haproxy
*******

mode http
=========

Bad IP
------

You may choose to

* drop the traffic at the firewall level
* reject the traffic at the firewall level
* return an "HTTP 403 Forbidden" error after some time (tarpit)
* return an "HTTP 403 Forbidden" error

.. code-block::

        acl bad_ip src 80.94.95.0/24
        timeout tarpit 10s
        http-request tarpit deny_status 403 if bad_ip



Dealing with HTTP/1.0
---------------------

.. code-block::

        http-request deny if HTTP_1.0

or better

.. code-block::

        http-request deny unless HTTP_2.0 || HTTP_1.1

Filter hostname
---------------

.. code-block::

        acl is_goodhostname hdr(host) -i -m reg ^(autoconfig|autodiscover)\..+(|:80)$
        http-request deny unless is_goodhostname


Filter path
-----------

.. code-block::

        acl good_path path_beg -i /Autodiscover/
        http-request deny unless good_path


Dealing with obsolete navigator
-------------------------------

.. code-block::

        http-request redirect location https://www.firefox.com/ if { hdr(user-agent) -m reg ^.*Firefox\/[0-9][0-9]\..*$ } !{ hdr(user-agent) -m sub GoogleImageProxy }
        http-request redirect location https://www.google.com/chrome/ if { hdr(user-agent) -m reg ^.*Chrome\/[0-9][0-9]\..*$ }


Bad bot
-------

.. code-block::

        acl is-bad_agent hdr(user-agent) -m sub -m reg -i -f /etc/haproxy/bad_bot.txt
        http-request deny if is-bad_agent

Rate-limiting
-------------

In the following configuration, I have set a limit to the number of POST requests to limit the number of authentication per IP.
It's not perfect as it counts the number of POST requests and not the number of failed authentication.

.. code-block::

        acl path_rdweb path_beg -i /RDWeb/
        # Define a stick-table to track POST requests per IP
        stick-table type ip size 100k expire 30m store http_req_rate(1m)
        # Track POST requests for each source IP
        http-request track-sc0 src if is_post path_rdweb
        # Deny requests if the rate exceeds 10 POSTs per minute
        acl too_many_posts sc_http_req_rate(0) gt 10
        http-request deny deny_status 429 if too_many_posts


proof-of-work (PoW) and Anubis
------------------------------

https://github.com/TecharoHQ/anubis/issues/977

Headers
-------

It's possible to forward some information about the connexion.

.. code-block::

	http-request set-header X-Forwarded-Proto https
        http-request set-header X-Forwarded-For    %[src]

More information can be forwarded but ony forward the information you need.

.. code-block::

        http-request set-header X-Real-IP          %[src]
        http-request set-header X-Forwarded-For    %[src]
        http-request set-header X-Forwarded-Method %[method]
        http-request set-header X-Forwarded-Proto  %[var(req.scheme)]
        http-request set-header X-Forwarded-Port   %[dst_port]
        http-request set-header X-Forwarded-Host   %[req.hdr(Host)]
        http-request set-header X-Forwarded-URI    %[path]%[var(req.questionmark)]%[query]
	http-request set-header X-SSL-Cipher    %[ssl_fc_cipher]
	http-request set-header X-SSL-SessionID %[ssl_fc_session_id,hex]
	http-request set-header X-SSL-SNI       %[ssl_fc_sni]
	http-request set-header X-SSL-Version   %[ssl_fc_protocol]

If the client authenticates via certificate, you can also consider

.. code-block::

        http-request set-header X-SSL-Client-Verify    %[ssl_c_verify]
        http-request set-header X-SSL-Client-DN        %{+Q}[ssl_c_s_dn]
        http-request set-header X-SSL-Client-CN        %{+Q}[ssl_c_s_dn(cn)]
        http-request set-header X-SSL-Issuer           %{+Q}[ssl_c_i_dn]
        http-request set-header X-SSL-Client-NotBefore %{+Q}[ssl_c_notbefore]
        http-request set-header X-SSL-Client-NotAfter  %{+Q}[ssl_c_notafter]

https://en.wikipedia.org/wiki/List_of_HTTP_header_fields


Proxy
-----

.. code-block::

        acl src-trusted_proxies src -f /etc/haproxy/trusted_proxies.src.acl
        http-request del-header X-Forwarded-For if !src-trusted_proxies
        acl hdr-xff_exists req.hdr(X-Forwarded-For) -m found
        http-request set-header X-Forwarded-For %[src] if !hdr-xff_exists


HTTPS
-----

.. code-block::

        bind 172.18.1.146:443 name admin ssl ssl-min-ver TLSv1.2 crt /etc/pki/tls/private/wildcard.globalsp.com_haproxy.pem


HSTS
^^^^

.. code-block::

        http-after-response set-header Strict-Transport-Security max-age=63072000;\ includeSubDomains;\ preload 


Secure cookie
^^^^^^^^^^^^^

.. code-block::

        http-response replace-header Set-Cookie ^((?:.(?!\ [Ss]ecure))*)$ \1;\ Secure


mode tcp with SSL connexion
===========================

To reject TLS 1.1 and lower

.. code-block::

        tcp-request inspect-delay 5s
        tcp-request content set-var(sess.ssl_sni) req.ssl_sni
        tcp-request content accept if { req.ssl_hello_type 1 }
        tcp-request content reject if { req.ssl_ver lt 3.3 }