Hi Team,
I am new to HAProxy ACLs and am following the blog below to create a rule to keep the application safe from DDoS.
http://blog.haproxy.com/2012/10/12/scalable-waf-protection-with-haproxy-and-apache-with-modsecurity/
===
frontend ft_waf
    bind 192.168.10.2:80 name http
    mode http
    log global
    option httplog
    timeout client 25s
    maxconn 10000
    stick-table type ip size 1m expire 1m store gpc0,http_req_rate(10s),http_err_rate(10s)
    tcp-request connection track-sc1 src
    tcp-request connection reject if { sc1_get_gpc0 gt 0 }
    # Abuser means more than 100reqs/10s
    acl abuse sc1_http_req_rate(ft_web) ge 100
    acl flag_abuser sc1_inc_gpc0(ft_web)
    tcp-request content reject if abuse flag_abuser
    default_backend bk_waf
When I use ft_web, I get:

[ALERT] 193/155117 (6404) : parsing [/etc/haproxy/haproxy.cfg:65] : unable to find table 'ft_web' referenced in arg 1 of ACL keyword 'sc1_http_req_rate' in proxy 'ft_web'.

Once I changed it to ft_waf (which I think is what it should be, because we need the ACL on the frontend that is serving public traffic), I get the warning below:

Starting haproxy: [WARNING] 193/162102 (6657) : parsing acl keyword 'sc1_inc_gpc0(ft_waf)' :
no pattern to match against were provided, so this ACL will never match.
If this is what you intended, please add '--' to get rid of this warning.
If you intended to match only for existence, please use '-m found'.
If you wanted to force an int to match as a bool, please use '-m bool'.
# WAF farm where users' traffic is routed first
backend bk_waf
    balance roundrobin
    mode http
    log global
    option httplog
    option forwardfor header X-Client-IP
    option httpchk HEAD /waf_health_check HTTP/1.0
    # If the source IP generated 10 or more http request over the defined period,
    # flag the IP as abuser on the frontend
    acl abuse sc1_http_err_rate(ft_waf) ge 10
    acl flag_abuser sc1_inc_gpc0(ft_waf)
    tcp-request content reject if abuse flag_abuser
    # Specific WAF checking: a DENY means everything is OK
    http-check expect status 403
    timeout server 25s
    default-server inter 3s rise 2 fall 3
    server waf1 192.168.10.15:81 maxconn 100 weight 10 check
    server waf2 192.168.10.16:81 maxconn 100 weight 10 check

frontend ft_web
    bind 192.168.10.2:81 name http
    mode http
    log global
    option httplog
    timeout client 25s
    maxconn 1000
    # route health check requests to a specific backend to avoid graph pollution in ALOHA GUI
    use_backend bk_waf_health_check if { path /waf_health_check }
    default_backend bk_web
===
Please suggest what is wrong here.

Best Regards,
__________________________________________
Yogesh Sharma
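As an added illustration (not the poster's configuration and not the blog's), here is the ft_waf frontend with only the two lines HAProxy complained about changed. The optional argument to the sc1_* keywords is the name of the proxy that declares the stick-table the counter is tracked in; in the posted config that proxy is ft_waf, and ft_web declares no stick-table, which is what the "unable to find table 'ft_web'" alert is reporting. sc1_inc_gpc0 increments the counter and returns the new value, so as an ACL it needs a pattern to compare against; "gt 0" is the comparison the HAProxy configuration manual uses for this purpose and it always matches. Addresses, thresholds and keyword names are copied from the post (HAProxy 1.4/1.5 syntax); nothing else is assumed.

```haproxy
# Added example: corrected abuse rules for the ft_waf frontend from the post.
# Not the poster's configuration and not the blog's.
frontend ft_waf
    bind 192.168.10.2:80 name http
    mode http
    log global
    option httplog
    timeout client 25s
    maxconn 10000

    # The table is declared in this frontend, so "ft_waf" is the proxy name
    # the sc1_* keywords must reference. ft_web has no stick-table, hence
    # "unable to find table 'ft_web'".
    stick-table type ip size 1m expire 1m store gpc0,http_req_rate(10s),http_err_rate(10s)

    # Track each client IP in sc1; drop new connections from IPs already flagged.
    tcp-request connection track-sc1 src
    tcp-request connection reject if { sc1_get_gpc0 gt 0 }

    # Abuser means more than 100 requests per 10 seconds. The table argument
    # may be omitted because sc1 is tracked in this proxy's own table; it is
    # kept explicit here so the reference is visible.
    acl abuse sc1_http_req_rate(ft_waf) ge 100

    # sc1_inc_gpc0 increments gpc0 and returns the new value (always >= 1),
    # so "gt 0" always matches. Supplying this pattern is what silences the
    # "no pattern to match against" warning.
    acl flag_abuser sc1_inc_gpc0(ft_waf) gt 0

    # The condition is evaluated left to right and stops at the first false
    # ACL, so gpc0 is only incremented for IPs that already exceed the rate.
    tcp-request content reject if abuse flag_abuser

    default_backend bk_waf
```

The same change applies to the bk_waf backend in the post: its sc1_inc_gpc0(ft_waf) ACL also needs a pattern such as "gt 0" or it will trigger the identical warning. Once the tables resolve, the flagged IP stays rejected at the connection level until the stick-table entry expires (1m here), which is the intended behaviour of the gpc0 flag.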