+++ /dev/null
-# This sample configuration makes extensive use of the ACLs. It requires
-# HAProxy version 1.3.12 minimum.
-
-global
- log loghost local0
- log localhost local0 err
- maxconn 250
- uid 71
- gid 71
- chroot /var/empty
- pidfile /var/run/haproxy.pid
- daemon
- quiet
-
-frontend http-in
- bind :80
- mode http
- log global
- clitimeout 30000
- option httplog
- option dontlognull
- #option logasap
- option httpclose
- maxconn 100
-
- capture request header Host len 20
- capture request header User-Agent len 16
- capture request header Content-Length len 10
- capture request header Referer len 20
- capture response header Content-Length len 10
-
- # block any unwanted source IP addresses or networks
- acl forbidden_src src 0.0.0.0/7 224.0.0.0/3
- acl forbidden_src src_port 0:1023
- block if forbidden_src
-
- # block requests beginning with http:// on wrong domains
- acl dangerous_pfx url_beg -i http://
- acl valid_pfx url_reg -i ^http://[^/]*1wt\.eu/
- block if dangerous_pfx !valid_pfx
-
- # block apache chunk exploit, ...
- acl forbidden_hdrs hdr_sub(transfer-encoding) -i chunked
- acl forbidden_hdrs hdr_beg(host) -i apache- localhost
-
- # ... some HTTP content smugling and other various things
- acl forbidden_hdrs hdr_cnt(host) gt 1
- acl forbidden_hdrs hdr_cnt(content-length) gt 1
- acl forbidden_hdrs hdr_val(content-length) lt 0
- acl forbidden_hdrs hdr_cnt(proxy-authorization) gt 0
- block if forbidden_hdrs
-
- # block annoying worms that fill the logs...
- acl forbidden_uris url_reg -i .*(\.|%2e)(\.|%2e)(%2f|%5c|/|\\\\)
- acl forbidden_uris url_sub -i %00 <script xmlrpc.php
- acl forbidden_uris path_end -i /root.exe /cmd.exe /default.ida /awstats.pl .asp .dll
-
- # block other common attacks (awstats, manual discovery...)
- acl forbidden_uris path_dir -i chat main.php read_dump.php viewtopic.php phpbb sumthin horde _vti_bin MSOffice
- acl forbidden_uris url_reg -i (\.php\?temppath=|\.php\?setmodules=|[=:]http://)
- block if forbidden_uris
-
- # we rewrite the "options" request so that it only tries '*', and we
- # only report GET, HEAD, POST and OPTIONS as valid methods
- reqirep ^OPTIONS\ /.*HTTP/1\.[01]$ OPTIONS\ \\*\ HTTP/1.0
- rspirep ^Allow:\ .* Allow:\ GET,\ HEAD,\ POST,\ OPTIONS
-
- acl host_demo hdr_beg(host) -i demo.
- acl host_www2 hdr_beg(host) -i www2.
-
- use_backend demo if host_demo
- use_backend www2 if host_www2
- default_backend www
-
-backend www
- mode http
- source 192.168.21.2:0
- balance roundrobin
- cookie SERVERID
- server www1 192.168.12.2:80 check inter 30000 rise 2 fall 3 maxconn 10
- server back 192.168.11.2:80 check inter 30000 rise 2 fall 5 backup cookie back maxconn 8
-
- # long timeout to support connection queueing
- contimeout 20000
- srvtimeout 20000
- fullconn 100
- redispatch
- retries 3
-
- option httpchk HEAD /
- option forwardfor
- option checkcache
- option httpclose
-
- # allow other syntactically valid requests, and block any other method
- acl valid_method method GET HEAD POST OPTIONS
- block if !valid_method
- block if HTTP_URL_STAR !METH_OPTIONS
- block if !HTTP_URL_SLASH !HTTP_URL_STAR !HTTP_URL_ABS
-
- # remove unnecessary precisions on the server version. Let's say
- # it's an apache under Unix on the Formilux Distro.
- rspidel ^Server:\
- rspadd Server:\ Apache\ (Unix;\ Formilux/0.1.8)
-
-defaults non_standard_bck
- mode http
- source 192.168.21.2:0
- option forwardfor
- option httpclose
- balance roundrobin
- fullconn 100
- contimeout 20000
- srvtimeout 20000
- retries 2
-
-backend www2
- server www2 192.168.22.2:80 maxconn 10
-
-# end of defaults
-defaults none
-
-backend demo
- mode http
- balance roundrobin
- stats enable
- stats uri /
- stats scope http-in
- stats scope www
- stats scope demo
projects / thirdparty / haproxy.git / commitdiff
