examples/acl-content-sw.cfg - haproxy - Gitiles

 # This sample configuration makes extensive use of the ACLs. It requires
 # HAProxy version 1.3.12 minimum.

 global
 	log	   loghost   local0
 	log	   localhost local0 err
 	maxconn	   250
 	uid	   71
 	gid	   71
 	chroot	   /var/empty
 	pidfile	   /var/run/haproxy.pid
 	daemon
 	quiet

 frontend http-in
 	bind       :80
 	mode       http
 	log        global
 	clitimeout 30000
 	option     httplog
 	option     dontlognull
 	#option    logasap
 	option     httpclose
 	maxconn    100

 	capture request  header Host           len 20
 	capture request  header User-Agent     len 16
 	capture request  header Content-Length len 10
 	capture request  header Referer        len 20
 	capture response header Content-Length len 10

 	# block any unwanted source IP addresses or networks
 	acl forbidden_src src      0.0.0.0/7 224.0.0.0/3
 	acl forbidden_src src_port 0:1023
 	block if forbidden_src

 	# block requests beginning with http:// on wrong domains
 	acl dangerous_pfx  url_beg -i  http://
 	acl valid_pfx      url_reg -i ^http://[^/]*1wt\.eu/
 	block if dangerous_pfx !valid_pfx

 	# block apache chunk exploit, ...
 	acl forbidden_hdrs hdr_sub(transfer-encoding) -i chunked
 	acl forbidden_hdrs hdr_beg(host)              -i apache- localhost

 	# ... some HTTP content smugling and other various things
 	acl forbidden_hdrs hdr_cnt(host) gt 1
 	acl forbidden_hdrs hdr_cnt(content-length) gt 1
 	acl forbidden_hdrs hdr_val(content-length) lt 0
 	acl forbidden_hdrs hdr_cnt(proxy-authorization) gt 0
 	block if forbidden_hdrs

 	# block annoying worms that fill the logs...
 	acl forbidden_uris url_reg -i .*(\.|%2e)(\.|%2e)(%2f|%5c|/|\\\\)
 	acl forbidden_uris url_sub -i %00 <script xmlrpc.php
 	acl forbidden_uris path_end -i /root.exe /cmd.exe /default.ida /awstats.pl .asp .dll

 	# block other common attacks (awstats, manual discovery...)
 	acl forbidden_uris path_dir -i chat main.php read_dump.php viewtopic.php phpbb sumthin horde _vti_bin MSOffice
 	acl forbidden_uris url_reg -i (\.php\?temppath=|\.php\?setmodules=|[=:]http://)
 	block if forbidden_uris

 	# we rewrite the "options" request so that it only tries '*', and we
 	# only report GET, HEAD, POST and OPTIONS as valid methods
 	reqirep		^OPTIONS\ /.*HTTP/1\.[01]$ OPTIONS\ \\*\ HTTP/1.0
 	rspirep		^Allow:\ .* Allow:\ GET,\ HEAD,\ POST,\ OPTIONS

 	acl host_demo   hdr_beg(host) -i demo.
 	acl host_www2   hdr_beg(host) -i www2.

 	use_backend	demo   if host_demo
 	use_backend	www2   if host_www2
 	default_backend	www

 backend www
 	mode	http
 	source	192.168.21.2:0
 	balance roundrobin
 	cookie SERVERID
 	server www1 192.168.12.2:80 check inter 30000 rise 2 fall 3 maxconn 10
 	server back 192.168.11.2:80 check inter 30000 rise 2 fall 5 backup cookie back maxconn 8

 	# long timeout to support connection queueing
 	contimeout	20000
 	srvtimeout	20000
 	fullconn 100
 	redispatch
 	retries	3

 	option httpchk HEAD /
 	option forwardfor
 	option checkcache
 	option httpclose

 	# allow other syntactically valid requests, and block any other method
         acl valid_method method GET HEAD POST OPTIONS
         block if !valid_method
         block if HTTP_URL_STAR !METH_OPTIONS
         block if !HTTP_URL_SLASH !HTTP_URL_STAR !HTTP_URL_ABS

 	# remove unnecessary precisions on the server version. Let's say
 	# it's an apache under Unix on the Formilux Distro.
 	rspidel		^Server:\
 	rspadd		Server:\ Apache\ (Unix;\ Formilux/0.1.8)

 defaults non_standard_bck
 	mode	http
 	source	192.168.21.2:0
 	option forwardfor
 	option httpclose
 	balance roundrobin
 	fullconn 100
 	contimeout	20000
 	srvtimeout	20000
 	retries	2

 backend www2
 	server www2 192.168.22.2:80 maxconn 10

 # end of defaults
 defaults none

 backend demo
 	mode http
 	balance roundrobin
 	stats enable
 	stats uri /
 	stats scope http-in
 	stats scope www
 	stats scope demo
	# This sample configuration makes extensive use of the ACLs. It requires
	# HAProxy version 1.3.12 minimum.

