Use HAProxy Response Policies to Stop Threats

blog20200811-01.cfg

frontend www
    bind :80
    default_backend webservers
    
    # use a stick table to track request rates
    stick-table type ip size 100k expire 2m store http_req_rate(1m)     
    http-request track-sc0 src

    # Deny if they exceed the limit
    acl too_many_requests sc_http_req_rate(0) gt 20
    http-request deny deny_status 429 if too_many_requests

blog20200811-02.cfg

frontend www
    bind :80
    default_backend webservers
    
    # use a stick table to track request rates
    stick-table type ip size 100k expire 2m store http_req_rate(1m)     
    http-request track-sc0 src

    # Log if they exceed the limit
    acl too_many_requests sc_http_req_rate(0) gt 20
    http-request set-var(txn.ratelimited) str(RATE-LIMITED) if too_many_requests
    http-request capture var(txn.ratelimited) len 12

blog20200811-03.cfg

frontend www
    bind :80
    default_backend webservers
    http-request deny deny_status 429 if TRUE

blog20200811-04.cfg

frontend www
    bind :80
    default_backend webservers
    
    # use a stick table to track request rates
    stick-table type ip size 100k expire 2m store http_req_rate(1m)     
    http-request track-sc0 src

    # Deny if they exceed the limit
    acl too_many_requests sc_http_req_rate(0) gt 20
    http-request deny deny_status 429 hdr Denial-Reason "Exceeded rate limit" if too_many_requests

blog20200811-05.cfg

http-request deny deny_status 429 hdr Denial-Reason "Exceeded rate limit. You had: %[sc_http_req_rate(0)] requests." if too_many_requests

blog20200811-06.cfg

http-request deny deny_status 429 content-type text/html lf-string "<p>Per our policy, you are limited to 20 requests per minute, but you have exceeded that limit with %[sc_http_req_rate(0)] requests per minute.</p>" if too_many_requests

blog20200811-07.cfg

frontend www
    bind :80
    default_backend webservers
    timeout tarpit 10s
    http-request tarpit deny_status 403 if TRUE

blog20200811-08.cfg

frontend www
    bind :80
    default_backend webservers
    http-request silent-drop if TRUE

blog20200811-09.cfg

frontend www
    bind :80
    default_backend webservers
    tcp-request content reject if TRUE

blog20200811-10.cfg

http-request set-path /images/cat.jpeg if { path_beg /images/ } is_attacker

blog20200811-11.cfg

http-request return content-type text/html file /srv/www/fake_login.html if { path_beg /login } is_attacker