Channel: HAProxy community - Latest topics

Rejecting a request with any query string


I recently switched to HAProxy 3.0.11 (-9e587df) on an OpenBSD system, version 7.7. I use HA to switch between hosts but most importantly also to filter out bad traffic. Most of it works fine: requests that are for sure with bad intent lead to a TCP reject. Among those are also requests with query parameters, for example “GET /?dns…” but also things like “GET /?@zdi/Powershell”. The problem is that a few of these requests still get through. When I send them with my browser, HA rejects (closes) the connection immediately. I have not understood how these requests still make their way to my servers. I reject if “?” follows “/” (the web root) or “/index.html”.

Part of my configuration:

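```
# true when the path is exactly "/" or "/index.html"
acl defpath path / /index.html
# true when the request carries a query string
acl qstr query -m found
tcp-request inspect-delay 10s
# reject when both ACLs match
tcp-request content reject if qstr defpath
```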

The rest is not of importance, just the usual stuff and a few ACLs to reject if somebody probes, for example, for WordPress or “admin” etc.
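An added example, not part of the original post: a simplified Python model of how the two ACLs in the posted configuration combine, useful for auditing which request targets the rule covers. It assumes `path` is an exact, case-sensitive string match and `query -m found` is true whenever a `?` is present; the function names and sample targets are constructed for illustration.

```python
# Simplified model of the posted rule:
#   acl defpath path / /index.html
#   acl qstr    query -m found
#   tcp-request content reject if qstr defpath
# Assumptions: exact, case-sensitive path match; query is "found" whenever
# a '?' is present, even if nothing follows it.

DEFPATH = {"/", "/index.html"}


def split_target(target):
    """Return (path, query); query is None when the target has no '?'."""
    head, sep, query = target.partition("?")
    if "://" in head:
        # absolute-form target: the path starts at the first slash after the host
        rest = head.split("://", 1)[1]
        slash = rest.find("/")
        head = rest[slash:] if slash != -1 else ""
    return head, (query if sep else None)


def rejected(target):
    """True when both ACLs match, i.e. the rule would reject the request."""
    path, query = split_target(target)
    return query is not None and path in DEFPATH


def audit(targets):
    """Targets that carry a query string but are not covered by the rule."""
    return [t for t in targets
            if split_target(t)[1] is not None and not rejected(t)]


# Constructed sample request targets (not taken from real traffic).
SAMPLES = [
    "/?a=1", "/index.html?a=1", "/?", "/", "/index.html",
    "http://example.test/?a=1", "/Index.html?a=1", "//?a=1", "/index.htm?a=1",
]

if __name__ == "__main__":
    for t in SAMPLES:
        print(f"{t!r:32} rejected={rejected(t)}")
    print("query string present but not rejected:", audit(SAMPLES))
```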
