceeded rate limit. You had: %[sc_http_req_rate(0)] requests." if too_many_requests

    # same frontend as above; return an HTML body instead of a header
    http-request deny deny_status 429 content-type text/html lf-string "<p>Per our policy, you are limited to 20 requests per minute, but you have exceeded that limit with %[sc_http_req_rate(0)] requests per minute.</p>" if too_many_requests

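A reference model of the rate-limit policy in the snippets above, added here as an example (it is not HAProxy's code or the gist's). It approximates the stick table's `http_req_rate(1m)` as a trailing 60-second request count per source IP, applies the same `gt 20` rule, and produces either the 429 with its Denial-Reason header or the log-only `txn.ratelimited` variable; the IP addresses in the docstring are constructed.

```python
from collections import deque

WINDOW_SECONDS = 60    # http_req_rate(1m)
EXPIRE_SECONDS = 120   # stick-table ... expire 2m
LIMIT = 20             # acl too_many_requests sc_http_req_rate(0) gt 20


class RateLimitPolicy:
    """Per-source-IP request-rate policy mirroring the frontend above.

    Assumption (a model, not HAProxy's real frequency counter): the 1m rate
    is the number of requests seen from the IP in the last 60 seconds.
    Example use: RateLimitPolicy().handle("203.0.113.5", now=12.0)
    """

    def __init__(self, limit=LIMIT, window=WINDOW_SECONDS,
                 expire=EXPIRE_SECONDS, enforce=True):
        self.limit, self.window, self.expire = limit, window, expire
        self.enforce = enforce        # False = the "log only" variant
        self.table = {}               # stick table: src ip -> request timestamps

    def _expire(self, now):
        # Drop entries idle longer than `expire 2m`, as the stick table would.
        idle = [ip for ip, q in self.table.items() if now - q[-1] >= self.expire]
        for ip in idle:
            del self.table[ip]

    def rate(self, src):
        """Current sc_http_req_rate(0) for src (0 once the entry has expired)."""
        return len(self.table.get(src, ()))

    def handle(self, src, now):
        """Process one request from `src` at time `now` (seconds).

        Returns (status, headers); 200 means forwarded to default_backend.
        """
        self._expire(now)
        q = self.table.setdefault(src, deque())
        q.append(now)                             # http-request track-sc0 src
        while now - q[0] >= self.window:          # keep only the trailing 1m
            q.popleft()
        rate = len(q)
        if rate > self.limit:                     # acl too_many_requests
            if self.enforce:
                # http-request deny deny_status 429 hdr Denial-Reason "..."
                return 429, {"Denial-Reason":
                             f"Exceeded rate limit. You had: {rate} requests."}
            # http-request set-var(txn.ratelimited) str(RATE-LIMITED), captured for the log
            return 200, {"txn.ratelimited": "RATE-LIMITED"}
        return 200, {}
```

Note that a denied request is still counted, as `track-sc0` runs before the deny rule, so a client that keeps hammering stays blocked until its rate falls back under the limit.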
frontend www
    bind :80
    default_backend webservers
    # hold the client's connection for 10s before answering 403
    timeout tarpit 10s
    # demo condition: TRUE matches every request
    http-request tarpit deny_status 403 if TRUE

frontend www
    bind :80
    default_backend webservers
    # close the connection without any response (demo condition: TRUE matches every request)
    http-request silent-drop if TRUE

frontend www
    bind :80
    default_backend webservers
    # reject at the TCP layer, before any HTTP processing (demo condition: TRUE matches every request)
    tcp-request content reject if TRUE

    # assumes an is_attacker ACL defined elsewhere in the frontend;
    # rewrite every image request from a flagged client to a single static file
    http-request set-path /images/cat.jpeg if { path_beg /images/ } is_attacker

    # assumes an is_attacker ACL defined elsewhere in the frontend;
    # serve a decoy login page from disk instead of forwarding to the backend
    http-request return content-type text/html file /srv/www/fake_login.html if { path_beg /login } is_attacker