WAF базовый, rate limiting, DDoS защита, security headers
Базовый WAF, rate limiting, защита от DDoS, security headers.
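frontend http_front
bind *:80
# Stick table for tracking: one table per proxy, keyed by client IP, up to
# 100k entries, an entry is dropped 30s after its last update, and it stores
# the request rate over a sliding 10s window.
stick-table type ip size 100k expire 30s store http_req_rate(10s)
# Track every request under counter 0. Denied requests are counted as well,
# so a client keeps its rate up while it is being blocked.
# NOTE: src is the TCP peer; behind a CDN or reverse proxy this is the
# proxy's address, so the table must be keyed on the forwarded client header.
http-request track-sc0 src
# Block above 100 requests per 10s (~10 req/s sustained) from one IP.
acl is_rate_limited sc_http_req_rate(0) gt 100
http-request deny deny_status 429 if is_rate_limited
default_backend web_servers

frontend http_front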
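bind *:80
# Separate counter for the login endpoint. The table stores a 1-minute rate,
# so expire must be at least that long: with expire 30s an entry (and its
# count) is dropped after 30s of silence, which shortens the window and lets
# a slow brute-force attempt reset its own counter.
stick-table type ip size 50k expire 2m store http_req_rate(1m)
# Only login requests are tracked under counter 1.
http-request track-sc1 src if { path_beg /login }
# More than 10 login requests per minute from one IP -> brute force suspected.
# Keying on src alone also throttles users behind a shared NAT; pair this
# with per-account lockout in the application.
acl login_rate_limited sc_http_req_rate(1) gt 10
http-request deny deny_status 429 if login_rate_limited
default_backend web_servers

frontend http_front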
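bind *:80
# Allow-list for monitoring and internal services (RFC 1918 ranges).
# NOTE: if a load balancer or proxy in one of these ranges sits in front,
# every client arrives with that src and is exempted -- check the topology.
acl is_whitelist src 10.0.0.0/8 192.168.0.0/16
stick-table type ip size 100k expire 30s store http_req_rate(10s)
# Allow-listed sources are not tracked at all, so the table only holds
# untrusted traffic; the deny rule keeps !is_whitelist as a second guard.
http-request track-sc0 src if !is_whitelist
acl is_rate_limited sc_http_req_rate(0) gt 100
http-request deny deny_status 429 if is_rate_limited !is_whitelist
default_backend web_servers

frontend http_front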
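bind *:80
# A stick table can store each data type only once, and the second argument
# of sc_http_req_rate() is a table name, not a period, so two windows need
# two tables. A proxy may declare only one stick-table, so the tables live
# in dummy backends declared below.
http-request track-sc0 src table st_burst
http-request track-sc1 src table st_avg
# Burst limit (short window): more than 100 requests in 10s.
acl burst_limited sc_http_req_rate(0) gt 100
# Average limit (long window): more than 30 requests in 1m.
# NOTE(review): 30/min is far stricter than 100/10s, so the average rule
# trips first for any sustained client -- confirm the intended thresholds.
acl avg_limited sc_http_req_rate(1) gt 30
http-request deny deny_status 429 if burst_limited
http-request deny deny_status 429 if avg_limited
default_backend web_servers

# Table holders. expire must cover the longest window each table stores.
backend st_burst
stick-table type ip size 100k expire 30s store http_req_rate(10s)

backend st_avg
stick-table type ip size 100k expire 2m store http_req_rate(1m)

frontend http_front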
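bind *:80
# req.body is only available to http-request rules once the body has been
# buffered; without this option the body ACL below never matches. The body
# is limited by the buffer size (tune.bufsize), larger bodies are truncated.
option http-buffer-request
# SQL injection patterns. The -i flag gives case-insensitive matching with
# any regex engine (the (?i) inline flag only works with PCRE builds).
# This is a coarse keyword filter: ordinary parameters containing words such
# as "update" or "select" are blocked too, so expect false positives.
acl sql_injection url_param -m regex -i "(union|select|insert|update|delete|drop|exec|script)"
# The bare "body" keyword is not a sample fetch; the request body is req.body.
acl sql_injection_body req.body -m regex -i "(union|select|insert|update|delete|drop)"
http-request deny deny_status 400 if sql_injection
http-request deny deny_status 400 if sql_injection_body
default_backend web_servers

frontend http_front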
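bind *:80
# Body ACLs need the buffered request body, otherwise req.body is empty.
option http-buffer-request
# XSS patterns: keyword filter on query parameters and on the body.
# Any form that legitimately posts HTML (editors, CMS) will hit "<script".
acl xss_attack url_param -m regex -i "(<script|javascript:|onerror=|onload=)"
acl xss_attack_body req.body -m regex -i "(<script|javascript:)"
http-request deny deny_status 400 if xss_attack
http-request deny deny_status 400 if xss_attack_body
# Security headers
# X-XSS-Protection is obsolete: current browsers ignore it and the legacy
# filter had side-channel issues. nosniff and a Content-Security-Policy are
# the controls that actually help.
http-response set-header X-XSS-Protection "1; mode=block"
http-response set-header X-Content-Type-Options "nosniff"
default_backend web_servers

frontend http_front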
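bind *:80
# Path traversal patterns: raw, single- and double-encoded dot-dot. HAProxy
# does not decode the path before matching, hence the encoded variants; -i
# also covers %2E / %252E. On HAProxy 2.4+ `http-request normalize-uri` can
# canonicalise the path before the check instead.
acl path_traversal path_sub -i ".." "%2e%2e" "%252e"
http-request deny deny_status 400 if path_traversal
default_backend web_servers

frontend http_front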
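bind *:80
# Block script extensions and sensitive files. -i catches .PHP / .Env etc.
# NOTE(review): only sensible when web_servers should never serve these
# paths; if the backend is a PHP/Python application this blocks the app.
acl dangerous_ext path_end -i .php .asp .aspx .jsp .cgi .pl .py .sh .bat .exe
acl dangerous_ext path_end -i .env .htaccess .htpasswd .config
# path_end ".git" only matches a path that ends in ".git"; an exposed
# repository is read from the files below that directory, so match the
# directory itself as well.
acl dangerous_ext path_sub -i /.git/
acl dangerous_ext path_end -i /.git
http-request deny deny_status 403 if dangerous_ext
default_backend web_servers

frontend http_front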
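bind *:80
# Block scanners and bots by User-Agent substring; patterns come from a file
# (one per line, case-insensitive). Substring matching is coarse: "bot" also
# hits Googlebot/bingbot, and "curl"/"wget" hit monitoring probes, so review
# the list against legitimate clients. The header is client-controlled, so
# this is hygiene against noisy tools, not a security boundary.
acl bad_bot hdr_sub(User-Agent) -i -f /etc/haproxy/bad_bots.txt
http-request deny deny_status 403 if bad_bot
default_backend web_servers

bad_bots.txt: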
# User-Agent substrings loaded by `acl bad_bot ... -f`; one pattern per line,
# matched case-insensitively as a substring. Lines starting with # are ignored.
scanner
crawler
spider
# "bot" also matches Googlebot, bingbot and most legitimate crawlers.
bot
# curl / wget / python-requests / go-http-client are common in health
# checks, deployment scripts and API clients; expect false positives.
curl
wget
python-requests
go-http-client
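frontend http_front
bind *:80
# Per-IP connection limits.
stick-table type ip size 100k expire 30s store conn_cur,conn_rate(10s)
# Track at connection accept time so that idle or half-open connections
# (which never send an HTTP request) count towards conn_cur/conn_rate;
# tracking in http-request only sees connections that completed a request.
tcp-request connection track-sc0 src
# More than 50 concurrent connections, or more than 10 new connections
# per 10s, from one IP. A cheaper alternative for the concurrent limit is
# `tcp-request connection reject if { sc_conn_cur(0) gt 50 }`, which drops
# the connection before any HTTP parsing instead of answering 429.
acl conn_limit_exceeded sc_conn_cur(0) gt 50
acl conn_rate_exceeded sc_conn_rate(0) gt 10
http-request deny deny_status 429 if conn_limit_exceeded
http-request deny deny_status 429 if conn_rate_exceeded
default_backend web_servers

frontend http_front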
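bind *:80
# Slowloris-style defence: the complete request headers must arrive within 5s.
timeout http-request 5s
# Header size limit: tune.bufsize and tune.maxrewrite are global-section
# directives and are rejected inside a frontend. Set them in `global`
# (request headers must fit in bufsize minus maxrewrite).
# Rate limiting
stick-table type ip size 100k expire 30s store http_req_rate(10s)
http-request track-sc0 src
# More than 100 requests per 10s (~10 req/s) from one IP.
acl is_rate_limited sc_http_req_rate(0) gt 100
http-request deny deny_status 429 if is_rate_limited
default_backend web_servers

frontend http_front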
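bind *:80
# GeoIP blocking. HAProxy has no built-in GeoIP matcher ("-m geoip" is not a
# valid match method). Country lookups are done with a map of CIDR -> country
# code generated from a GeoIP database (path below is a placeholder).
# Geo-blocking is a coarse control: it is trivially bypassed through VPNs
# and cloud hosts in other countries.
acl blocked_country src,map_ip(/etc/haproxy/geoip_country.map) -m str CN RU KP
http-request deny deny_status 403 if blocked_country
default_backend web_servers

frontend http_front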
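bind *:80
# Trust only Cloudflare edge ranges (keep the file updated from Cloudflare's
# published list).
acl from_cloudflare src -f /etc/haproxy/cloudflare_ips.txt
# Refuse everything that did not arrive through Cloudflare, so the origin
# cannot be reached directly. (The earlier "!{ ssl_fc }" clause was always
# true on a plain :80 listener and added nothing.)
http-request deny deny_status 403 if !from_cloudflare
# Real client address comes from Cloudflare's header; it is trustworthy only
# because non-Cloudflare sources were denied above. Any src-keyed stick table
# in this frontend would count Cloudflare edges, not clients -- key such
# tables on this header instead.
http-request set-header X-Real-IP %[req.hdr(CF-Connecting-IP)] if { req.hdr(CF-Connecting-IP) -m found }
default_backend web_servers

backend web_servers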
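# HSTS: only meaningful on HTTPS responses; browsers ignore it over plain HTTP.
http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
# Content Security Policy. 'unsafe-inline' in script-src permits inline
# scripts, which is exactly what an injected payload is, so this policy
# does not mitigate XSS until the application moves to nonces/hashes.
http-response set-header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'"
# Clickjacking protection (frame-ancestors in the CSP is the modern equivalent)
http-response set-header X-Frame-Options "SAMEORIGIN"
# MIME sniffing protection
http-response set-header X-Content-Type-Options "nosniff"
# Legacy XSS filter header; modern browsers ignore it.
http-response set-header X-XSS-Protection "1; mode=block"
# Referrer Policy
http-response set-header Referrer-Policy "strict-origin-when-cross-origin"
# Permissions Policy
http-response set-header Permissions-Policy "geolocation=(), microphone=(), camera=()"
# Strip server fingerprinting headers from backend responses
http-response del-header X-Powered-By
http-response del-header Server
server web1 192.168.1.10:8080 check

frontend http_front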
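bind *:80
# Headers passed to the backend. set-header replaces any client-supplied
# value, so the application cannot be fed a forged X-Real-IP or scheme.
http-request set-header X-Real-IP %[src]
# iif() needs HAProxy 2.3+. On a plain :80 listener ssl_fc is always false.
http-request set-header X-Forwarded-Proto %[ssl_fc,iif(https,http)]
# Per-request correlation id for logs (uuid() needs 2.1+).
http-request set-header X-Request-ID %[uuid()]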
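default_backend web_servers

# userlist is a top-level section and cannot be declared inside a frontend.
# Hash prefixes: $5$ is SHA-256 crypt, $6$ is SHA-512 (mkpasswd -m sha-512);
# the values below are placeholders.
userlist admin_users
user admin password $5$salt$hashed_password
user operator password $5$salt$hashed_password

frontend admin_front
# NOTE(review): Basic auth on a plain :80 listener sends credentials in
# cleartext; terminate TLS here (see the :443 example) or redirect to it.
bind *:80
acl is_authenticated http_auth(admin_users)
# 401 with a WWW-Authenticate challenge until valid credentials are supplied.
http-request auth unless is_authenticated
default_backend admin_servers

Генерация пароля: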
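# Create the hash. -m sha-512 yields a "$6$..." crypt string; the "$5$"
# prefix used in the userlist example is SHA-256 (-m sha-256), so use the
# prefix that matches the method. With no password argument mkpasswd
# prompts for it, keeping the secret out of the shell history.
mkpasswd -m sha-512

frontend api_front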
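bind *:80
# NOTE(review): is_api was referenced but never declared, which makes the
# config fail to load; the prefix below is an assumption -- adjust it.
acl is_api path_beg /api/
# Presence and shape check of the bearer token. This only validates the
# three base64url segments; it does NOT verify signature, issuer or expiry,
# which must still happen in the backend (or with jwt_verify() on 2.5+).
# The signature segment is required to be non-empty so tokens without one
# fail the shape check. The hyphen is placed last in the class so no regex
# engine reads "9-_" as a range.
acl has_auth req.hdr(Authorization) -m found
acl valid_jwt req.hdr(Authorization) -m regex "^Bearer [A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$"
http-request deny deny_status 401 if is_api !has_auth
http-request deny deny_status 401 if is_api !valid_jwt
default_backend api_servers

frontend http_front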
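bind *:80
# Source IP blocklist loaded from a file (one IP or CIDR per line).
acl is_blacklisted src -f /etc/haproxy/blacklist_ips.txt
# Logging: a request header set on a denied request is never forwarded and
# is not part of the default log line, so it records nothing. Keep the
# reason in a transaction variable and reference it from log-format,
# e.g. %[var(txn.block_reason)].
http-request set-var(txn.block_reason) str(blacklist) if is_blacklisted
http-request deny deny_status 403 if is_blacklisted
default_backend web_servers

frontend admin_front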
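bind *:80
# Admin frontend reachable only from RFC 1918 ranges; everything else gets 403.
# src is the TCP peer address: if a proxy or load balancer sits in front,
# its address is what is checked, not the original client's.
acl is_internal src 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
http-request deny deny_status 403 if !is_internal
default_backend admin_servers

global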
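# Buffer sizes (global-only directives). Request headers must fit in
# bufsize minus maxrewrite (16384 - 1024 bytes); larger requests are rejected.
tune.bufsize 16384
tune.maxrewrite 1024
# `log global` in defaults forwards to the targets listed here; without a
# log line nothing is logged at all. Local syslog socket, facility local0.
log /dev/log local0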
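defaults
log global
mode http
option httplog
# Do not log connections that close without sending data (probes, scans).
option dontlognull
# Timeouts against Slowloris-style slow clients: the full request headers
# must arrive within 5s; idle client and server sides are cut after 30s.
timeout http-request 5s
timeout connect 5s
timeout client 30s
timeout server 30s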
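frontend https_front
# TLS termination; ssl-min-ver (1.8+) refuses TLS 1.0/1.1 handshakes.
bind *:443 ssl crt /etc/haproxy/certs/site.pem ssl-min-ver TLSv1.2
# === Blacklist ===
# Cheapest check first: blocked sources never reach the counters or WAF rules.
acl is_blacklisted src -f /etc/haproxy/blacklist_ips.txt
http-request deny deny_status 403 if is_blacklisted
# === Rate Limiting ===
# One table per proxy; expire 30s covers the longest window stored (10s).
stick-table type ip size 100k expire 30s store http_req_rate(10s),conn_cur,conn_rate(10s)
# Track at connection accept so idle or half-open connections count towards
# conn_cur/conn_rate; the HTTP request counters of the tracked entry are
# still updated for each request on the connection.
tcp-request connection track-sc0 src
# Connection limits: >50 concurrent or >10 new connections per 10s per IP.
acl conn_limit_exceeded sc_conn_cur(0) gt 50
acl conn_rate_exceeded sc_conn_rate(0) gt 10
http-request deny deny_status 429 if conn_limit_exceeded
http-request deny deny_status 429 if conn_rate_exceeded
# Request rate limit: >100 requests per 10s (~10 req/s) per IP.
acl is_rate_limited sc_http_req_rate(0) gt 100
http-request deny deny_status 429 if is_rate_limited
# === WAF ===
# Keyword filters on query parameters; -i gives case-insensitive matching
# with any regex engine. Expect false positives on parameters that
# legitimately contain these words.
# SQL Injection
acl sql_injection url_param -m regex -i "(union|select|insert|update|delete|drop)"
http-request deny deny_status 400 if sql_injection
# XSS
acl xss_attack url_param -m regex -i "(<script|javascript:|onerror=)"
http-request deny deny_status 400 if xss_attack
# Path Traversal (raw and percent-encoded: the path is not decoded before matching)
acl path_traversal path_sub -i ".." "%2e%2e"
http-request deny deny_status 400 if path_traversal
# === Security Headers ===
http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
http-response set-header X-Frame-Options "SAMEORIGIN"
http-response set-header X-Content-Type-Options "nosniff"
# Legacy header; modern browsers ignore it.
http-response set-header X-XSS-Protection "1; mode=block"
http-response set-header Referrer-Policy "strict-origin-when-cross-origin"
# Hide backend fingerprinting headers.
http-response del-header X-Powered-By
http-response del-header Server
# === Request Headers ===
# set-header overwrites client-supplied values, so the backend cannot be
# fed a forged client address or scheme.
http-request set-header X-Real-IP %[src]
http-request set-header X-Forwarded-Proto https
http-request set-header X-Request-ID %[uuid()]
default_backend web_servers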
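backend web_servers
# Health check: GET /health must answer 200, otherwise the server leaves
# the rotation. NOTE(review): this sends an HTTP/1.0 request without Host;
# on 2.2+ `option httpchk GET /health HTTP/1.1` plus `http-check send hdr
# Host <name>` is the cleaner form if the app routes on the Host header.
option httpchk GET /health
http-check expect status 200
server web1 192.168.1.10:8080 check
server web2 192.168.1.11:8080 check

frontend https_front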
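# Logging of blocked requests: the reason is carried in a transaction-scoped
# variable. set-var requires a scope prefix (txn./sess./req./res./proc.);
# a bare "reason" is rejected at load time. This log-format replaces the
# frontend's whole log line, so every request gets it, with an empty reason
# when nothing matched.
log-format "%ci:%cp [%tr] %ft %b/%s %ST %B %{+Q}r BLOCKED reason=%[var(txn.reason)]"
# These rules must come BEFORE the matching http-request deny rules: deny
# stops rule evaluation, so a set-var placed after it never runs. The ACLs
# are the ones declared in the frontend above.
http-request set-var(txn.reason) str(rate_limit) if is_rate_limited
http-request set-var(txn.reason) str(sql_injection) if sql_injection
http-request set-var(txn.reason) str(blacklist) if is_blacklisted

groups: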
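- name: security
  rules:
    # rate() is per second: fires when any frontend returns more than
    # 100 4xx responses per second, sustained for 5 minutes.
    - alert: HAProxyHigh4xxRate
      expr: rate(haproxy_frontend_http_responses_total{code="4xx"}[5m]) > 100
      for: 5m
      labels:
        severity: warning
      annotations:
        summary: "Высокий уровень 4xx ошибок"
    # The HAProxy exporters only expose status classes (1xx..5xx, other) in
    # the code label, so code="429" never matches. Requests refused by
    # http-request deny (429/403/400 alike) are counted in
    # haproxy_frontend_requests_denied_total.
    - alert: HAProxyHigh429Rate
      expr: rate(haproxy_frontend_requests_denied_total[5m]) > 50
      for: 5m
      labels:
        severity: critical
      annotations:
        summary: "Возможна DDoS атака (много 429)"

# ✅ Good (balanced)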
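http_req_rate(10s) gt 100 # ~10 req/s: normal browsing stays well below this
conn_cur gt 50
# ❌ Too aggressive
# http_req_rate(10s) gt 10 # ~1 req/s blocks legitimate clients (one page load is often more)
# ❌ Too lenient
# http_req_rate(10s) gt 1000 # ~100 req/s will not stop an attack

# ✅ Good (specific patterns)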
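acl sql_injection url_param -m regex -i "(union|select|insert)"
# ❌ Bad (too generic, many false positives)
# acl sql_injection url_param -m regex "(?i)(select)" # blocks ordinary requests
# NOTE(review): the "good" pattern also contains the bare word "select" and
# triggers on the same ordinary requests. Keyword lists on url_param are a
# coarse filter either way; exempt parameters that legitimately carry such
# words, and treat this as a first line in front of proper input validation.

# ✅ Good (complete set)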
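Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
X-Frame-Options "SAMEORIGIN"
X-Content-Type-Options "nosniff"
# The backend example above also sets Content-Security-Policy,
# Referrer-Policy and Permissions-Policy; a complete set includes them.
# ❌ Bad (incomplete set)
# Only HSTS, none of the other headers

Изучим troubleshooting: отладка, tcpdump, логи ошибок.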