1# This sample configuration makes extensive use of the ACLs. It requires
2# HAProxy version 1.3.12 minimum.
3
4global
 # Process-wide settings. Two syslog targets are declared: "loghost"
 # receives every level on facility local0, while "localhost" only
 # receives "err" and above on the same facility.
5 log loghost local0
6 log localhost local0 err
 # Hard cap on concurrent connections for the whole process; the
 # per-frontend maxconn (100 in http-in) must stay below this value.
7 maxconn 250
 # Privilege drop and confinement once the daemon is started: run as
 # uid/gid 71 inside an empty chroot. NOTE(review): /var/empty must
 # exist and should contain nothing the process could use.
8 uid 71
9 gid 71
10 chroot /var/empty
11 pidfile /var/run/haproxy.pid
12 daemon
13 quiet
14
15frontend http-in
 # Public HTTP listener. All request filtering lives here, so the
 # "block" rules below apply to every backend reached through it;
 # backend-specific hardening (method allow-list, Server header
 # rewrite) is only present in backend "www".
16 bind :80
17 mode http
18 log global
 # Client inactivity timeout, in milliseconds (1.3 syntax).
19 clitimeout 30000
20 option httplog
21 option dontlognull
22 #option logasap
23 option httpclose
 # Connection cap for this frontend only; excess connections queue at
 # the socket level rather than being accepted.
24 maxconn 100
25
 # Captured headers are written to the HTTP log, truncated to "len"
 # characters; Content-Length is captured for both request and response.
26 capture request header Host len 20
27 capture request header User-Agent len 16
28 capture request header Content-Length len 10
29 capture request header Referer len 20
30 capture response header Content-Length len 10
31
 # ACL lines sharing a name are OR-ed together, and the conditions on a
 # single "block if" line are AND-ed. "!name" negates an ACL.
32 # block any unwanted source IP addresses or networks
 # Reject reserved/multicast source ranges and any client connecting
 # from a privileged source port (below 1024).
33 acl forbidden_src src 0.0.0.0/7 224.0.0.0/3
34 acl forbidden_src src_port 0:1023
35 block if forbidden_src
36
37 # block requests beginning with http:// on wrong domains
 # Absolute-URI requests are only accepted for the 1wt.eu domain;
 # replace that host pattern with your own when reusing this file.
38 acl dangerous_pfx url_beg -i http://
39 acl valid_pfx url_reg -i ^http://[^/]*1wt\.eu/
40 block if dangerous_pfx !valid_pfx
41
42 # block apache chunk exploit, ...
 # NOTE(review): this rejects every request advertising a chunked
 # transfer encoding, including legitimate chunked request bodies;
 # keep it only if the servers behind do not need chunked uploads.
43 acl forbidden_hdrs hdr_sub(transfer-encoding) -i chunked
44 acl forbidden_hdrs hdr_beg(host) -i apache- localhost
45
46 # ... some HTTP content smuggling and other various things
 # Duplicate Host, duplicate or negative Content-Length, and any
 # Proxy-Authorization header are treated as malformed and blocked.
47 acl forbidden_hdrs hdr_cnt(host) gt 1
48 acl forbidden_hdrs hdr_cnt(content-length) gt 1
49 acl forbidden_hdrs hdr_val(content-length) lt 0
50 acl forbidden_hdrs hdr_cnt(proxy-authorization) gt 0
51 block if forbidden_hdrs
52
53 # block annoying worms that fill the logs...
 # Pattern-based noise reduction ("-i" makes every match
 # case-insensitive). These lists are a log filter, not a complete
 # defence: the servers behind must still validate paths themselves.
54 acl forbidden_uris url_reg -i .*(\.|%2e)(\.|%2e)(%2f|%5c|/|\\\\)
55 acl forbidden_uris url_sub -i %00 <script xmlrpc.php
56 acl forbidden_uris path_end -i /root.exe /cmd.exe /default.ida /awstats.pl .asp .dll
57
58 # block other common attacks (awstats, manual discovery...)
59 acl forbidden_uris path_dir -i chat main.php read_dump.php viewtopic.php phpbb sumthin horde _vti_bin MSOffice
60 acl forbidden_uris url_reg -i (\.php\?temppath=|\.php\?setmodules=|[=:]http://)
61 block if forbidden_uris
62
63 # we rewrite the "options" request so that it only tries '*', and we
64 # only report GET, HEAD, POST and OPTIONS as valid methods
 # reqirep/rspirep are case-insensitive regex rewrites of the request
 # and response lines/headers. The response rewrite presumably applies
 # to responses from every backend served through this frontend.
65 reqirep ^OPTIONS\ /.*HTTP/1\.[01]$ OPTIONS\ \\*\ HTTP/1.0
66 rspirep ^Allow:\ .* Allow:\ GET,\ HEAD,\ POST,\ OPTIONS
67
 # Routing is by Host header prefix only; anything else goes to "www".
 # Requests sent to "demo" and "www2" therefore bypass the method
 # allow-list and Server header rewrite defined in backend "www".
68 acl host_demo hdr_beg(host) -i demo.
