Last active
August 2, 2020 16:38
-
-
Save thebongy/69614f0f346fb616ee118601016d5d01 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # The first two global and default sections | |
| # are just the ones present by default in the config file | |
| # We leave these unchanged | |
| global | |
| log /dev/log local0 | |
| log /dev/log local1 notice | |
| chroot /var/lib/haproxy | |
| stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners | |
| stats timeout 30s | |
| user haproxy | |
| group haproxy | |
| daemon | |
| # Default SSL material locations | |
| ca-base /etc/ssl/certs | |
| crt-base /etc/ssl/private | |
| # See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate | |
| ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 | |
| ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 | |
| ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets | |
| defaults | |
| log global | |
| mode http | |
| option httplog | |
| option dontlognull | |
| timeout connect 5000 | |
| timeout client 50000 | |
| timeout server 50000 | |
| errorfile 400 /etc/haproxy/errors/400.http | |
| errorfile 403 /etc/haproxy/errors/403.http | |
| errorfile 408 /etc/haproxy/errors/408.http | |
| errorfile 500 /etc/haproxy/errors/500.http | |
| errorfile 502 /etc/haproxy/errors/502.http | |
| errorfile 503 /etc/haproxy/errors/503.http | |
| errorfile 504 /etc/haproxy/errors/504.http | |
| # Setup stats admin panel on port 8080 so we can view load statistics during the CTF | |
| listen stats | |
| bind *:8080 | |
| mode http | |
| stats enable | |
| stats uri / | |
| # DON'T FORGET TO CHANGE THE CREDENTIALS BELOW!! | |
| stats auth username:password | |
| # Setup a haproxy table to store connection information for each user IP adress | |
| # We'll use in each challenge to limit no of connections and the connection rate | |
| # for users | |
| backend Abuse | |
| stick-table type ip size 1m expire 10m store conn_rate(3s),conn_cur | |
| # Set the detault mode as TCP, so pwn challenges and netcat challenges work | |
| # Also set connection timeouts | |
| # most importantly, set the default backend to the cluster. We create this backend | |
| # in the end of this file | |
| defaults | |
| mode tcp | |
| default_backend chall-cluster | |
| timeout connect 5000 | |
| timeout client 50000 | |
| timeout server 50000 | |
| errorfile 400 /etc/haproxy/errors/400.http | |
| errorfile 403 /etc/haproxy/errors/403.http | |
| errorfile 408 /etc/haproxy/errors/408.http | |
| errorfile 500 /etc/haproxy/errors/500.http | |
| errorfile 502 /etc/haproxy/errors/502.http | |
| errorfile 503 /etc/haproxy/errors/503.http | |
| errorfile 504 /etc/haproxy/errors/504.http | |
| # The below configurations have configurations for each and every challenge | |
| # For each case, we setup rules to reject connections in our blacklist file | |
| # and also setup rate limiting rules to a maximum connection rate of 50 every | |
| # 3 seconds, and a maximum of 50 simultaneous connections | |
| # Note that its possible to just create one frontend section and bind to multiple ports | |
| # too, by doing something like | |
| # | |
| # frontend challenges | |
| # tcp-request connection reject if { src -f /etc/haproxy/blacklist.lst } | |
| # tcp-request connection reject if { src_conn_rate(Abuse) ge 50 } | |
| # tcp-request connection reject if { src_conn_cur(Abuse) ge 50 } | |
| # tcp-request connection track-sc1 src table Abuse | |
| # bind *:30000-50000 | |
| # | |
| # | |
| # The reason we create multiple frontends, is just so that we can monitor them | |
| # individually on the stats admin panel that we created above in this file. If you | |
| # don't need to monitor on an individual challenge level, then just use the above | |
