# https://www.haproxy.com/documentation/hapee/latest/onepage/#home
global
    # Process-wide logging: raw lines to stdout on facility local0 (container-friendly)
    log stdout format raw local0
    tune.bufsize 65536 # 64KB - increased for WAF body inspection
    # NOTE(review): "level admin" grants the full runtime API over this socket (server state,
    # maps/ACLs, etc.). It lives in the world-writable /tmp with no explicit user/group, so its
    # 660 mode only restricts by whatever identity the haproxy process runs as. Consider a
    # dedicated runtime directory (e.g. a path under /run) with explicit `user`/`group` params,
    # and confirm nothing untrusted shares that filesystem namespace.
    stats socket /tmp/haproxy.sock mode 660 level admin
    stats timeout 30s
    # Bouncer Lua handler (lua.crowdsec_handle in the frontend) and its module search path
    lua-prepend-path /usr/lib/crowdsec-haproxy-spoa-bouncer/lua/?.lua
    lua-load /usr/lib/crowdsec-haproxy-spoa-bouncer/lua/crowdsec.lua
    # Templates rendered for ban / captcha responses — presumably read by the Lua handler; verify
    setenv CROWDSEC_BAN_TEMPLATE_PATH /var/lib/crowdsec-haproxy-spoa-bouncer/html/ban.html
    setenv CROWDSEC_CAPTCHA_TEMPLATE_PATH /var/lib/crowdsec-haproxy-spoa-bouncer/html/captcha.html
defaults
    # Inherit the global log target; HTTP-format access lines
    log global
    option httplog
    # Buffer the whole request body before processing so req.body_size (used by the
    # frontend ACL) and the body-forwarding SPOE group see the complete payload
    option http-buffer-request
    # Connect / queue limits
    timeout connect 10s
    timeout queue 15s
    # Idle limits on each side of the proxy
    timeout client 1m
    timeout server 1m
    timeout http-keep-alive 2m
    timeout tunnel 4h # for websocket
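frontend test
    mode http
    # Plain HTTP listener; TLS termination is not configured in this file
    bind *:9090
    # Per-request id, forwarded upstream as X-Unique-ID
    unique-id-format %[uuid()]
    unique-id-header X-Unique-ID
    # CrowdSec SPOE filter; message groups, agent timeouts and on-error behaviour are defined
    # in crowdsec.cfg (not part of this file)
    filter spoe engine crowdsec config /etc/haproxy/crowdsec.cfg
    # ACL for body size limit (51200 bytes = 50KB) - adjust here to change limit globally
    # Note spop protocol has limitations on the size of the message, so altering this value will not ensure the whole
    # body is sent for processing but should be enough to prevent overwhelming the SPOA bouncer.
    acl body_within_limit req.body_size -m int le 51200 # 50KB - stay safely under SPOE frame limit
    ## If you don't want to render any content, you can use the following line
    # tcp-request content reject if !{ var(txn.crowdsec.remediation) -m str "allow" }
    ## Drop ban requests before http handler is called
    # tcp-request content reject if { var(txn.crowdsec.remediation) -m str "ban" }
    # Send HTTP group conditionally based on body size
    # TCP handler already checked IP (triggered on client session), HTTP handler will use that remediation
    # Send group with body when body size <= limit (or no body present)
    http-request send-spoe-group crowdsec crowdsec-http-body if body_within_limit || !{ req.body_size -m found }
    # Send group without body when body exists and size > limit
    http-request send-spoe-group crowdsec crowdsec-http-no-body if !body_within_limit { req.body_size -m found }
    ## Strip any client-supplied copy of the trust headers before they are (conditionally) set below.
    ## set-header only runs when the txn variable exists; without this step a request that arrives
    ## while the SPOA produced no variable would carry a forged X-Crowdsec-* value to the upstream.
    http-request del-header X-Crowdsec-Remediation
    http-request del-header X-Crowdsec-IsoCode
    ## Expose the remediation decision to upstream services
    http-request set-header X-Crowdsec-Remediation %[var(txn.crowdsec.remediation)] if { var(txn.crowdsec.remediation) -m found }
    ## Expose the client's country ISO code to upstream services
    http-request set-header X-Crowdsec-IsoCode %[var(txn.crowdsec.isocode)] if { var(txn.crowdsec.isocode) -m found }
    ## Handle 302 redirect for successful captcha validation (redirect to current request URL)
    ## NOTE(review): %[url] is the request-target as received; for an absolute-form target it
    ## carries scheme and host. Only reached once the SPOA has set txn.crowdsec.redirect after
    ## an "allow" decision — confirm whether a same-origin path+query form is intended here.
    http-request redirect code 302 location %[url] if { var(txn.crowdsec.remediation) -m str "allow" } { var(txn.crowdsec.redirect) -m found }
    ## Call lua script only for ban and captcha remediations (performance optimization)
    http-request lua.crowdsec_handle if { var(txn.crowdsec.remediation) -m str "captcha" }
    http-request lua.crowdsec_handle if { var(txn.crowdsec.remediation) -m str "ban" }
    ## Handle captcha cookie management via HAProxy (new approach)
    ## Set captcha cookie when SPOA provides captcha_status (pending or valid)
    http-after-response set-header Set-Cookie %[var(txn.crowdsec.captcha_cookie)] if { var(txn.crowdsec.captcha_status) -m found } { var(txn.crowdsec.captcha_cookie) -m found }
    ## Clear captcha cookie when cookie exists but no captcha_status (Allow decision)
    http-after-response set-header Set-Cookie %[var(txn.crowdsec.captcha_cookie)] if { var(txn.crowdsec.captcha_cookie) -m found } !{ var(txn.crowdsec.captcha_status) -m found }
    # Every enforcing rule above is conditioned on txn.crowdsec.remediation being set, so a request
    # for which the SPOA returned nothing (e.g. agent error — see on-error in crowdsec.cfg) falls
    # through to the backend unblocked; the commented tcp-request reject above is the fail-closed variant.
    use_backend test_backend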
backend test_backend
    mode http
    # Upstream demo service; no `check` keyword, so HAProxy does not health-check it
    server s1 whoami:2020
backend crowdsec-spoa
    # Raw TCP transport for the SPOP agent connection (referenced from crowdsec.cfg)
    mode tcp
    # The SPOA bouncer; no `check` keyword is set here
    server s2 spoa:9000
    # Agent connect / response limits, tighter than the HTTP defaults on connect
    timeout connect 2s
    timeout server 60s