# This configuration is an example of how to use connection tarpitting against
# requests that match known-invalid URI patterns (see the req*tarpit rules at
# the end of the "listen" section).
| 3 | |
global
    # send logs to the local syslog daemon (UDP, facility local0);
    # the "log global" line in the listen section inherits this target
    log 127.0.0.1 local0
    # detach from the terminal and run in the background
    daemon
| 7 | |
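listen frontend 0.0.0.0:80
    mode http
    option httplog
    log global
    maxconn 10000

    # do not log requests with no data
    option dontlognull

    # log as soon as the server starts to respond, and do not wait for the
    # end of the data transfer.
    option logasap

    # disable keep-alive
    option httpclose

    # load balancing mode set to round-robin
    balance roundrobin

    # the maxconn 150 below means 150 connections maximum will be used
    # on apache, the remaining ones will be queued.
    # NOTE: this listener binds 0.0.0.0:80, so apache itself must be bound
    # to the loopback address only or the two will fight over the port.
    server apache1 127.0.0.1:80 maxconn 150

    # use short timeouts for client and server
    # NOTE: clitimeout/srvtimeout/contimeout and the req* rules below are
    # the 1.2/1.3-era keywords; later HAProxy releases replace them with
    # "timeout client/server/connect/tarpit" and "http-request" rules, so
    # check the documentation of the version you deploy.
    clitimeout 20000
    srvtimeout 20000

    # the connect timeout should be large because it will also be used
    # to define the queue timeout and the tarpit timeout. It generally
    # is a good idea to set it to the same value as both above, and it
    # will improve performance when dealing with thousands of connections.
    contimeout 20000

    # retry only once when a valid connection fails because the server
    # is overloaded.
    retries 1

    # You might want to enable this option if the attacks start
    # targeting valid URLs.
    # option abortonclose

    # not needed anymore.
    #capture request header X-Forwarded-For len 15

    # and add a new 'X-Forwarded-For: IP' carrying the real client address.
    # The backend must trust ONLY this header for the client IP; any
    # 'X-Forwarded-For2:' it receives is client-supplied (see the reqirep
    # rule below) and must be treated as untrusted input.
    option forwardfor

    # how to access the status reporting web interface
    # SECURITY: the stats page is served on the public port 80 listener and
    # the credentials below are a well-known example value sent as cleartext
    # HTTP basic auth. Change 'stat:stat' before deploying, and prefer
    # serving the stats page from a separate listener bound to a
    # management address rather than from the public frontend.
    stats uri /stat
    stats auth stat:stat

    # Request header and URI processing begins here.

    # rename the 'X-Forwarded-For:' header as 'X-Forwarded-For2:'
    # (case-insensitive match). This is what keeps a client from spoofing
    # the address that 'option forwardfor' adds: the forged header is
    # renamed out of the way instead of being merged with the real one.
    # Verify with a test request carrying a forged X-Forwarded-For that the
    # backend sees only the haproxy-supplied value.
    reqirep ^(X-Forwarded-For:)(.*) X-Forwarded-For2:\2

    #### Now check the URI for requests we want to tarpit ###
    # We do not analyze headers, we just focus on the request line:
    # every line of the form 'Name:' is passed through untouched, so the
    # tarpit rules below only ever see the 'METHOD SP URI SP VERSION' line.
    reqpass ^[^:\ ]*:

    # Tarpit those URIs for any method.
    # CAVEATS on the patterns:
    #  - they assume origin-form URIs ('METHOD /path ...'); an absolute-form
    #    request ('METHOD http://host/path ...') does not start with '/'
    #    after the method and therefore bypasses all three rules;
    #  - reqtarpit is case-sensitive, so '/INVALID_REQ1' or '/CGI-BIN/' are
    #    not caught by the first two rules, whereas reqitarpit (third rule)
    #    matches case-insensitively;
    #  - the third pattern is not anchored at the end and '.*' spans the
    #    whole line, so it also matches '.aspx', a query-string value such
    #    as '?f=a.exe', or any later occurrence on the request line. That
    #    is deliberate for catching worm probes, but keep it in mind if
    #    legitimate URLs contain these suffixes.
    reqtarpit ^[^:\ ]*\ /invalid_req1
    reqtarpit ^[^:\ ]*\ /cgi-bin/.*\.pl\?
    reqitarpit ^[^:\ ]*\ /.*\.(dll|exe|asp)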
| 72 | |