69 acl host_www2 hdr_beg(host) -i www2.
70
71 use_backend demo if host_demo
72 use_backend www2 if host_www2
73 default_backend www
74
75backend www
 # Default backend: a primary server plus a backup, with health checks,
 # cookie persistence, a method allow-list and Server header masking.
76 mode http
 # Outbound connections to the servers are bound to this address with
 # an ephemeral port.
77 source 192.168.21.2:0
78 balance roundrobin
 # Persistence cookie name. Only server "back" declares a cookie
 # value, so clients are pinned only while being served by the backup.
79 cookie SERVERID
 # Health checks every 30 s; 2 successes mark a server up, 3 (primary)
 # or 5 (backup) failures mark it down. maxconn limits concurrent
 # requests per server; extra requests queue in the backend.
80 server www1 192.168.12.2:80 check inter 30000 rise 2 fall 3 maxconn 10
81 server back 192.168.11.2:80 check inter 30000 rise 2 fall 5 backup cookie back maxconn 8
82
83 # long timeout to support connection queueing
 # Connect and server-side timeouts in milliseconds (1.3 syntax).
84 contimeout 20000
85 srvtimeout 20000
86 fullconn 100
 # On connection failure, retry up to 3 times and allow redispatching
 # a persistent client to another server.
87 redispatch
88 retries 3
89
 # Health check is an HTTP HEAD on "/".
90 option httpchk HEAD /
 # Adds an X-Forwarded-For header carrying the client address.
 # NOTE(review): a client-supplied X-Forwarded-For is not stripped
 # here; the application should trust only the value appended by this
 # proxy.
91 option forwardfor
 # NOTE(review): presumably blocks responses that set a cookie while
 # being cacheable, so no shared cache can leak a session; confirm
 # against the HAProxy version in use.
92 option checkcache
93 option httpclose
94
95 # allow other syntactically valid requests, and block any other method
 # HTTP_URL_STAR, HTTP_URL_SLASH, HTTP_URL_ABS and METH_OPTIONS are
 # HAProxy's predefined ACLs. "*" is accepted only with OPTIONS, and
 # the URI must be "*", a relative path or an absolute URL. These
 # rules only cover this backend, not "www2" or "demo".
96 acl valid_method method GET HEAD POST OPTIONS
97 block if !valid_method
98 block if HTTP_URL_STAR !METH_OPTIONS
99 block if !HTTP_URL_SLASH !HTTP_URL_STAR !HTTP_URL_ABS
100
101 # remove unnecessary precisions on the server version. Let's say
102 # it's an apache under Unix on the Formilux Distro.
 # Delete the real Server header (case-insensitive match) and add a
 # fixed one; responses from the other backends keep their own.
103 rspidel ^Server:\
104 rspadd Server:\ Apache\ (Unix;\ Formilux/0.1.8)
105
106defaults non_standard_bck
 # A "defaults" section applies to every frontend/backend declared
 # after it, until the next "defaults" section. Here it covers only
 # backend "www2". Note what it does not carry over from backend
 # "www": no httpchk, no checkcache, no method allow-list and no
 # Server header rewrite.
107 mode http
108 source 192.168.21.2:0
109 option forwardfor
110 option httpclose
111 balance roundrobin
112 fullconn 100
113 contimeout 20000
114 srvtimeout 20000
115 retries 2
116
117backend www2
 # Inherits everything from "defaults non_standard_bck" above. A single
 # server with no "check" keyword, so it is never health-checked and
 # has no backup.
118 server www2 192.168.22.2:80 maxconn 10
119
120# end of defaults
 # An empty "defaults" section resets the inherited settings, so the
 # backend declared after it ("demo") gets nothing from
 # "non_standard_bck".
121defaults none
122
123backend demo
 # Statistics backend, reached by any request whose Host header starts
 # with "demo.". It declares no servers; presumably every path under
 # "/" is answered with the stats page.
124 mode http
125 balance roundrobin
126 stats enable
 # NOTE(review): the stats page reveals server addresses and states
 # and is served here without "stats auth", i.e. to anyone who can
 # reach port 80. Outside a demo, add
 # "stats auth <USER>:<PASSWORD>" (placeholder) and/or restrict the
 # "demo." host to trusted source addresses in the frontend.
127 stats uri /
 # Only these proxies are shown; "www2" and the defaults are hidden.
128 stats scope http-in
129 stats scope www
130 stats scope demo