new_functions_and_fixes #1
@@ -116,10 +116,6 @@ def update_haproxy_config(frontend_name, frontend_ip, frontend_port, lb_method,
|
|||||||
|
|
||||||
haproxy_cfg.write("\n")
|
haproxy_cfg.write("\n")
|
||||||
|
|
||||||
# HTTPS redirect (global)
|
|
||||||
if https_redirect:
|
|
||||||
haproxy_cfg.write(f" redirect scheme https code 301 if !{{ ssl_fc }}\n")
|
|
||||||
|
|
||||||
# Mode
|
# Mode
|
||||||
haproxy_cfg.write(f" mode {protocol}\n")
|
haproxy_cfg.write(f" mode {protocol}\n")
|
||||||
|
|
||||||
@@ -129,32 +125,28 @@ def update_haproxy_config(frontend_name, frontend_ip, frontend_port, lb_method,
|
|||||||
acl_name_sanitized = f"is_{sanitize_name(frontend_hostname)}"
|
acl_name_sanitized = f"is_{sanitize_name(frontend_hostname)}"
|
||||||
haproxy_cfg.write(f" acl {acl_name_sanitized} hdr(host) -i {frontend_hostname}\n")
|
haproxy_cfg.write(f" acl {acl_name_sanitized} hdr(host) -i {frontend_hostname}\n")
|
||||||
|
|
||||||
|
# ===== HTTP-REQUEST RULES (BEFORE REDIRECT) =====
|
||||||
|
|
||||||
if is_no_lb:
|
if is_no_lb:
|
||||||
haproxy_cfg.write(f" http-request set-header X-Forwarded-For %[src]\n")
|
haproxy_cfg.write(f" http-request set-header X-Forwarded-For %[src]\n")
|
||||||
if use_ssl:
|
if use_ssl:
|
||||||
haproxy_cfg.write(f" http-request set-header X-Forwarded-Proto https\n")
|
haproxy_cfg.write(f" http-request set-header X-Forwarded-Proto https\n")
|
||||||
else:
|
else:
|
||||||
haproxy_cfg.write(f" http-request set-header X-Forwarded-Proto http\n")
|
haproxy_cfg.write(f" http-request set-header X-Forwarded-Proto http\n")
|
||||||
|
|
||||||
if del_server_header:
|
|
||||||
haproxy_cfg.write(f" http-response del-header Server\n")
|
|
||||||
else:
|
else:
|
||||||
haproxy_cfg.write(f" balance {lb_method}\n")
|
haproxy_cfg.write(f" balance {lb_method}\n")
|
||||||
|
|
||||||
if forward_for:
|
if forward_for:
|
||||||
haproxy_cfg.write(f" option forwardfor\n")
|
haproxy_cfg.write(f" option forwardfor\n")
|
||||||
|
|
||||||
if del_server_header:
|
|
||||||
haproxy_cfg.write(f" http-response del-header Server\n")
|
|
||||||
|
|
||||||
# DOS protection
|
# DOS protection (BEFORE REDIRECT!)
|
||||||
if is_dos:
|
if is_dos:
|
||||||
haproxy_cfg.write(f" stick-table type ip size 1m expire {ban_duration} store http_req_rate(1m)\n")
|
haproxy_cfg.write(f" stick-table type ip size 1m expire {ban_duration} store http_req_rate(1m)\n")
|
||||||
haproxy_cfg.write(f" http-request track-sc0 src\n")
|
haproxy_cfg.write(f" http-request track-sc0 src\n")
|
||||||
haproxy_cfg.write(f" acl abuse sc_http_req_rate(0) gt {limit_requests}\n")
|
haproxy_cfg.write(f" acl abuse sc_http_req_rate(0) gt {limit_requests}\n")
|
||||||
haproxy_cfg.write(f" http-request silent-drop if abuse\n")
|
haproxy_cfg.write(f" http-request silent-drop if abuse\n")
|
||||||
|
|
||||||
# SQL Injection protection
|
# SQL Injection protection (BEFORE REDIRECT!)
|
||||||
if sql_injection_check:
|
if sql_injection_check:
|
||||||
haproxy_cfg.write(" acl is_sql_injection urlp_reg -i (union|select|insert|update|delete|drop|@@|1=1|`1)\n")
|
haproxy_cfg.write(" acl is_sql_injection urlp_reg -i (union|select|insert|update|delete|drop|@@|1=1|`1)\n")
|
||||||
haproxy_cfg.write(" acl is_long_uri path_len gt 400\n")
|
haproxy_cfg.write(" acl is_long_uri path_len gt 400\n")
|
||||||
@@ -162,19 +154,19 @@ def update_haproxy_config(frontend_name, frontend_ip, frontend_port, lb_method,
|
|||||||
haproxy_cfg.write(" acl is_sql_injection2 urlp_reg -i (;|substring|extract|union\\s+all|order\\s+by)\\s+(\\d+|--\\+)\n")
|
haproxy_cfg.write(" acl is_sql_injection2 urlp_reg -i (;|substring|extract|union\\s+all|order\\s+by)\\s+(\\d+|--\\+)\n")
|
||||||
haproxy_cfg.write(f" http-request deny if is_sql_injection or is_long_uri or semicolon_path or is_sql_injection2\n")
|
haproxy_cfg.write(f" http-request deny if is_sql_injection or is_long_uri or semicolon_path or is_sql_injection2\n")
