Channel: HAProxy community - Latest topics

Blocking Bad Packets

We use HAProxy in HTTP mode as a front-end to our middleware. The middleware expects only HTTP packets. Anything that is not an HTTP packet can be discarded by HAProxy. We do get quite a number of packets every hour from malicious sites trying to crawl for various services that they can hack. Sometimes such malicious packets are not even HTTP at all, but rather some binary data. When the incoming packet is not valid HTTP, then we want HAProxy to simply silently close the connection.

The question is how can I create an ACL that detects if a packet is HTTP or not? Is it just as simple as:

frontend middleware
    mode http
    acl is_http req.proto -m end_str "HTTP/1."
    http-request silent-drop if !is_http

Since the frontend has mode=http, what does HAProxy do when it receives a packet of garbled binary data that can’t be interpreted as HTTP? Does it still process the ACL and other rules?

2 posts - 2 participants
