1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
|
# This sample configuration makes extensive use of the ACLs. It requires
# HAProxy version 1.3.12 minimum.
global
log loghost local0
log localhost local0 err
maxconn 250
uid 71
gid 71
chroot /var/empty
pidfile /var/run/haproxy.pid
daemon
quiet
frontend http-in
bind :80
mode http
log global
clitimeout 30000
option httplog
option dontlognull
#option logasap
option httpclose
maxconn 100
capture request header Host len 20
capture request header User-Agent len 16
capture request header Content-Length len 10
capture request header Referer len 20
capture response header Content-Length len 10
# block any unwanted source IP addresses or networks
acl forbidden_src src 0.0.0.0/7 224.0.0.0/3
acl forbidden_src src_port 0:1023
block if forbidden_src
# block requests beginning with http:// on wrong domains
acl dangerous_pfx url_beg -i http://
acl valid_pfx url_reg -i ^http://[^/]*1wt\.eu/
block if dangerous_pfx !valid_pfx
# block apache chunk exploit, ...
acl forbidden_hdrs hdr_sub(transfer-encoding) -i chunked
acl forbidden_hdrs hdr_beg(host) -i apache- localhost
# ... some HTTP content smugling and other various things
acl forbidden_hdrs hdr_cnt(host) gt 1
acl forbidden_hdrs hdr_cnt(content-length) gt 1
acl forbidden_hdrs hdr_val(content-length) lt 0
acl forbidden_hdrs hdr_cnt(proxy-authorization) gt 0
block if forbidden_hdrs
# block annoying worms that fill the logs...
acl forbidden_uris url_reg -i .*(\.|%2e)(\.|%2e)(%2f|%5c|/|\\\\)
acl forbidden_uris url_sub -i %00 <script xmlrpc.php
acl forbidden_uris path_end -i /root.exe /cmd.exe /default.ida /awstats.pl .asp .dll
# block other common attacks (awstats, manual discovery...)
acl forbidden_uris path_dir -i chat main.php read_dump.php viewtopic.php phpbb sumthin horde _vti_bin MSOffice
acl forbidden_uris url_reg -i (\.php\?temppath=|\.php\?setmodules=|[=:]http://)
block if forbidden_uris
# we rewrite the "options" request so that it only tries '*', and we
# only report GET, HEAD, POST and OPTIONS as valid methods
reqirep ^OPTIONS\ /.*HTTP/1\.[01]$ OPTIONS\ \\*\ HTTP/1.0
rspirep ^Allow:\ .* Allow:\ GET,\ HEAD,\ POST,\ OPTIONS
acl host_demo hdr_beg(host) -i demo.
acl host_www2 hdr_beg(host) -i www2.
use_backend demo if host_demo
use_backend www2 if host_www2
default_backend www
backend www
mode http
source 192.168.21.2:0
balance roundrobin
cookie SERVERID
server www1 192.168.12.2:80 check inter 30000 rise 2 fall 3 maxconn 10
server back 192.168.11.2:80 check inter 30000 rise 2 fall 5 backup cookie back maxconn 8
# long timeout to support connection queueing
contimeout 20000
srvtimeout 20000
fullconn 100
redispatch
retries 3
option httpchk HEAD /
option forwardfor
option checkcache
option httpclose
# allow other syntactically valid requests, and block any other method
acl valid_method method GET HEAD POST OPTIONS
block if !valid_method
block if HTTP_URL_STAR !METH_OPTIONS
block if !HTTP_URL_SLASH !HTTP_URL_STAR !HTTP_URL_ABS
# remove unnecessary precisions on the server version. Let's say
# it's an apache under Unix on the Formilux Distro.
rspidel ^Server:\
rspadd Server:\ Apache\ (Unix;\ Formilux/0.1.8)
defaults non_standard_bck
mode http
source 192.168.21.2:0
option forwardfor
option httpclose
balance roundrobin
fullconn 100
contimeout 20000
srvtimeout 20000
retries 2
backend www2
server www2 192.168.22.2:80 maxconn 10
# end of defaults
defaults none
backend demo
mode http
balance roundrobin
stats enable
stats uri /
stats scope http-in
stats scope www
stats scope demo
|
