| # |
| # demo config for Proxy mode |
| # |
| |
| global |
| maxconn 20000 |
| ulimit-n 16384 |
| log 127.0.0.1 local0 |
| uid 200 |
| gid 200 |
| chroot /var/empty |
| daemon |
| |
| frontend test-proxy |
| bind 192.168.200.10:8080 |
| mode http |
| log global |
| option httplog |
| option dontlognull |
| maxconn 8000 |
| timeout client 30s |
| |
| # layer3: Valid users |
| acl allow_host src 192.168.200.150/32 |
| http-request deny if !allow_host |
| |
| # layer7: prevent private network relaying |
| acl forbidden_dst url_ip 192.168.0.0/24 |
| acl forbidden_dst url_ip 172.16.0.0/12 |
| acl forbidden_dst url_ip 10.0.0.0/8 |
| http-request deny if forbidden_dst |
| |
| default_backend test-proxy-srv |
| |
| |
| backend test-proxy-srv |
| mode http |
| timeout connect 5s |
| timeout server 5s |
| retries 2 |
| |
| # layer7: Only GET method is valid |
| acl valid_method method GET |
| http-request deny if !valid_method |
| |
| # take IP address from URL's authority |
| # and drop scheme+authority from URI |
| http-request set-dst url_ip |
| http-request set-dst-port url_port |
| http-request set-uri %[pathq] |
| server next-hop 0.0.0.0 |
| |
| # layer7: protect bad reply |
| http-response deny if { res.hdr(content-type) audio/mp3 } |