On 28 Jul 2017 5:41 pm, "Charlie Elgholm" <[email protected]> wrote:

Hi Folks,

Either I'm too stupid, or it's because it's Friday....

Can you tarpit/reject (or other action) based on a response from the
backend?
You should be able to, right?

Like this:
tcp-response content tarpit/reject if res.hdr(X-Tarpit-This)

Can someone explain this to me? (Free beer.)

I have a fairly complex ruleset on my backend server, written in Oracle
PL/SQL, which monitors Hack- or DoS-attempts, and I would love to tarpit
some requests on the frontend (by haproxy) based on something that happens
on my backend.

As I do now, I return a 503 response from the server, and iptable-block
those addresses for a while. But since they see the 503 response they'll
return at a later date and try again. I would like the connection to just
die (drop, no response at all) or tarpit (long timeout, so they give up). I
suppose/hope they'll eventually remove my IP from their databases.

I'm guessing a tarpit is smarter than a reject, since the reject will
indicate to the attacker that something exists behind the server IP.
An iptable "drop" would be preferable, but I guess that's a little late
since haproxy has already acknowledged the connection to the attacker.

-- 
Regards
Charlie Elgholm
Brightly AB

Good example of delay with lua:
http://godevops.net/2015/06/24/adding-random-delay-specific-http-requests-haproxy-lua/
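Besides the Lua delay approach linked above, the question can also be answered with plain HAProxy configuration, using a stick table as the bridge between the backend's response and the frontend's action. The example below is added here for illustration and is not part of the thread or of the HAProxy project's own documentation. It assumes HAProxy 1.6 or later (for `silent-drop` and the `http-response sc-inc-gpc0` action), a single backend server at an assumed address, and the `X-Tarpit-This` header name taken from the question. Note the caveat this design carries: a response has already been produced by the time the header is seen, so the flag set by the backend affects that client's subsequent requests, not the request that triggered it.

```haproxy
# Added example, not from the thread: let the backend flag a client via a
# response header, then tarpit (or silently drop) that client's later requests.
# Assumes HAProxy 1.6+; header name X-Tarpit-This comes from the question;
# the server address 127.0.0.1:8080 is a placeholder.

frontend web
    mode http
    bind :80

    # Per-client-IP table holding a general-purpose counter (gpc0).
    # Entries expire 30 minutes after they were last touched.
    stick-table type ip size 100k expire 30m store gpc0

    # Track each client IP in this table as stick counter 0.
    http-request track-sc0 src

    # Clients the backend has previously flagged: hold the connection open
    # for "timeout tarpit" and then answer with a 500 so they give up slowly.
    http-request tarpit if { sc_get_gpc0(0) gt 0 }
    timeout tarpit 60s

    # Alternative to tarpit: close the connection with no response at all.
    # http-request silent-drop if { sc_get_gpc0(0) gt 0 }

    default_backend app

backend app
    mode http
    server app1 127.0.0.1:8080

    # When the backend marks a response, increment this client's counter.
    # sc0 still refers to the entry tracked by track-sc0 in the frontend.
    http-response sc-inc-gpc0(0) if { res.hdr(X-Tarpit-This) -m found }

    # Do not leak the internal marker header to the client.
    http-response del-header X-Tarpit-This
```

With this in place the backend keeps its PL/SQL detection logic and only needs to emit the header; the frontend decides what to do on the next request from that address. Because the flag lives in a stick table rather than in the connection, it survives across connections from the same IP until the table entry expires, which is what makes the "react to something that happened on the backend" behaviour possible without Lua.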
