Channel: HAProxy community - Latest topics

Redirect to backend comparing requests and host in a file


Hi, I have a file, /etc/haproxy/deny_hosts.txt,antiddos

I want to have a first acl:
acl acl_antiddos hdr(Host),map_dom(/etc/haproxy/deny_hosts.txt,antiddos) -m found
use_backend antiddos if acl_antiddos

If a host exists in denyhosts.txt, the frontend forwards to the backend antiddos.

But it isn’t working:


frontend www-h2-https
  mode http
  maxconn 40000
  bind *:443 accept-proxy ssl crt /opt/certs alpn h2,http/1.1
  http-request add-header X-Forwarded-Proto https if { ssl_fc }

  # acl
  acl acl_antiddos hdr(Host),map_dom(/etc/haproxy/deny_hosts.txt,antiddos) -m found
  acl acl_panel_h2 hdr(host) -m reg -i ^app.[^\.]*\.com\.br$ ^app-[^\.].[^\.]*\.com\.br$ !^api.[^\.]*\.com\.br$ !^api-[^\.].[^\.]*\.com\.br$
  acl acl_api_h2 hdr(Host) -m reg -i ^api.[^\.]*\.com\.br$ ^api-[^\.].[^\.]*\.com\.br$ !^app\.[^\.]*\.com\.br$ !^app-[^\.].[^\.]*\.com\.br$
  acl acl_store_h2 hdr(Host) -m reg -i ^[^\.]+\.lojaintegrada\.com\.br$ !^app\.[^\.]*\.com\.br$ !^app-[^\.].[^\.]*\.com\.br$ !^api.[^\.]*\.com\.br$ !^api-[^\.].[^\.]*\.com\.br$
  
  #### Only add IP to table #####
  http-request track-sc0 src table stores-h2-backend 
  http-request track-sc1 src table panel-h2-backend if acl_panel_h2
  #### Block IP based on req/s in each table ####
  # Limit 5 req/s, table stores number of requests over 10 seconds, limit arrow to 50.
  # for i in {0..30}; do  curl  -s -o /dev/null  -w "%{http_code}\n" "https://DOMINIO" | ts ; done
  # Throttling IP.
  http-request deny deny_status 429 if { sc_http_req_rate(0,stores-h2-backend) gt 50 } or { sc_http_req_rate(1,panel-h2-backend) gt 50 }

  # redirect
  # Backend AntiDDoS
  use_backend antiddos if acl_antiddos
  #
  use_backend api-h2-backend     if acl_api_h2
  use_backend panel-h2-backend   if acl_panel_h2

  # send to http2 backend if speaks alpn
  use_backend stores-h2-backend if { ssl_fc_alpn -i h2 } or  acl_store_h2
  # or send to default backend
  default_backend store-backend

Can someone help me?

1 post - 1 participant
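
Two ways to express "route to antiddos when the Host is listed in a file", as an added example that is not part of the original post. The file layouts, the hostnames in the comments and the deny_hosts.map name are assumptions; the frontend is trimmed to the lines that matter for this rule.

```haproxy
frontend www-h2-https
  mode http
  bind *:443 accept-proxy ssl crt /opt/certs alpn h2,http/1.1

  # Option A: plain ACL pattern file, one domain per line.
  # Assumed (constructed) contents of /etc/haproxy/deny_hosts.txt:
  #   shop-one.example.com
  #   example.net
  # hdr_dom() matches when a dot-delimited portion of the Host header
  # equals one of the entries; -i makes the comparison case-insensitive.
  acl acl_antiddos hdr_dom(host) -i -f /etc/haproxy/deny_hosts.txt

  # Option B: map file with "key value" pairs on each line.
  # Assumed (constructed) contents of /etc/haproxy/deny_hosts.map:
  #   shop-one.example.com antiddos
  #   example.net          antiddos
  # map_dom() is called WITHOUT a default value here: for a Host that is
  # not in the file the converter returns nothing, so "-m found" is true
  # only for listed hosts. When a default is given, as in
  # map_dom(<file>,antiddos), the converter always returns a value and
  # "-m found" then matches every request.
  #acl acl_antiddos hdr(host),lower,map_dom(/etc/haproxy/deny_hosts.map) -m found

  # use_backend rules are evaluated in order and the first match wins,
  # so the antiddos rule stays ahead of the other routing rules.
  use_backend antiddos if acl_antiddos
  default_backend store-backend
```

Running `haproxy -c -f <config file>` after the change checks that the configuration and the referenced file parse before a reload.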
