Showing posts with label haproxy.

6/12/2019

HAProxy: monitoring or blocking DDoS

How to monitor or block DDoS traffic in HAProxy with a stick table





Configuration to monitor access
This configuration only tags (tracks) the client's source IP in the Abuse stick table and counts its requests; nothing is rejected at the TCP level, although the http-request deny rules further down still answer 403 once a source passes the abuse thresholds. If you need to block something, remove the double hash (##) in front of the tcp-request content reject line you want. To make the monitoring stricter or looser, lower or raise the thresholds (5000, 1000, 100) used in the ACLs and reject rules. Two things the fragment does not show: the Abuse stick table that the ACLs query must be defined somewhere in the configuration (typically as a dummy backend with a stick-table line), and a source is only inserted into that table when a track-sc rule is active.

# ABUSE SECTION: works in http mode, keyed on the client source IP
# Reject at the TCP level any source already flagged (gpc0) by the deny rules below.
##tcp-request content reject if { src_get_gpc0(Abuse) gt 5000 }
# abuse: the source's HTTP request rate in the Abuse table is 5000 or more per measuring window.
acl abuse src_http_req_rate(Abuse) ge 5000
# flag_abuser: increments the source's gpc0 counter every time it is evaluated and matches once
# the counter reaches 100, so a source is denied only from its 100th request that matched abuse or scanner.
acl flag_abuser src_inc_gpc0(Abuse) ge 100
# scanner: the source's HTTP error (4xx) rate is 5000 or more per measuring window.
acl scanner src_http_err_rate(Abuse) ge 5000



# Abuse protection.
# Sources that are never filtered (one IP or CIDR per line).
tcp-request content accept if { src -f /etc/haproxy/whitelist.lst }
# Sources rejected immediately.
tcp-request content reject if { src -f /etc/haproxy/blacklist.lst }
# Limit the connection rate per client: no more than 5000 connections within the conn_rate window
# of the stick table (3 seconds in this setup).
##tcp-request content reject if { src_conn_rate(Abuse) ge 5000 }
# Reject a client holding 1000 or more concurrent connections.
# The limit is deliberately high to accommodate many clients sharing one NAT address.
##tcp-request content reject if { src_conn_cur(Abuse) ge 1000 }
# Reject a source whose gpc0 counter (incremented by the http-request deny rules) exceeds 5000.
##tcp-request content reject if { src_get_gpc0(Abuse) gt 5000 }
# Track the client source IP in the Abuse table. Nothing is inserted into the table until a track
# rule like this one is active, so enable it (here or elsewhere in the configuration) even when only
# monitoring. src is the TCP source address; if HAProxy itself sits behind another proxy, track the
# X-Forwarded-For header with an http-request track-sc rule instead.
##tcp-request content track-sc1 src table Abuse


When blocking is enabled you can choose between returning a 403 to the client (http-request deny) and dropping the connection without any response (tcp-request content reject, or the silent-drop action).

# Returns a 403 to the abuser and increments its gpc0 counter, so the tcp-request reject above can drop it next time
http-request deny if abuse flag_abuser
http-request deny if scanner flag_abuser
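A complete, self-contained version of the fragment above, added here as an example; it is not the original post's configuration. The table name Abuse, the ACL names, the thresholds and the list files are taken from the post. The stick-table size and expiry, the rate windows (10s for requests, 20s for errors; 3s for connections follows the comment above), the names www and app and the backend address are assumptions. The script writes the configuration to a file and, when the haproxy binary is present, syntax-checks it with haproxy -c:

```shell
#!/bin/sh
# Added example, not the original post's configuration.
# Writes a complete HAProxy configuration in which the "Abuse" stick table
# referenced by the ACLs is actually defined and populated.
# Assumptions: table size/expire, 10s/20s rate windows, names "www"/"app",
# backend address and stats socket path.

write_abuse_cfg() {
    out="$1"
    cat > "$out" <<'EOF'
global
    stats socket /var/run/haproxy/admin.sock mode 660 level admin

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Dummy backend whose only purpose is to hold the per-source counters.
# conn_rate(3s) matches the "5000 connections over 3 seconds" comment;
# the 10s/20s windows for request and error rates are assumptions.
backend Abuse
    stick-table type ip size 100k expire 30m store conn_rate(3s),conn_cur,gpc0,http_req_rate(10s),http_err_rate(20s)

frontend www
    bind *:80
    # Sources that are never filtered / always rejected (one IP or CIDR per line).
    tcp-request content accept if { src -f /etc/haproxy/whitelist.lst }
    tcp-request content reject if { src -f /etc/haproxy/blacklist.lst }
    # Insert every other source into the table; without this nothing is counted.
    tcp-request content track-sc1 src table Abuse
    # TCP-level rejects: commented out = monitoring only, uncomment to block.
    #tcp-request content reject if { src_get_gpc0(Abuse) gt 5000 }
    #tcp-request content reject if { src_conn_rate(Abuse) ge 5000 }
    #tcp-request content reject if { src_conn_cur(Abuse) ge 1000 }
    acl abuse       src_http_req_rate(Abuse) ge 5000
    acl flag_abuser src_inc_gpc0(Abuse) ge 100
    acl scanner     src_http_err_rate(Abuse) ge 5000
    # 403 to the abuser; gpc0 is incremented so the reject above can drop it later.
    http-request deny if abuse flag_abuser
    http-request deny if scanner flag_abuser
    default_backend app

backend app
    server app1 127.0.0.1:8080 check
EOF
}

# Syntax-check the file with haproxy when the binary is available.
# Returns haproxy's exit status, or 0 with a notice when haproxy is not installed.
check_cfg() {
    if command -v haproxy >/dev/null 2>&1; then
        haproxy -c -f "$1"
    else
        echo "haproxy not installed; skipping syntax check of $1" >&2
    fi
}

# Usage (the two list files and the stats socket directory must exist for the check to pass):
#   touch /etc/haproxy/whitelist.lst /etc/haproxy/blacklist.lst
#   write_abuse_cfg /tmp/haproxy-abuse.cfg && check_cfg /tmp/haproxy-abuse.cfg
```

The only structural difference from the post's fragment is that the track-sc1 rule is active and the Abuse table exists; with both in place the show table command in the Monitoring section actually returns entries.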




Monitoring

Show the stick table contents, one line per tracked source IP with its counters:
echo "show table Abuse" | socat unix-connect:/var/run/haproxy/admin.sock stdio





hatop -s /var/run/haproxy/admin.sock
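The show table output is one line per tracked source and is long on a busy proxy. The helper below, added here and not part of the original post, ranks the sources by a counter and lists those above a threshold (candidates for blacklist.lst, after review). The sample table output embedded in it is constructed for the example, in the format the HAProxy CLI prints, and the counter names follow the Abuse table used in the first post. On a live proxy, pipe the socat command above into top_sources instead:

```shell
#!/bin/sh
# Added example, not from the original post: rank the entries of
# "show table Abuse" by a counter. Reads show-table output on stdin.

# Constructed sample output (same layout as the HAProxy CLI prints).
SAMPLE_TABLE='# table: Abuse, type: ip, size:102400, used:3
0x55e1c0: key=203.0.113.7 use=0 exp=1799876 conn_rate(3000)=12 conn_cur=3 gpc0=0 http_req_rate(10000)=6400 http_err_rate(20000)=2
0x55e2a0: key=198.51.100.23 use=1 exp=1796500 conn_rate(3000)=2 conn_cur=1 gpc0=0 http_req_rate(10000)=40 http_err_rate(20000)=0
0x55e380: key=192.0.2.99 use=0 exp=1790110 conn_rate(3000)=5 conn_cur=2 gpc0=7 http_req_rate(10000)=310 http_err_rate(20000)=5200'

# Print "<counter value> <ip>" for each entry for the given counter name
# (e.g. http_req_rate, http_err_rate, conn_cur). The "(window)" suffix is ignored.
table_counter() {
    awk -v want="$1" '
        /^#/ { next }                      # skip the "# table: ..." header line
        {
            ip = ""; val = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^key=/) { ip = substr($i, 5) }
                else {
                    split($i, kv, "=")
                    name = kv[1]; sub(/\(.*\)$/, "", name)   # strip "(10000)"
                    if (name == want) { val = kv[2] }
                }
            }
            if (ip != "" && val != "") print val, ip
        }'
}

# Top N sources by a counter (default: http_req_rate), highest first.
top_sources() {
    n="$1"; counter="${2:-http_req_rate}"
    table_counter "$counter" | sort -rn | head -n "$n"
}

# IPs whose counter is at or above a threshold, one per line, ready to be
# appended to /etc/haproxy/blacklist.lst once you have reviewed them.
sources_over() {
    threshold="$1"; counter="${2:-http_req_rate}"
    table_counter "$counter" | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Usage on a live proxy:
#   echo "show table Abuse" | socat unix-connect:/var/run/haproxy/admin.sock stdio | top_sources 10
#   echo "show table Abuse" | socat unix-connect:/var/run/haproxy/admin.sock stdio | sources_over 5000 http_err_rate
# Offline, with the constructed sample:
#   printf '%s\n' "$SAMPLE_TABLE" | top_sources 2
```

The CLI can also filter server-side (show table Abuse data.http_req_rate gt 1000) and remove a single entry once a source has been dealt with (clear table Abuse key 203.0.113.7), which is useful after adding an address to blacklist.lst and reloading.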



It is also possible to feed these counters to external tools, such as:

Microsoft OMS
Datadog
Prometheus
Splunk
and other APM products

5/07/2019

HAProxy - WordPress problem with SSL

A WordPress SSL problem behind HAProxy


Having trouble enabling SSL on your WordPress site with HAProxy as a reverse proxy? When HAProxy terminates TLS and talks plain HTTP to the backend, WordPress only sees the plain-HTTP connection and does not know the client used HTTPS.


The fix is simple.

Add this to wp-config.php:

// Force HTTPS for the admin area. FORCE_SSL_LOGIN is deprecated since WordPress 4.0; FORCE_SSL_ADMIN covers it.
define('FORCE_SSL_ADMIN', true);
define('FORCE_SSL_LOGIN', true);
// HAProxy terminates TLS and talks plain HTTP to WordPress, so tell WordPress the client used HTTPS.
// This trusts the X-Forwarded-Proto header, so HAProxy must always set (overwrite) it.
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') {
    $_SERVER['HTTPS'] = 'on';
}


Add this to your HAProxy configuration:


frontend webfront
  mode http
  bind 0.0.0.0:443 ssl crt /etc/haproxy/certs.d
  # Tell the backend the client connected over HTTPS.
  # reqadd no longer exists in HAProxy 2.1 and later; http-request set-header is its replacement there.
  reqadd X-Forwarded-Proto:\ https
  ...
  ...





Make sure option http-server-close is set as well. In tunnel mode (the default in old HAProxy versions) only the first request of a keep-alive connection passes through the header rules, so reqadd might not be applied to later requests.
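The same frontend written for current HAProxy releases, added here as an example that is not the original post's configuration. reqadd was removed in HAProxy 2.1, and http-request set-header is the replacement; set-header also overwrites any X-Forwarded-Proto value the client sends, which matters because the wp-config.php check above trusts that header (reqadd only appended, so a client-supplied header would have survived next to it). The certificate path, backend name and address are assumptions. The script writes the fragment to a file and syntax-checks it when haproxy is installed:

```shell
#!/bin/sh
# Added example, not the original post's configuration.
# HAProxy 2.1+ version of the WordPress frontend: TLS terminated at HAProxy,
# plain HTTP to the backend, X-Forwarded-Proto always set by HAProxy.
# Assumptions: certificate directory, backend name and address.

write_wp_cfg() {
    out="$1"
    cat > "$out" <<'EOF'
defaults
    mode http
    option http-server-close
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend webfront
    bind *:80
    bind *:443 ssl crt /etc/haproxy/certs.d
    # Send plain-HTTP visitors to HTTPS so WordPress only ever sees forwarded HTTPS traffic.
    http-request redirect scheme https code 301 unless { ssl_fc }
    # set-header overwrites any value the client supplied, so wp-config.php can trust it.
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    http-request set-header X-Forwarded-For %[src]
    default_backend wordpress

backend wordpress
    server wp1 127.0.0.1:8080 check
EOF
}

# Syntax-check with haproxy when the binary is available (0 with a notice otherwise).
check_wp_cfg() {
    if command -v haproxy >/dev/null 2>&1; then
        haproxy -c -f "$1"
    else
        echo "haproxy not installed; skipping syntax check of $1" >&2
    fi
}

# Usage:
#   write_wp_cfg /tmp/haproxy-wp.cfg && check_wp_cfg /tmp/haproxy-wp.cfg
```

Keep the WordPress backend reachable only from HAProxy (firewall or a loopback bind): if clients can reach port 8080 directly they can send their own X-Forwarded-Proto and the wp-config.php check will believe them.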

4/27/2019

HAProxy error: inconsistencies between private key and certificate loaded from PEM file





Error in HAProxy with Let's Encrypt

Error message:
bind *:443' : inconsistencies between private key and certificate loaded from PEM file '/etc/letsencrypt/live/

HAProxy expects the certificate and its private key in a single PEM file, so create a combined file (cert.pem holds only the leaf certificate; using fullchain.pem instead gives clients the intermediate chain as well). The combined file contains the private key, so keep it readable by root only:

cat cert.pem privkey.pem > haproxy_cert.pem



Reference it in haproxy.cfg:
frontend www
        bind *:80
        bind *:443  ssl crt /etc/letsencrypt/live/mydomain.com/haproxy_cert.pem

Then test the configuration before reloading:
haproxy -c -V -f /etc/haproxy/haproxy.cfg
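A script for the combined-PEM step, added here as an example and not part of the original post. It concatenates fullchain.pem and privkey.pem from a Let's Encrypt live directory, restricts permissions, and verifies with openssl that the key actually belongs to the certificate before HAProxy loads it, which is the mismatch the error above reports. The directory layout follows Let's Encrypt; the output path in the usage comment is an assumption, and the self-signed certificates the test helper generates are throwaway material constructed for the example. Requires openssl.

```shell
#!/bin/sh
# Added example, not from the original post. Requires openssl.
# Build the single PEM HAProxy expects from a Let's Encrypt live directory
# and verify the private key matches the certificate before HAProxy loads it.

# Return 0 if the first certificate and the private key in "$1" belong together.
# Both are reduced to their SubjectPublicKeyInfo PEM and compared.
pem_key_matches_cert() {
    pem="$1"
    cert_pub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$pem" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# build_haproxy_pem <letsencrypt live dir> <output pem>
# Uses fullchain.pem (leaf + intermediate) rather than cert.pem so clients
# receive the chain. The output holds the private key, so it is created 0600.
build_haproxy_pem() {
    live="$1"; out="$2"
    (umask 077; cat "$live/fullchain.pem" "$live/privkey.pem" > "$out") || return 1
    chmod 600 "$out"
    if pem_key_matches_cert "$out"; then
        echo "ok: key matches certificate in $out"
    else
        echo "error: private key does not match certificate in $out" >&2
        rm -f "$out"
        return 1
    fi
}

# Constructed test material: a throwaway self-signed cert/key pair laid out
# like a Let's Encrypt live directory (fullchain.pem, privkey.pem).
make_fake_live_dir() {
    dir="$1"; cn="$2"
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$cn" \
        -keyout "$dir/privkey.pem" -out "$dir/fullchain.pem" >/dev/null 2>&1
}

# Usage on a real host (assumed paths), then the syntax check from the post:
#   build_haproxy_pem /etc/letsencrypt/live/mydomain.com /etc/letsencrypt/live/mydomain.com/haproxy_cert.pem \
#       && haproxy -c -V -f /etc/haproxy/haproxy.cfg
```

Run build_haproxy_pem from the certbot renewal hook so the combined file is rebuilt on every renewal; a stale combined file pointing at a renewed key is another way to end up with exactly this error.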