examples/tarpit.cfg - haproxy - Gitiles

 # This configuration is an example of how to use connection tarpitting based
 # on invalid requests.

 global
         daemon
         log 127.0.0.1 local0

 listen  frontend 0.0.0.0:80
         mode    http
         option  httplog
         log     global
         maxconn 10000

 	# do not log requests with no data
         option  dontlognull

 	# log as soon as the server starts to respond, an do not wait for the
 	# end of the data transfer.
         option  logasap

 	# disable keep-alive
         option  httpclose

 	# load balancing mode set to round-robin
         balance roundrobin

         # the maxconn 150 below means 150 connections maximum will be used
         # on apache, the remaining ones will be queued.
 	server  apache1 127.0.0.1:80 maxconn 150

         # use short timeouts for client and server
         clitimeout      20000
         srvtimeout      20000

 	# the connect timeout should be large because it will also be used
 	# to define the queue timeout and the tarpit timeout. It generally
 	# is a good idea to set it to the same value as both above, and it
 	# will improve performance when dealing with thousands of connections.
         contimeout      20000

 	# retry only once when a valid connection fails because the server
 	# is overloaded.
         retries 1

         # You might want to enable this option if the attacks start
         # targetting valid URLs.
         # option abortonclose

 	# not needed anymore.
 	#capture request header X-Forwarded-For len 15

 	# and add a new 'X-Forwarded-For: IP'
         option  forwardfor

 	# how to access the status reporting web interface
         stats uri /stat
         stats auth stat:stat

 	# Request header and URI processing begins here.

 	# rename the 'X-Forwarded-For:' header as 'X-Forwarded-For2:'
         reqirep ^(X-Forwarded-For:)(.*) X-Forwarded-For2:\2

 	#### Now check the URI for requests we want to tarpit ###
 	# We do not analyze headers, we just focus on the request
 	reqpass ^[^:\ ]*:

 	# Tarpit those URIs for any method
         reqtarpit  ^[^:\ ]*\ /invalid_req1
         reqtarpit  ^[^:\ ]*\ /cgi-bin/.*\.pl\?
         reqitarpit ^[^:\ ]*\ /.*\.(dll|exe|asp)
	# This configuration is an example of how to use connection tarpitting based
	# on invalid requests.

	global
	daemon
	log 127.0.0.1 local0

	listen frontend 0.0.0.0:80
	mode http
	option httplog
	log global
	maxconn 10000

	# do not log requests with no data
	option dontlognull

	# log as soon as the server starts to respond, an do not wait for the
	# end of the data transfer.
	option logasap

	# disable keep-alive
	option httpclose

	# load balancing mode set to round-robin
	balance roundrobin

	# the maxconn 150 below means 150 connections maximum will be used
	# on apache, the remaining ones will be queued.
	server apache1 127.0.0.1:80 maxconn 150

	# use short timeouts for client and server
	clitimeout 20000
	srvtimeout 20000

	# the connect timeout should be large because it will also be used
	# to define the queue timeout and the tarpit timeout. It generally
	# is a good idea to set it to the same value as both above, and it
	# will improve performance when dealing with thousands of connections.
	contimeout 20000

	# retry only once when a valid connection fails because the server
	# is overloaded.
	retries 1

	# You might want to enable this option if the attacks start
	# targetting valid URLs.
	# option abortonclose

	# not needed anymore.
	#capture request header X-Forwarded-For len 15

	# and add a new 'X-Forwarded-For: IP'
	option forwardfor

	# how to access the status reporting web interface
	stats uri /stat
	stats auth stat:stat

	# Request header and URI processing begins here.

	# rename the 'X-Forwarded-For:' header as 'X-Forwarded-For2:'
	reqirep ^(X-Forwarded-For:)(.*) X-Forwarded-For2:\2

	#### Now check the URI for requests we want to tarpit ###
	# We do not analyze headers, we just focus on the request
	reqpass ^[^:\ ]*:

	# Tarpit those URIs for any method
	reqtarpit ^[^:\ ]*\ /invalid_req1
	reqtarpit ^[^:\ ]\ /cgi-bin/.\.pl\?
	reqitarpit ^[^:\ ]\ /.\.(dll\|exe\|asp)