	global
	log loghost local0
	log localhost local0 err
	maxconn 250
	uid 71
	gid 71
	chroot /var/empty
	pidfile /var/run/haproxy.pid
	daemon
	quiet

	frontend http-in
	bind :80
	mode http
	log global
	clitimeout 30000
	option httplog
	option dontlognull
	#option logasap
	option httpclose
	maxconn 100

	capture request header Host len 20
	capture request header User-Agent len 16
	capture request header Content-Length len 10
	capture request header Referer len 20
	capture response header Content-Length len 10

	# block any unwanted source IP addresses or networks
	acl forbidden_src src 0.0.0.0/7 224.0.0.0/3
	acl forbidden_src src_port 0:1023
	block if forbidden_src

	# block requests beginning with http:// on wrong domains
	acl dangerous_pfx url_beg -i http://
	acl valid_pfx url_reg -i ^http://[^/]*1wt\.eu/
	block if dangerous_pfx !valid_pfx

	# block apache chunk exploit, ...
	acl forbidden_hdrs hdr_sub(transfer-encoding) -i chunked
	acl forbidden_hdrs hdr_beg(host) -i apache- localhost

	# ... some HTTP content smugling and other various things
	acl forbidden_hdrs hdr_cnt(host) gt 1
	acl forbidden_hdrs hdr_cnt(content-length) gt 1
	acl forbidden_hdrs hdr_val(content-length) lt 0
	acl forbidden_hdrs hdr_cnt(proxy-authorization) gt 0
	block if forbidden_hdrs

	# block annoying worms that fill the logs...
	acl forbidden_uris url_reg -i .*(\.\|%2e)(\.\|%2e)(%2f\|%5c\|/\|\\\\)
	acl forbidden_uris url_sub -i %00 <script xmlrpc.php
	acl forbidden_uris path_end -i /root.exe /cmd.exe /default.ida /awstats.pl .asp .dll

	# block other common attacks (awstats, manual discovery...)
	acl forbidden_uris path_dir -i chat main.php read_dump.php viewtopic.php phpbb sumthin horde _vti_bin MSOffice
	acl forbidden_uris url_reg -i (\.php\?temppath=\|\.php\?setmodules=\|[=:]http://)
	block if forbidden_uris

	# we rewrite the "options" request so that it only tries '*', and we
	# only report GET, HEAD, POST and OPTIONS as valid methods
	reqirep ^OPTIONS\ /.HTTP/1\.[01]$ OPTIONS\ \\\ HTTP/1.0
	rspirep ^Allow:\ .* Allow:\ GET,\ HEAD,\ POST,\ OPTIONS

	acl host_demo hdr_beg(host) -i demo.
	acl host_www2 hdr_beg(host) -i www2.

	use_backend demo if host_demo
	use_backend www2 if host_www2
	default_backend www

	backend www
	mode http
	source 192.168.21.2:0
	balance roundrobin
	cookie SERVERID
	server www1 192.168.12.2:80 check inter 30000 rise 2 fall 3 maxconn 10
	server back 192.168.11.2:80 check inter 30000 rise 2 fall 5 backup cookie back maxconn 8

	# long timeout to support connection queueing
	contimeout 20000
	srvtimeout 20000
	fullconn 100
	redispatch
	retries 3

	option httpchk HEAD /
	option forwardfor
	option checkcache
	option httpclose

	# allow other syntactically valid requests, and block any other method
	acl valid_method method GET HEAD POST OPTIONS
	block if !valid_method
	block if HTTP_URL_STAR !METH_OPTIONS
	block if !HTTP_URL_SLASH !HTTP_URL_STAR !HTTP_URL_ABS

	# remove unnecessary precisions on the server version. Let's say
	# it's an apache under Unix on the Formilux Distro.
	rspidel ^Server:\
	rspadd Server:\ Apache\ (Unix;\ Formilux/0.1.8)

	defaults non_standard_bck
	mode http
	source 192.168.21.2:0
	option forwardfor
	option httpclose
	balance roundrobin
	fullconn 100
	contimeout 20000
	srvtimeout 20000
	retries 2

	backend www2
	server www2 192.168.22.2:80 maxconn 10

	# end of defaults
	defaults none

	backend demo
	mode http
	balance roundrobin
	stats enable
	stats uri /
	stats scope http-in
	stats scope www
	stats scope demo