ajout de http cats (avec adaptation selinux en parallèle)
+43
-23
@@ -1,7 +1,7 @@
|
||||
global
|
||||
lua-load /etc/haproxy/cors/cors.lua
|
||||
#log /dev/log local0
|
||||
#log /dev/log local1 notice
|
||||
log /dev/log local0
|
||||
log /dev/log local1 notice
|
||||
log 127.0.0.1 local2
|
||||
log-send-hostname
|
||||
chroot /var/lib/haproxy
|
||||
@@ -35,12 +35,6 @@ global
|
||||
ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
|
||||
ssl-default-server-options ssl-min-ver TLSv1.2 no-tls-tickets
|
||||
|
||||
#ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
|
||||
#ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
|
||||
|
||||
#ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
|
||||
#ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
|
||||
|
||||
|
||||
defaults
|
||||
log global
|
||||
@@ -52,13 +46,16 @@ defaults
|
||||
timeout server 600s
|
||||
timeout http-request 5s
|
||||
option http-buffer-request
|
||||
# errorfile 400 /etc/haproxy/errors/400.http
|
||||
# errorfile 403 /etc/haproxy/errors/403.http
|
||||
# errorfile 408 /etc/haproxy/errors/408.http
|
||||
# errorfile 500 /etc/haproxy/errors/500.http
|
||||
# errorfile 502 /etc/haproxy/errors/502.http
|
||||
# errorfile 503 /etc/haproxy/errors/503.http
|
||||
# errorfile 504 /etc/haproxy/errors/504.http
|
||||
|
||||
|
||||
http-errors kitties
|
||||
errorfile 400 /etc/haproxy/http-cat-errors/400.http
|
||||
errorfile 403 /etc/haproxy/http-cat-errors/403.http
|
||||
errorfile 408 /etc/haproxy/http-cat-errors/408.http
|
||||
errorfile 500 /etc/haproxy/http-cat-errors/500.http
|
||||
errorfile 502 /etc/haproxy/http-cat-errors/502.http
|
||||
errorfile 503 /etc/haproxy/http-cat-errors/503.http
|
||||
errorfile 504 /etc/haproxy/http-cat-errors/504.http
|
||||
|
||||
userlist admin-ghost
|
||||
group is-admin
|
||||
@@ -95,6 +92,18 @@ frontend https
|
||||
http-request track-sc0 src table per_ip_rates
|
||||
http-request silent-drop if { sc_http_req_rate(0) gt 100 }
|
||||
|
||||
# config httpcats
|
||||
errorfiles kitties
|
||||
http-response return status 400 default-errorfiles if { status 400 }
|
||||
http-response return status 401 default-errorfiles if { status 401 }
|
||||
http-response return status 403 default-errorfiles if { status 403 }
|
||||
http-response return status 404 default-errorfiles if { status 404 }
|
||||
http-response return status 408 default-errorfiles if { status 408 }
|
||||
http-response return status 500 default-errorfiles if { status 500 }
|
||||
http-response return status 502 default-errorfiles if { status 502 }
|
||||
http-response return status 503 default-errorfiles if { status 503 }
|
||||
http-response return status 504 default-errorfiles if { status 504 }
|
||||
|
||||
## config antiDDOS
|
||||
# Suivi du taux de requêtes par IP
|
||||
stick-table type ip size 1m expire 10m store http_req_rate(10s)
|
||||
@@ -200,10 +209,6 @@ backend boudoir-backend
|
||||
|
||||
# Deny /ghost/ hors IP white
|
||||
http-request deny if ghost_path !is_whitelisted_full
|
||||
|
||||
# Auth basique pour /ghost/ (toujours demandée si pas IP white, mais safe)
|
||||
# http-request auth realm "Ghost Admin" unless admin_auth if ghost_path
|
||||
# Bloque /ghost/ hors votre IP (sécurisé, simple)
|
||||
server boudoir 192.168.1.57:2368 check
|
||||
|
||||
|
||||
@@ -238,15 +243,30 @@ backend hass-backend
|
||||
|
||||
backend cms
|
||||
#server cms 192.168.1.101:80
|
||||
acl ghost_path path_beg /ghost/
|
||||
acl is_whitelisted src 82.67.3.126/32
|
||||
acl is_lan src 192.168.1.0/24 # Plage LAN (adaptez 192.168.1.0/24 si précis)
|
||||
acl is_lan2 src 192.168.2.0/24 # Plage LAN (adaptez 192.168.1.0/24 si précis)
|
||||
acl is_whitelisted_full src 82.67.3.126/32 192.168.1.0/24 192.168.2.0/24 # Combine
|
||||
acl admin_auth http_auth_group(admin-ghost) is-admin
|
||||
|
||||
# Deny /ghost/ hors IP white
|
||||
http-request deny if ghost_path !is_whitelisted_full
|
||||
server cms 192.168.1.250:2369
|
||||
|
||||
backend cms2
|
||||
#mode http
|
||||
acl ghost_path path_beg /ghost/
|
||||
acl is_whitelisted src 82.67.3.126/32
|
||||
acl is_lan src 192.168.1.0/24 # Plage LAN (adaptez 192.168.1.0/24 si précis)
|
||||
acl is_lan2 src 192.168.2.0/24 # Plage LAN (adaptez 192.168.1.0/24 si précis)
|
||||
acl is_whitelisted_full src 82.67.3.126/32 192.168.1.0/24 192.168.2.0/24 # Combine
|
||||
acl admin_auth http_auth_group(admin-ghost) is-admin
|
||||
|
||||
# Deny /ghost/ hors IP white
|
||||
http-request deny if ghost_path !is_whitelisted_full
|
||||
|
||||
server ghost_server 192.168.1.55:2368
|
||||
#http-request set-header X-Forwarded-Proto https
|
||||
#http-request set-header Host %[hdr(host)]
|
||||
#http-request set-header X-Real-IP %[src]
|
||||
#http-request set-header X-Forwarded-For %[src]
|
||||
|
||||
backend mattermost
|
||||
server mattermost 192.168.1.112:8065
|
||||
|
||||
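Review bot: In the `frontend https` hunk, `http-response return status 401 default-errorfiles if { status 401 }` and the matching 404 rule appear to replace the entire backend response, so a backend-issued 401 loses its `WWW-Authenticate` header and any JSON error body from the API-style backends (`backend mattermost`, and presumably `backend hass-backend`) becomes a cat page, which breaks clients that negotiate auth or read the error body; the `frontend https` section itself starts before this hunk. `http-errors kitties` defines no 401 or 404 file either, so `default-errorfiles` for those two codes presumably falls back to HAProxy's built-in pages rather than a cat — confirm that is intended. I would drop the 401 rule and gate the remaining ones on HTML responses only, e.g. `acl res_html res.hdr(content-type) -m beg text/html` followed by `http-response return status 404 default-errorfiles if { status 404 } res_html`, since HAProxy's own errors (the backend `http-request deny` 403s, timeouts, 502/503/504) are already served from the kitties files by `errorfiles kitties` without these rules. A comment above the block would also help: `# Rewrites backend-generated error bodies only; HAProxy's own errors already use the kitties errorfiles.`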