| # frontend rule and omit all the ones below | |
| # Change these to your challenges and ports, obviously | |
| # PWN | |
| frontend pwn-intended-0x1 | |
| tcp-request connection reject if { src -f /etc/haproxy/blacklist.lst } | |
| tcp-request connection reject if { src_conn_rate(Abuse) ge 50 } | |
| tcp-request connection reject if { src_conn_cur(Abuse) ge 50 } | |
| tcp-request connection track-sc1 src table Abuse | |
| bind *:30001 | |
| frontend pwn-intended-0x2 | |
| tcp-request connection reject if { src -f /etc/haproxy/blacklist.lst } | |
| tcp-request connection reject if { src_conn_rate(Abuse) ge 50 } | |
| tcp-request connection reject if { src_conn_cur(Abuse) ge 50 } | |
| tcp-request connection track-sc1 src table Abuse | |
| bind *:30007 | |
| frontend pwn-intended-0x3 | |
| tcp-request connection reject if { src -f /etc/haproxy/blacklist.lst } | |
| tcp-request connection reject if { src_conn_rate(Abuse) ge 50 } | |
| tcp-request connection reject if { src_conn_cur(Abuse) ge 50 } | |
| tcp-request connection track-sc1 src table Abuse | |
| bind *:30013 | |
| frontend global-warming | |
| tcp-request connection reject if { src -f /etc/haproxy/blacklist.lst } | |
| tcp-request connection reject if { src_conn_rate(Abuse) ge 50 } | |
| tcp-request connection reject if { src_conn_cur(Abuse) ge 50 } | |
| tcp-request connection track-sc1 src table Abuse | |
| bind *:30023 | |
| frontend smash | |
| tcp-request connection reject if { src -f /etc/haproxy/blacklist.lst } | |
| tcp-request connection reject if { src_conn_rate(Abuse) ge 50 } | |
| tcp-request connection reject if { src_conn_cur(Abuse) ge 50 } | |
| tcp-request connection track-sc1 src table Abuse | |
| bind *:30046 | |
| # WEB | |
| frontend body-count | |
| tcp-request connection reject if { src -f /etc/haproxy/blacklist.lst } | |
| tcp-request connection reject if { src_conn_rate(Abuse) ge 50 } | |
| tcp-request connection reject if { src_conn_cur(Abuse) ge 50 } | |
| tcp-request connection track-sc1 src table Abuse | |
| bind *:30202 | |
| frontend cascade | |
| tcp-request connection reject if { src -f /etc/haproxy/blacklist.lst } | |
| tcp-request connection reject if { src_conn_rate(Abuse) ge 50 } | |
| tcp-request connection reject if { src_conn_cur(Abuse) ge 50 } | |
| tcp-request connection track-sc1 src table Abuse | |
| bind *:30203 | |
| frontend ccc | |
| tcp-request connection reject if { src -f /etc/haproxy/blacklist.lst } | |
| tcp-request connection reject if { src_conn_rate(Abuse) ge 50 } | |
| tcp-request connection reject if { src_conn_cur(Abuse) ge 50 } | |
| tcp-request connection track-sc1 src table Abuse | |
| bind *:30125 | |
| frontend file-library | |
| tcp-request connection reject if { src -f /etc/haproxy/blacklist.lst } | |
| tcp-request connection reject if { src_conn_rate(Abuse) ge 50 } | |
| tcp-request connection reject if { src_conn_cur(Abuse) ge 50 } | |
| tcp-request connection track-sc1 src table Abuse | |
| bind *:30222 | |
| frontend mr-rami | |
| tcp-request connection reject if { src -f /etc/haproxy/blacklist.lst } | |
| tcp-request connection reject if { src_conn_rate(Abuse) ge 50 } | |
| tcp-request connection reject if { src_conn_cur(Abuse) ge 50 } | |
| tcp-request connection track-sc1 src table Abuse | |
| bind *:30231 | |
| frontend oreo | |
| tcp-request connection reject if { src -f /etc/haproxy/blacklist.lst } | |
| tcp-request connection reject if { src_conn_rate(Abuse) ge 50 } | |
| tcp-request connection reject if { src_conn_cur(Abuse) ge 50 } | |
| tcp-request connection track-sc1 src table Abuse | |
| bind *:30243 | |
| frontend the-confused-deputy | |
| tcp-request connection reject if { src -f /etc/haproxy/blacklist.lst } | |
