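# This sample configuration makes extensive use of the ACLs. It requires
# HAProxy version 1.3.12 minimum.
#
# Layout: the single public frontend on :80 does all the input filtering
# (source checks, header sanity checks, URI blacklist, method restrictions)
# and then routes by Host header to one of three backends. "www" is the real
# site, "www2" a secondary server, "demo" only serves the stats page.
# (clitimeout/contimeout/srvtimeout are the 1.3 spellings of what later
# versions call "timeout client/connect/server".)

global
	log loghost local0
	log localhost local0 err
	maxconn 250
	# drop privileges and confine the process once :80 is bound
	uid 71
	gid 71
	chroot /var/empty
	pidfile /var/run/haproxy.pid
	daemon
	quiet

frontend http-in
	bind :80
	mode http
	log global
	clitimeout 30000
	option httplog
	option dontlognull
	#option logasap
	option httpclose
	# per-frontend limit, kept well below the global 250
	maxconn 100

	# captured headers are written to the log line; "len" is a truncation limit
	capture request header Host len 20
	capture request header User-Agent len 16
	capture request header Content-Length len 10
	capture request header Referer len 20
	capture response header Content-Length len 10

	# block any unwanted source IP addresses or networks (0.0.0.0/7 and
	# 224.0.0.0/3 are never legitimate unicast clients), and privileged
	# source ports, which ordinary clients do not use
	acl forbidden_src src 0.0.0.0/7 224.0.0.0/3
	acl forbidden_src src_port 0:1023
	block if forbidden_src

	# block requests beginning with http:// on wrong domains.
	# The host is anchored on a label boundary so that a lookalike such as
	# "http://evil1wt.eu/" is rejected, and an explicit port
	# ("http://www.1wt.eu:80/") is still accepted.
	acl dangerous_pfx url_beg -i http://
	acl valid_pfx url_reg -i ^http://([^/]*\.)?1wt\.eu(:[0-9]+)?/
	block if dangerous_pfx !valid_pfx

	# block apache chunk exploit, ... and Host values no real client of
	# this site sends
	acl forbidden_hdrs hdr_sub(transfer-encoding) -i chunked
	acl forbidden_hdrs hdr_beg(host) -i apache- localhost

	# ... some HTTP content smuggling and other various things: duplicate
	# Host or Content-Length headers, a negative Content-Length, and
	# Proxy-Authorization, which is only meaningful when talking to a proxy
	acl forbidden_hdrs hdr_cnt(host) gt 1
	acl forbidden_hdrs hdr_cnt(content-length) gt 1
	acl forbidden_hdrs hdr_val(content-length) lt 0
	acl forbidden_hdrs hdr_cnt(proxy-authorization) gt 0
	block if forbidden_hdrs

	# block annoying worms that fill the logs... The traversal rule matches
	# "." or "%2e" pairs followed by "/", "\", "%2f" or "%5c" (case-insensitive);
	# other encodings (double-encoded "%252e", overlong UTF-8) are not covered.
	acl forbidden_uris url_reg -i .*(\.|%2e)(\.|%2e)(%2f|%5c|/|\\\\)
	acl forbidden_uris url_sub -i %00 <script xmlrpc.php
	acl forbidden_uris path_end -i /root.exe /cmd.exe /default.ida /awstats.pl .asp .dll

	# block other common attacks (awstats, manual discovery...)
	acl forbidden_uris path_dir -i chat main.php read_dump.php viewtopic.php phpbb sumthin horde _vti_bin MSOffice
	acl forbidden_uris url_reg -i (\.php\?temppath=|\.php\?setmodules=|[=:]http://)
	block if forbidden_uris

	# allow other syntactically valid requests, and block any other method.
	# These live in the frontend so that they cover every backend (www2 and
	# the stats backend included), not just "www".
	acl valid_method method GET HEAD POST OPTIONS
	block if !valid_method
	# "*" is only a legal target for OPTIONS; everything else must be a
	# relative path, "*" or an absolute URL (HTTP_URL_* and METH_OPTIONS are
	# haproxy's predefined ACLs)
	block if HTTP_URL_STAR !METH_OPTIONS
	block if !HTTP_URL_SLASH !HTTP_URL_STAR !HTTP_URL_ABS

	# we rewrite the "options" request so that it only tries '*', and we
	# only report GET, HEAD, POST and OPTIONS as valid methods
	reqirep ^OPTIONS\ /.*HTTP/1\.[01]$ OPTIONS\ \\*\ HTTP/1.0
	rspirep ^Allow:\ .* Allow:\ GET,\ HEAD,\ POST,\ OPTIONS

	# strip any client-supplied X-Forwarded-For: "option forwardfor" in the
	# backends appends our value, so without this a client could place an
	# arbitrary address in front of its real one and the server might trust it
	reqidel ^X-Forwarded-For:

	# routing by Host header prefix; everything else goes to the main site
	acl host_demo hdr_beg(host) -i demo.
	acl host_www2 hdr_beg(host) -i www2.

	use_backend demo if host_demo
	use_backend www2 if host_www2
	default_backend www

backend www
	mode http
	source 192.168.21.2:0
	balance roundrobin
	# NOTE(review): only "back" carries a cookie value, "www1" has none;
	# confirm whether stickiness to www1 is actually intended
	cookie SERVERID
	server www1 192.168.12.2:80 check inter 30000 rise 2 fall 3 maxconn 10
	server back 192.168.11.2:80 check inter 30000 rise 2 fall 5 backup cookie back maxconn 8

	# long timeout to support connection queueing
	contimeout 20000
	srvtimeout 20000
	fullconn 100
	redispatch
	retries 3

	option httpchk HEAD /
	option forwardfor
	# block server responses that set a cookie while being cacheable, which
	# would otherwise let a shared cache hand one user's session to another
	option checkcache
	option httpclose

	# remove unnecessary precisions on the server version. Let's say
	# it's an apache under Unix on the Formilux Distro.
	rspidel ^Server:\ 
	rspadd Server:\ Apache\ (Unix;\ Formilux/0.1.8)

defaults non_standard_bck
	mode http
	source 192.168.21.2:0
	option forwardfor
	option httpclose
	balance roundrobin
	fullconn 100
	contimeout 20000
	srvtimeout 20000
	retries 2

backend www2
	# NOTE(review): no "check" on this server, so a dead www2 is never
	# detected by haproxy; add "check" if that matters here
	server www2 192.168.22.2:80 maxconn 10

# end of defaults
defaults none

backend demo
	mode http
	balance roundrobin
	# stats page for the three proxies above, served for any request whose
	# Host starts with "demo.". It is exposed WITHOUT authentication: add
	# "stats auth <user>:<password>" (and "stats realm"), or restrict it with
	# a src ACL, before putting this on a public address.
	stats enable
	stats uri /
	stats scope http-in
	stats scope www
	stats scope demo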