Willy Tarreau 2272dc1 2006-09-03 10:19:38 +0200

# This configuration is an example of how to use connection tarpitting based
# on invalid requests.

global
    daemon
    log 127.0.0.1 local0

listen frontend 0.0.0.0:80
    mode http
    option httplog
    log global
    maxconn 10000

    # do not log requests with no data
    option dontlognull

    # log as soon as the server starts to respond, and do not wait for the
    # end of the data transfer.
    option logasap

    # disable keep-alive
    option httpclose

    # load balancing mode set to round-robin
    balance roundrobin

    # the maxconn 150 below means 150 connections maximum will be used
    # on apache, the remaining ones will be queued.
    server apache1 127.0.0.1:80 maxconn 150

    # use short timeouts for client and server
    clitimeout 20000
    srvtimeout 20000

    # the connect timeout should be large because it will also be used
    # to define the queue timeout and the tarpit timeout. It generally
    # is a good idea to set it to the same value as both above, and it
    # will improve performance when dealing with thousands of connections.
    contimeout 20000

    # retry only once when a valid connection fails because the server
    # is overloaded.
    retries 1

    # You might want to enable this option if the attacks start
    # targeting valid URLs.
    # option abortonclose

    # not needed anymore.
    #capture request header X-Forwarded-For len 15

    # and add a new 'X-Forwarded-For: IP'
    option forwardfor

    # how to access the status reporting web interface
    stats uri /stat
    stats auth stat:stat

    # Request header and URI processing begins here.

    # rename the 'X-Forwarded-For:' header as 'X-Forwarded-For2:'
    reqirep ^(X-Forwarded-For:)(.*) X-Forwarded-For2:\2

    #### Now check the URI for requests we want to tarpit ###
    # We do not analyze headers, we just focus on the request line:
    # header lines (a name followed by ':') are passed without further checks.
    reqpass ^[^:\ ]*:

    # Tarpit those URIs for any method
    # (reqtarpit is case-sensitive, reqitarpit ignores case)
    reqtarpit ^[^:\ ]*\ /invalid_req1
    reqtarpit ^[^:\ ]*\ /cgi-bin/.*\.pl\?
    reqitarpit ^[^:\ ]*\ /.*\.(dll|exe|asp)
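The reqpass/reqtarpit rules above can be checked offline against sample requests before they are deployed. The Python sketch below is an added example, not part of the original configuration file or of HAProxy. It assumes Python's `re` module is a close enough stand-in for HAProxy's regex engine and uses a simplified per-line evaluation model; `verdict`, `audit` and `SAMPLES` are hypothetical names, and the sample requests are constructed.

```python
import re

# Rules copied from the configuration above, in order: (action, regex).
# "reqitarpit" is the case-insensitive form of "reqtarpit".
RULES = [
    ("pass",   re.compile(r"^[^:\ ]*:")),
    ("tarpit", re.compile(r"^[^:\ ]*\ /invalid_req1")),
    ("tarpit", re.compile(r"^[^:\ ]*\ /cgi-bin/.*\.pl\?")),
    ("tarpit", re.compile(r"^[^:\ ]*\ /.*\.(dll|exe|asp)", re.IGNORECASE)),
]

def verdict(request_lines):
    """Return 'tarpit' if any line hits a tarpit rule, else 'forward'.

    Simplified model (an assumption): each line, request line first and
    then headers, is tested against the rules in order, and a 'pass'
    match ends rule evaluation for that line only.
    """
    for line in request_lines:
        for action, regex in RULES:
            if regex.search(line):
                if action == "tarpit":
                    return "tarpit"
                break  # 'pass': leave this line alone, skip remaining rules
    return "forward"

# Constructed sample requests, not taken from real traffic.
SAMPLES = {
    "normal page":       ["GET /index.html HTTP/1.0", "Host: www.example.com"],
    "listed URI":        ["GET /invalid_req1 HTTP/1.0", "Host: www.example.com"],
    "perl CGI + query":  ["POST /cgi-bin/form.pl?id=1 HTTP/1.0"],
    "perl CGI no query": ["GET /cgi-bin/form.pl HTTP/1.0"],
    "upper-case ext":    ["GET /files/SETUP.EXE HTTP/1.0"],
    "header only":       ["GET / HTTP/1.0", "X-Note: /tools/setup.exe"],
    "legit .aspx page":  ["GET /docs/report.aspx HTTP/1.0"],
}

def audit(samples=SAMPLES):
    """Map each sample name to the verdict the rule set gives it."""
    return {name: verdict(lines) for name, lines in samples.items()}

if __name__ == "__main__":
    for name, result in audit().items():
        print(f"{name:18} -> {result}")
```

The "legit .aspx page" sample is tarpitted because the extension pattern is not anchored at the end of the URI, so `.asp` also matches `.aspx`. Review such over-matches against the site's real URL space before enabling the rule.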