|
||||||
|
|
||||||
# XSS protection
|
# XSS protection (BEFORE REDIRECT!)
|
||||||
if is_xss:
|
if is_xss:
|
||||||
haproxy_cfg.write(" acl is_xss_attack urlp_reg -i (<|>|script|alert|onerror|onload|javascript)\n")
|
haproxy_cfg.write(" acl is_xss_attack urlp_reg -i (<|>|script|alert|onerror|onload|javascript)\n")
|
||||||
haproxy_cfg.write(" acl is_xss_attack_2 urlp_reg -i (<\\s*script\\s*|javascript:|<\\s*img\\s*src\\s*=|<\\s*a\\s*href\\s*=|<\\s*iframe\\s*src\\s*=|\\bon\\w+\\s*=|<\\s*input\\s*[^>]*\\s*value\\s*=|<\\s*form\\s*action\\s*=|<\\s*svg\\s*on\\w+\\s*=)\n")
|
haproxy_cfg.write(" acl is_xss_attack_2 urlp_reg -i (<\\s*script\\s*|javascript:|<\\s*img\\s*src\\s*=|<\\s*a\\s*href\\s*=|<\\s*iframe\\s*src\\s*=|\\bon\\w+\\s*=|<\\s*input\\s*[^>]*\\s*value\\s*=|<\\s*form\\s*action\\s*=|<\\s*svg\\s*on\\w+\\s*=)\n")
|
||||||
haproxy_cfg.write(" acl is_xss_attack_hdr hdr_reg(Cookie|Referer|User-Agent) -i (<|>|script|alert|onerror|onload|javascript)\n")
|
haproxy_cfg.write(" acl is_xss_attack_hdr hdr_reg(Cookie|Referer|User-Agent) -i (<|>|script|alert|onerror|onload|javascript)\n")
|
||||||
haproxy_cfg.write(f" http-request deny if is_xss_attack or is_xss_attack_2 or is_xss_attack_hdr\n")
|
haproxy_cfg.write(f" http-request deny if is_xss_attack or is_xss_attack_2 or is_xss_attack_hdr\n")
|
||||||
|
|
||||||
# Webshells protection
|
# Webshells protection (BEFORE REDIRECT!)
|
||||||
if is_webshells:
|
if is_webshells:
|
||||||
haproxy_cfg.write(" acl blocked_webshell path_reg -i /(cmd|shell|backdoor|webshell|phpspy|c99|kacak|b374k|log4j|log4shell|wsos|madspot|malicious|evil).*\\.php.*\n")
|
haproxy_cfg.write(" acl blocked_webshell path_reg -i /(cmd|shell|backdoor|webshell|phpspy|c99|kacak|b374k|log4j|log4shell|wsos|madspot|malicious|evil).*\\.php.*\n")
|
||||||
haproxy_cfg.write(f" http-request deny if blocked_webshell\n")
|
haproxy_cfg.write(f" http-request deny if blocked_webshell\n")
|
||||||
|
|
||||||
# ===== CUSTOM ACL RULES =====
|
# ===== CUSTOM ACL RULES (BEFORE REDIRECT!) =====
|
||||||
if add_custom_acl and custom_acl_name and custom_acl_value:
|
if add_custom_acl and custom_acl_name and custom_acl_value:
|
||||||
# Write ACL rule based on type
|
# Write ACL rule based on type
|
||||||
if custom_acl_type == 'path_beg':
|
if custom_acl_type == 'path_beg':
|
||||||
@@ -198,6 +190,14 @@ def update_haproxy_config(frontend_name, frontend_ip, frontend_port, lb_method,
|
|||||||
elif custom_acl_action == 'route' and custom_acl_backend:
|
elif custom_acl_action == 'route' and custom_acl_backend:
|
||||||
haproxy_cfg.write(f" use_backend {custom_acl_backend} if {custom_acl_name}\n")
|
haproxy_cfg.write(f" use_backend {custom_acl_backend} if {custom_acl_name}\n")
|
||||||
|
|
||||||
|
# ===== HTTPS REDIRECT (AFTER ALL PROTECTIONS) =====
|
||||||
|
if https_redirect:
|
||||||
|
haproxy_cfg.write(f" redirect scheme https code 301 if !{{ ssl_fc }}\n")
|
||||||
|
|
||||||
|
# ===== HTTP-RESPONSE RULES (AFTER REDIRECT) =====
|
||||||
|
if del_server_header:
|
||||||
|
haproxy_cfg.write(f" http-response del-header Server\n")
|
||||||
|
|
||||||
# ===== BACKEND ROUTING =====
|
# ===== BACKEND ROUTING =====
|
||||||
if acl_name_sanitized:
|
if acl_name_sanitized:
|
||||||
# Jeśli jest hostname, routuj z ACL
|
# Jeśli jest hostname, routuj z ACL
|
||||||
|
|||||||
Reference in New Issue
Block a user