Source: GitHub repository https://github.com/analytically/haproxy-ddos (owner: analytically, language: Smarty, license: Apache-2.0, archived; created 2015-05-11, last push 2016-07-20; 238 stars, 54 forks, 3 open issues). Listed in an awesome-list under Tools > HAProxy.

## haproxy-ddos

DDoS and attack resilient [HAProxy](http://www.haproxy.org/) configuration. To be used behind [CloudFlare](https://www.cloudflare.com/).
Use it to build [Docker](http://www.docker.com) container-based load balancers. Follow [@analytically](http://twitter.com/analytically) for updates. Pull requests for blocking other attack vectors are welcome!

Partly inspired by [HAProxy termination in AWS](https://jve.linuxwall.info/ressources/taf/haproxy-aws/).

### Building

```sh
docker build -t mycompany/haproxy-ddos .
```

### Running

Mozilla's recommended ['Modern'](https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility) TLS configuration is used. Mount the
directory containing your SSL certificates (PEM files) as `/etc/ssl/private/`:

```sh
docker run --cap-add=NET_ADMIN --restart=always \
  -v /opt/mycompany/ssl:/etc/ssl/private \
  -t -i mycompany/haproxy-ddos bash
```

This gives you a bash prompt inside the Docker container. To customize the backends, edit [`haproxy.cfg.tpl`](https://github.com/analytically/haproxy-ddos/blob/master/haproxy.cfg.tpl).

### Blocking

Two ways of blocking clients are used: a plain deny (served as an HTTP 200 response page) and a tarpit. The tarpit holds the request without responding for a delay of
10 seconds. After that delay, if the client is still connected, an HTTP 500 error is returned so that the client does not suspect it has been tarpitted.

Client IPs are tracked in a global stick table. Each IP is stored for a limited amount of time, with several counters attached to it. When a new connection
comes in, the stick table is evaluated to verify that the new connection from this client is allowed to continue.

The client IP is taken from the `CF-Connecting-IP` HTTP header that CloudFlare adds. That header is only trustworthy for requests that really arrived through CloudFlare: a client that can reach the load balancer directly can put any address in it, so the origin must only accept connections from CloudFlare's published address ranges.

#### Deny block

HTTP `200` for the app backend, `403` for the API backend.

- IPs from the following countries (via http://ip.ludost.net/): af, ci, cu, ee, eg, er, id, iq, ir, kp, kr, lb, lr, ly, mm, my, ro, rs, sd, so, sy, th, tr, ua, vn, ye, zw
- IPs from the exploited-servers blocklist at http://www.wizcrafts.net/exploited-servers-iptables-blocklist.html
- IPs from the Nigerian blocklist at http://www.wizcrafts.net/nigerian-iptables-blocklist.html
- CyberGhost VPN, Hotspot Shield Elite VPN
- TOR nodes listed on https://www.dan.me.uk/torlist/
- DigitalOcean, ServerStack and AWS (VPS providers that can easily be used to set up VPN/TOR nodes)

#### Tarpit block

- TARPIT the new connection if the client already has 10 connections open
- TARPIT the new connection if the client has opened more than 20 connections in 3 seconds
- TARPIT the connection if the client has exceeded the HTTP error rate (10 s window)
- TARPIT the connection if the client has exceeded the HTTP request rate (10 s window)
- TARPIT requests with a Content-Length larger than 20 kB (e.g. POST requests)
- TARPIT requests with more than 10 Range headers (see http://httpd.apache.org/security/CVE-2011-3192.txt)
- TARPIT requests for .ida .asp .dll .exe .sh .pl .py .so chat phpbb sumthin horde _vti_bin MSOffice %00 `<script` xmlrpc.php
- TARPIT requests with illegal headers

### HAProxy Stats

Available on [http://localhost:9090](http://localhost:9090); use `haproxy/haproxy` for read-only access and `admin/FeYskS2qjP7qvED` for admin access. Both passwords are public in this README, so change them before deploying, and do not expose the stats port beyond the host.

### Webhooks (via [CaptainHook](https://github.com/bketelsen/captainhook))

Nothing in the calls below authenticates the caller, so keep port 666 reachable from localhost only.

#### Updating the TOR node list

```sh
curl -X POST localhost:666/update-tor-exit-nodes
```

#### Restarting HAProxy

```sh
curl -X POST localhost:666/restart-haproxy
```

### Issues

Don't run on Docker using OverlayFS.

### Logstash

If you set the environment variable `LOGSTASH_SERVICE_HOST` to the [Logstash](http://logstash.net/) host, HAProxy will log to it (port 5140).
Use the following configuration to better deal with HAProxy's logging:

```
if [type] == "haproxy" {
    grok {
      match           => ["message", "%{IP:client_ip}:%{INT:client_port} \[%{HAPROXYDATE:accept_date}\] %{NOTSPACE:frontend_name} %{NOTSPACE:backend_name}/%{NOTSPACE:server_name} %{INT:time_request}/%{INT:time_queue}/%{INT:time_backend_connect}/%{INT:time_backend_response}/%{NOTSPACE:time_duration} %{INT:http_status_code} %{NOTSPACE:bytes_read} %{DATA:captured_request_cookie} %{DATA:captured_response_cookie} %{NOTSPACE:termination_state} %{INT:actconn}/%{INT:feconn}/%{INT:beconn}/%{INT:srvconn}/%{NOTSPACE:retries} %{INT:srv_queue}/%{INT:backend_queue} (\{%{DATA:request_header_host}\|%{DATA:request_header_x_forwarded_for}\|%{DATA:request_header_accept_language}\|%{DATA:request_header_referer}\|%{DATA:request_header_user_agent}\|%{DATA:request_cf_ip_country}\|%{DATA:request_cf_connecting_ip}\|%{DATA:request_cf_ray}\|%{DATA:request_content_length}\|%{DATA:request_haproxy_acl}\|%{DATA:request_haproxy_tarpit}\|%{DATA:request_bc_api_access_key}\})?( )?(\{%{HAPROXYCAPTUREDRESPONSEHEADERS}\})?( )?\"(<BADREQ>|(%{WORD:http_verb} (%{URIPROTO:http_proto}://)?(?:%{USER:http_user}(?::[^@]*)?@)?(?:%{URIHOST:http_host})?(?:%{URIPATHPARAM:http_request})?( HTTP/%{NUMBER:http_version})?))?"]
    }

    # Re-do the timestamp, because haproxy logs come with sub-second precision
    date {
      match           => ["accept_date", "d/MMM/YYYY:HH:mm:ss.SSS"]
      timezone        => "UTC"
      remove_field    => ["accept_date", "haproxy_monthday", "haproxy_month", "haproxy_time", "haproxy_year", "haproxy_hour", "haproxy_minute", "haproxy_second", "haproxy_milliseconds"]
      add_tag         => "haproxy"
    }

    # Geolocate the real client address captured from CF-Connecting-IP, not the
    # CloudFlare edge address HAProxy sees as the TCP peer
    geoip {
      source          => "request_cf_connecting_ip"
      target          => "geoip"
      add_field       => ["[geoip][coordinates]","%{[geoip][longitude]}"]
      add_field       => ["[geoip][coordinates]","%{[geoip][latitude]}"]
      add_tag         => [ "geoip" ]
    }

    # Clean up
    if [captured_request_cookie] == "-" { mutate { remove_field => "captured_request_cookie" } }
    if [captured_response_cookie] == "-" { mutate { remove_field => "captured_response_cookie" } }

    mutate {
      replace =>   ["type", "haproxy"]
      convert =>   [ "client_port", "integer" ]
      convert =>   [ "time_request", "integer" ]
      convert =>   [ "time_queue", "integer" ]
      convert =>   [ "time_backend_connect", "integer" ]
      convert =>   [ "time_backend_response", "integer" ]
      convert =>   [ "time_duration", "integer" ]
      convert =>   [ "http_status_code", "integer" ]
      convert =>   [ "bytes_read", "integer" ]
      convert =>   [ "actconn", "integer" ]
      convert =>   [ "feconn", "integer" ]
      convert =>   [ "beconn", "integer" ]
      convert =>   [ "srvconn", "integer" ]
      convert =>   [ "retries", "integer" ]
      convert =>   [ "srv_queue", "integer" ]
      convert =>   [ "backend_queue", "integer" ]
      convert =>   [ "[geoip][coordinates]", "float" ]
      uppercase => [ "http_verb" ]
    }
  }
```

### License

Licensed under the [Apache License, Version 2.0](http://www.apache.org/licenses/LICENSE-2.0).

Copyright 2015 [Mathias Bogaert](mailto:mathias.bogaert@gmail.com).
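The deny and tarpit rules from the Blocking section, written out as one HAProxy frontend. This is an added example, not the project's `haproxy.cfg.tpl`: it uses HAProxy 2.2+ syntax rather than the 1.5-era directives the repository was written for, and the list file paths (`/etc/haproxy/*.lst`), the backend names and addresses, the `/api/` prefix used to tell the API backend from the app backend, the 200 page body, and the numeric error and request rate thresholds are assumptions. The "illegal headers" rule is not reproduced because HAProxy's parser already rejects malformed requests unless `option accept-invalid-http-request` is set.

```haproxy
# Added illustration of the README's blocking rules. NOT the project's own
# haproxy.cfg.tpl; file paths, backend addresses and thresholds are assumed.
global
    log stdout format raw local0
    ssl-default-bind-options ssl-min-ver TLSv1.2

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s
    # How long a tarpitted request is held before the 500 goes out
    timeout tarpit  10s

frontend fe_https
    bind :443 ssl crt /etc/ssl/private/ alpn h2,http/1.1

    # CF-Connecting-IP can only be trusted if the TCP peer is CloudFlare.
    # cloudflare_ips.lst is assumed to hold CloudFlare's published prefixes.
    tcp-request connection reject unless { src -f /etc/haproxy/cloudflare_ips.lst }

    # Per-client counters keyed on the real client address (ipv6 type also
    # stores IPv4). Windows match the README: 3 s for connection bursts,
    # 10 s for the request and error rates.
    stick-table type ipv6 size 1m expire 5m store conn_cur,conn_rate(3s),http_req_rate(10s),http_err_rate(10s)
    http-request track-sc0 req.hdr_ip(CF-Connecting-IP)

    # Make the real client address and country appear in the log line
    capture request header CF-Connecting-IP len 45
    capture request header CF-IPCountry len 2

    # ---- Deny block: list based -------------------------------------------
    acl is_api          path_beg /api/
    acl blocked_country req.hdr(CF-IPCountry) -i -f /etc/haproxy/blocked_countries.lst
    acl blocked_ip      req.hdr_ip(CF-Connecting-IP) -f /etc/haproxy/blocked_ips.lst
    acl tor_exit        req.hdr_ip(CF-Connecting-IP) -f /etc/haproxy/tor_exit_nodes.lst
    http-request set-var(txn.blocked) int(1) if blocked_country or blocked_ip or tor_exit
    acl blocked var(txn.blocked) -m found
    # API callers get an honest 403; app traffic gets a 200 page so that
    # automated tools do not learn they were blocked.
    http-request deny deny_status 403 if blocked is_api
    http-request return status 200 content-type "text/html" string "<html><body>Service temporarily unavailable.</body></html>" if blocked

    # ---- Tarpit block: behaviour based ------------------------------------
    acl too_many_open sc_conn_cur(0) gt 10
    acl conn_burst    sc_conn_rate(0) gt 20
    acl err_flood     sc_http_err_rate(0) gt 30
    acl req_flood     sc_http_req_rate(0) gt 200
    acl big_body      req.hdr_val(Content-Length) gt 20000
    acl range_abuse   req.hdr_cnt(Range) gt 10
    acl scanner_path  path_end -i .ida .asp .dll .exe .sh .pl .py .so
    acl scanner_path  path_sub -i chat phpbb sumthin horde _vti_bin MSOffice xmlrpc.php
    acl scanner_path  url_sub -i %00 "<script"
    http-request tarpit if too_many_open or conn_burst or err_flood or req_flood or big_body or range_abuse or scanner_path

    use_backend be_api if is_api
    default_backend be_app

backend be_app
    server app1 10.0.0.10:8080 check

backend be_api
    server api1 10.0.0.20:8080 check
```

The `tcp-request connection reject` line is the check that makes everything below it meaningful: without it, anyone who discovers the origin address can set `CF-Connecting-IP` to an arbitrary value and both the stick-table counters and the list-based denies are keyed on attacker-chosen data. The `set-var` / `-m found` pair is needed because an `acl` line cannot combine other ACLs with `or`; the variable lets the two deny actions share one condition. Validate with `haproxy -c -f haproxy.cfg` before reloading.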