View file File name : acl-content-sw.cfg Content :# This sample configuration makes extensive use of the ACLs. It requires # HAProxy version 1.3.12 minimum. global log loghost local0 log localhost local0 err maxconn 250 uid 71 gid 71 chroot /var/empty pidfile /var/run/haproxy.pid daemon quiet frontend http-in bind :80 mode http log global clitimeout 30000 option httplog option dontlognull #option logasap option httpclose maxconn 100 capture request header Host len 20 capture request header User-Agent len 16 capture request header Content-Length len 10 capture request header Referer len 20 capture response header Content-Length len 10 # block any unwanted source IP addresses or networks acl forbidden_src src 0.0.0.0/7 224.0.0.0/3 acl forbidden_src src_port 0:1023 block if forbidden_src # block requests beginning with http:// on wrong domains acl dangerous_pfx url_beg -i http:// acl valid_pfx url_reg -i ^http://[^/]*1wt\.eu/ block if dangerous_pfx !valid_pfx # block apache chunk exploit, ... acl forbidden_hdrs hdr_sub(transfer-encoding) -i chunked acl forbidden_hdrs hdr_beg(host) -i apache- localhost # ... some HTTP content smugling and other various things acl forbidden_hdrs hdr_cnt(host) gt 1 acl forbidden_hdrs hdr_cnt(content-length) gt 1 acl forbidden_hdrs hdr_val(content-length) lt 0 acl forbidden_hdrs hdr_cnt(proxy-authorization) gt 0 block if forbidden_hdrs # block annoying worms that fill the logs... acl forbidden_uris url_reg -i .*(\.|%2e)(\.|%2e)(%2f|%5c|/|\\\\) acl forbidden_uris url_sub -i %00 <script xmlrpc.php acl forbidden_uris path_end -i /root.exe /cmd.exe /default.ida /awstats.pl .asp .dll # block other common attacks (awstats, manual discovery...) acl forbidden_uris path_dir -i chat main.php read_dump.php viewtopic.php phpbb sumthin horde _vti_bin MSOffice acl forbidden_uris url_reg -i (\.php\?temppath=|\.php\?setmodules=|[=:]http://) block if forbidden_uris # we rewrite the "options" request so that it only tries '*', and we # only report GET, HEAD, POST and OPTIONS as valid methods reqirep ^OPTIONS\ /.*HTTP/1\.[01]$ OPTIONS\ \\*\ HTTP/1.0 rspirep ^Allow:\ .* Allow:\ GET,\ HEAD,\ POST,\ OPTIONS acl host_demo hdr_beg(host) -i demo. acl host_www2 hdr_beg(host) -i www2. use_backend demo if host_demo use_backend www2 if host_www2 default_backend www backend www mode http source 192.168.21.2:0 balance roundrobin cookie SERVERID server www1 192.168.12.2:80 check inter 30000 rise 2 fall 3 maxconn 10 server back 192.168.11.2:80 check inter 30000 rise 2 fall 5 backup cookie back maxconn 8 # long timeout to support connection queueing contimeout 20000 srvtimeout 20000 fullconn 100 redispatch retries 3 option httpchk HEAD / option forwardfor option checkcache option httpclose # allow other syntactically valid requests, and block any other method acl valid_method method GET HEAD POST OPTIONS block if !valid_method block if HTTP_URL_STAR !METH_OPTIONS block if !HTTP_URL_SLASH !HTTP_URL_STAR !HTTP_URL_ABS # remove unnecessary precisions on the server version. Let's say # it's an apache under Unix on the Formilux Distro. rspidel ^Server:\ rspadd Server:\ Apache\ (Unix;\ Formilux/0.1.8) defaults non_standard_bck mode http source 192.168.21.2:0 option forwardfor option httpclose balance roundrobin fullconn 100 contimeout 20000 srvtimeout 20000 retries 2 backend www2 server www2 192.168.22.2:80 maxconn 10 # end of defaults defaults none backend demo mode http balance roundrobin stats enable stats uri / stats scope http-in stats scope www stats scope demo