> So since haproxy has no business in the game of decoding URIs, it simply
> ignores them. However if you want to add a bit of control there, you can
> easily do it with some regex :
>
>     acl bad-pct url_reg -i %[^0-9a-f] %[0-9a-f][^0-9a-f]
>     http-request deny if bad-pct
>
> But I still think it's not the best place to do this and maybe you need a
> WAF instead (which could happily be load balanced by haproxy since it will
> not mangle the requests).
>
> Regards,
> Willy

For those who missed it, here are 2 articles with HAProxy load-balancing WAF:

HAProxy and apache / modsecurity:
http://blog.exceliance.fr/2012/10/12/scalable-waf-protection-with-haproxy-and-apache-with-modsecurity/

HAProxy and nginx / naxsi:
http://blog.exceliance.fr/2012/10/16/high-performance-waf-platform-with-naxsi-and-haproxy/

cheers
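
An added example, not part of the original thread: the two patterns from the quoted ACL checked against constructed request URIs, beside a stricter pattern that also flags a percent escape cut short by the end of the URI. The stricter pattern and the sample URIs are assumptions of this example, and Python's `re` stands in for HAProxy's regex engine.

```python
import re

# The two patterns from the quoted ACL; re.I mirrors the -i flag.
ACL_PATTERNS = [re.compile(p, re.I)
                for p in (r"%[^0-9a-f]", r"%[0-9a-f][^0-9a-f]")]

# Assumption (not from the thread): a single pattern that additionally treats
# "%" or "%<one hex digit>" at the very end of the URI as malformed.
STRICT = re.compile(r"%($|[^0-9a-f]|[0-9a-f]($|[^0-9a-f]))", re.I)


def acl_flags(uri):
    """True if either ACL pattern matches anywhere in the URI."""
    return any(p.search(uri) for p in ACL_PATTERNS)


def strict_flags(uri):
    """True if any '%' is not followed by two hex digits."""
    return STRICT.search(uri) is not None


# Constructed sample URIs, as they would appear in the request line.
SAMPLES = [
    "/index.html?q=a%20b",   # valid escape
    "/a%2Fb",                # valid escape, upper-case hex
    "/files/%zz/report",     # non-hex first digit
    "/files/%4g/report",     # non-hex second digit
    "/a%%41",                # '%' followed by '%'
    "/search?q=100%",        # '%' is the last byte of the URI
    "/search?q=%4",          # escape truncated after one hex digit
]


def compare(samples=SAMPLES):
    """Return (uri, flagged_by_acl, flagged_by_strict) for each sample."""
    return [(u, acl_flags(u), strict_flags(u)) for u in samples]


if __name__ == "__main__":
    for uri, acl, strict in compare():
        print(f"{uri:24} acl={acl!s:5} strict={strict}")
```

The last two samples pass the two-pattern ACL because both patterns need a character after the bad escape; the stricter pattern anchors on end of string to cover them.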

