HAProxy configuration
major edited this page Aug 20, 2019
·
1 revision
You can use Darwin to enhance HAProxy, turning it into a firewall that uses machine learning solutions to protect the servers from malicious requests.
To do so, you will need an HAProxy configuration file that connects HAProxy's SPOE (Stream Processing Offload Engine) to an SPOA (Stream Processing Offload Agent) using SPOP (Stream Processing Offload Protocol).
Here is an example HAProxy configuration file:
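# Process-wide settings: connection and file-descriptor limits, syslog target,
# privilege drop, chroot jail and process model.
global
    maxconn 20000
    ulimit-n 41000
    log 127.0.0.1 local0
    # Run the workers as an unprivileged account instead of uid 0 / gid 0.
    # A process that keeps root can break out of the chroot below, and the
    # listener here is on port 8005, which does not need root. HAProxy is
    # still started as root so that ulimit-n and chroot can be applied before
    # the drop. "haproxy" is the account most distribution packages create;
    # replace it with the unprivileged account used on your system.
    user haproxy
    group haproxy
    chroot /var/empty
    # nbproc is deprecated and was removed in HAProxy 2.5; on current releases
    # use threads (nbthread) instead. Kept as written for the 2019 example.
    nbproc 4
    daemon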
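# HTTP frontend: logs every request as JSON, sends the User-Agent header to the
# Darwin SPOE filter, and denies requests whose returned score is above 20.
frontend test-proxy-fr
    bind *:8005
    mode http
    log global
    option httplog
    # NOTE(review): "log global" already sends to 127.0.0.1 local0; this second
    # target may cause each request to be logged twice. Confirm it is intended.
    log 127.0.0.1 len 2000 local0
    # The custom log-format below takes precedence over "option httplog".
    # %{+E} escapes quotes and backslashes in client-controlled fields so they
    # cannot break out of the JSON string they are placed in.
    # The "decision" field now reads the same variable as the deny rule below
    # (sess.user_agent.ip_score); the original referenced sess.decision.ip_score,
    # which nothing in this file sets. The "user_agent" prefix must match the
    # var-prefix configured in spoe-user_agent.conf -- confirm against that file.
    # The field is unquoted: when the agent returns no score it is empty and
    # the log line is not valid JSON, which is worth alerting on.
    log-format "{ \"bytes_read\": \"%B\", \"captured_request_cookie\": \"%{+E}CC\", \"captured_response_cookie\": \"%{+E}CS\", \"hostname\": \"%{+E}H\", \"http_method\": \"%{+E}HM\", \"http_path\": \"%{+E}HP\", \"http_get_params\": \"%{+E}HQ\", \"http_request_uri\": \"%{+E}HU\", \"http_version\": \"%{+E}HV\", \"unique_id\": \"%{+E}ID\", \"status_code\": %ST, \"gmt_date_time\": \"%{+E}T\", \"http_request_time\": %Ta, \"http_idle_time\": %Ti, \"handshake_time\": %Th, \"local_date_time\": \"%{+E}Tl\", \"http_receive_time\": %TR, \"http_response_time\": %Tr, \"unix_timestamp\": %Ts, \"bytes_received\": %U, \"active_conn\": %ac, \"backend_name\": \"%{+E}b\", \"beconn\": %bc, \"backend_ip\": \"%bi\", \"backend_port\": \"%bp\", \"backend_queue\": %bq, \"src_ip\": \"%ci\", \"src_port\": %cp, \"frontend_name\": \"%{+E}f\", \"feconn\": %fc, \"frontend_ip\": \"%fi\", \"frontend_port\": %fp, \"pid\": %pid, \"http_request\": \"%{+E}r\", \"retries\": %rc, \"request_count\": %rt, \"server_name\": \"%{+E}s\", \"srvconn\": %sc, \"server_ip\": \"%si\", \"server_port\": \"%sp\", \"server_queue\": %sq, \"date_time\": \"%t\", \"http_date_time\": \"%tr\", \"termination_state\": \"%ts\", \"decision\": %[var(sess.user_agent.ip_score)]}"
    maxconn 8000
    timeout client 30s
    # NOTE(review): "proc" scope is shared by every request handled by the
    # process, so concurrent requests can overwrite each other's value before
    # the agent reads it. A per-transaction scope (txn.) avoids that, but the
    # message arguments in spoe-user_agent.conf would have to change with it,
    # so the scope is left as written here.
    http-request set-var(proc.user_agent) req.fhdr(user-agent)
    filter spoe engine user_agent config spoe-user_agent.conf
    # Fail-open: if the agent is down or times out, the variable is never set,
    # this condition does not match, and the request is forwarded unfiltered.
    # Monitor the SPOE backend's health and decide whether that is acceptable.
    http-request deny if { var(sess.user_agent.ip_score) -m int gt 20 }
    default_backend awesome-website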
# Protected application: requests that pass the frontend's deny rule are
# forwarded here over plain HTTP to a single health-checked server.
backend awesome-website
    mode http
    retries 2
    timeout server 5s
    timeout connect 5s
    server awesome-website-1 10.59.10.20:80 check
# TCP backend for the Darwin agent (SPOA). Presumably this is the backend
# that spoe-user_agent.conf points the engine at -- verify against that file.
# The server line has no "ssl" keyword, so the request data sent to the agent
# is not encrypted; keep this link on a trusted network segment.
backend user_agent-backend
    mode tcp
    timeout connect 5s
    timeout server 1m
    server user_agent-srv 10.59.10.28:12345 check maxconn 5