| tcp-request connection reject if { src_conn_rate(Abuse) ge 50 } | |
| tcp-request connection reject if { src_conn_cur(Abuse) ge 50 } | |
| tcp-request connection track-sc1 src table Abuse | |
| bind *:30256 | |
| frontend the-usual-suspects | |
| tcp-request connection reject if { src -f /etc/haproxy/blacklist.lst } | |
| tcp-request connection reject if { src_conn_rate(Abuse) ge 50 } | |
| tcp-request connection reject if { src_conn_cur(Abuse) ge 50 } | |
| tcp-request connection track-sc1 src table Abuse | |
| bind *:30279 | |
| frontend warm-up | |
| tcp-request connection reject if { src -f /etc/haproxy/blacklist.lst } | |
| tcp-request connection reject if { src_conn_rate(Abuse) ge 50 } | |
| tcp-request connection reject if { src_conn_cur(Abuse) ge 50 } | |
| tcp-request connection track-sc1 src table Abuse | |
| bind *:30272 | |
| frontend secure-portal | |
| tcp-request connection reject if { src -f /etc/haproxy/blacklist.lst } | |
| tcp-request connection reject if { src_conn_rate(Abuse) ge 50 } | |
| tcp-request connection reject if { src_conn_cur(Abuse) ge 50 } | |
| tcp-request connection track-sc1 src table Abuse | |
| bind *:30281 | |
| # MISC | |
| frontend escape-plan | |
| tcp-request connection reject if { src -f /etc/haproxy/blacklist.lst } | |
| tcp-request connection reject if { src_conn_rate(Abuse) ge 50 } | |
| tcp-request connection reject if { src_conn_cur(Abuse) ge 50 } | |
| tcp-request connection track-sc1 src table Abuse | |
| bind *:30419 | |
| frontend friends | |
| tcp-request connection reject if { src -f /etc/haproxy/blacklist.lst } | |
| tcp-request connection reject if { src_conn_rate(Abuse) ge 50 } | |
| tcp-request connection reject if { src_conn_cur(Abuse) ge 50 } | |
| tcp-request connection track-sc1 src table Abuse | |
| bind *:30425 | |
| frontend prison-break | |
| tcp-request connection reject if { src -f /etc/haproxy/blacklist.lst } | |
| tcp-request connection reject if { src_conn_rate(Abuse) ge 50 } | |
| tcp-request connection reject if { src_conn_cur(Abuse) ge 50 } | |
| tcp-request connection track-sc1 src table Abuse | |
| bind *:30407 | |
| # REV | |
| frontend blaise | |
| tcp-request connection reject if { src -f /etc/haproxy/blacklist.lst } | |
| tcp-request connection reject if { src_conn_rate(Abuse) ge 50 } | |
| tcp-request connection reject if { src_conn_cur(Abuse) ge 50 } | |
| tcp-request connection track-sc1 src table Abuse | |
| bind *:30808 | |
| frontend vietnam | |
| tcp-request connection reject if { src -f /etc/haproxy/blacklist.lst } | |
| tcp-request connection reject if { src_conn_rate(Abuse) ge 50 } | |
| tcp-request connection reject if { src_conn_cur(Abuse) ge 50 } | |
| tcp-request connection track-sc1 src table Abuse | |
| bind *:30814 | |
| frontend aka | |
| tcp-request connection reject if { src -f /etc/haproxy/blacklist.lst } | |
| tcp-request connection reject if { src_conn_rate(Abuse) ge 50 } | |
| tcp-request connection reject if { src_conn_cur(Abuse) ge 50 } | |
| tcp-request connection track-sc1 src table Abuse | |
| bind *:30611 | |
| frontend where-am-i | |
| tcp-request connection reject if { src -f /etc/haproxy/blacklist.lst } | |
| tcp-request connection reject if { src_conn_rate(Abuse) ge 50 } | |
| tcp-request connection reject if { src_conn_cur(Abuse) ge 50 } | |
| tcp-request connection track-sc1 src table Abuse | |
| bind *:30623 | |
| # Lastly, create the chall-cluster backend | |
| # We setup HaProxy to use round robin load balancing | |
| # Add a server statement for each node's IP in your cluster | |
| backend chall-cluster | |
| mode tcp | |
| balance roundrobin | |
| server node1 10.154.0.19 | |
| server node2 10.154.0.22 | |
| server node3 10.154.0.21 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment