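# Public listener (the section header is above this excerpt). Requests are
# normally sent through the WAF farm (bk_waf) before reaching the application.
    bind 1.2.3.4:80 name http
    mode http
    log global
    option httplog
    timeout client 25s
    maxconn 10000

    # DDOS protection
    # Use General Purpose Counter (gpc) 0 in SC1 as a global abuse counter.
    # Monitors the number of requests sent by an IP over a period of 10 seconds.
    # An entry expires 1 minute after it was last touched, so a flagged IP stays
    # rejected for as long as it keeps connecting and for 1 minute after it stops.
    stick-table type ip size 1m expire 1m store gpc0,http_req_rate(10s),http_err_rate(10s)
    tcp-request connection track-sc1 src
    # gpc0 > 0 means the IP was flagged as an abuser (here or in bk_waf)
    tcp-request connection reject if { sc1_get_gpc0 gt 0 }
    # Abuser means 100 or more requests per 10s.
    # The rate is read from the table of the tracked counter, i.e. the
    # stick-table declared above. The previous "(ft_web)" argument pointed at
    # frontend ft_web, which declares no stick-table.
    acl abuse sc1_http_req_rate ge 100
    # A condition stops being evaluated as soon as its result is known, so
    # flag_abuser (and the gpc0 increment) only runs when "abuse" matched.
    acl flag_abuser sc1_inc_gpc0
    tcp-request content reject if abuse flag_abuser

    # X-Client-IP is used by bk_web as the source address of its connection to
    # the application server (usesrc hdr_ip), so it must never carry a value
    # sent by the client. Overwrite it here so both the WAF path and the
    # WAF-bypass paths below forward the real client address.
    http-request set-header X-Client-IP %[src]

    acl static path_beg /static/ /dokuwiki/images/
    acl no_waf nbsrv(bk_waf) eq 0
    acl waf_max_capacity queue(bk_waf) ge 1
    # bypass WAF farm if no WAF available
    use_backend bk_web if no_waf
    # bypass WAF farm for static content if it reaches its capacity
    use_backend bk_web if static waf_max_capacity
    default_backend bk_waf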
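# WAF farm where users' traffic is routed first
backend bk_waf
    balance roundrobin
    mode http
    log global
    option httplog
    # Drop any X-Client-IP received from the client, then let "option forwardfor"
    # add the real source address: bk_web uses this header as the source of its
    # connection to the application server (usesrc hdr_ip).
    http-request del-header X-Client-IP
    option forwardfor header X-Client-IP
    option httpchk HEAD /waf_health_check HTTP/1.0

    # If the source IP generated 10 or more HTTP errors (invalid requests and
    # 4xx responses, which is what a WAF DENY produces) over the 10s period of
    # the ft_waf stick-table, flag the IP as abuser on the frontend: gpc0 > 0
    # makes ft_waf reject its next connections. ft_waf counts the request rate,
    # this backend counts the error rate.
    acl abuse sc1_http_err_rate(ft_waf) ge 10
    # evaluated only when "abuse" matched, so gpc0 is incremented for abusers only
    acl flag_abuser sc1_inc_gpc0(ft_waf)
    tcp-request content reject if abuse flag_abuser

    # Specific WAF checking: a DENY means everything is OK.
    # The WAF is expected to answer /waf_health_check with a 403; any other
    # status (e.g. the request being passed on to the application) marks the
    # WAF server as down.
    http-check expect status 403
    timeout server 25s
    default-server inter 3s rise 2 fall 3
    server waf1 10.0.0.2:80 maxconn 100 weight 10 check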
# Traffic secured by the WAF arrives here
frontend ft_web
    bind 10.0.0.1:81 name http
    mode http
    log global
    option httplog
    timeout client 25s
    maxconn 1000
    # NOTE(review): nothing in this section limits which hosts may connect to
    # :81, while bk_web trusts the X-Client-IP header of these requests
    # (usesrc hdr_ip); this listener should only be reachable from the WAF
    # servers — confirm with the network/firewall setup.
    # Route health check requests to a specific backend to avoid graph
    # pollution in ALOHA GUI.
    acl is_waf_health_check path /waf_health_check
    use_backend bk_waf_health_check if is_waf_health_check
    default_backend bk_web
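# application server farm
backend bk_web
    balance roundrobin
    mode http
    log global
    option httplog
    # X-Forwarded-For carries the address of the peer that connected to the
    # frontend (the WAF server on the WAF path).
    option forwardfor
    # persistence cookie; httponly keeps it out of reach of client-side scripts
    cookie SERVERID insert indirect nocache httponly
    default-server inter 3s rise 2 fall 3
    option httpchk HEAD /
    # Get connected on the application server using the user IP provided in
    # the X-Client-IP header. On the WAF path this header is added by bk_waf
    # (option forwardfor header X-Client-IP). On the WAF-bypass paths of ft_waf
    # (no_waf / waf_max_capacity) nothing on this page sets it, so the value
    # used is whatever the request carried — make sure ft_waf forces it
    # (e.g. http-request set-header X-Client-IP %[src]).
    # usesrc requires transparent-proxy support (kernel and haproxy build) and
    # the server's return traffic to be routed back through this host.
    source 0.0.0.0 usesrc hdr_ip(X-Client-IP)
    timeout server 25s
    server server1 10.0.0.3:80 maxconn 100 weight 10 cookie server1 check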
# backend dedicated to WAF checking (to avoid graph pollution)
backend bk_waf_health_check
    mode http
    balance roundrobin
    log global
    option httplog
    option forwardfor
    timeout server 25s
    default-server inter 3s rise 2 fall 3
    # Same application server as bk_web; only the WAF health-check requests
    # (path /waf_health_check, routed here by ft_web) land on this backend.
    # "check" without "option httpchk" is a plain TCP connect check, so this
    # server is probed a second time in addition to bk_web's HTTP check.
    server server1 10.0.0.3:80 maxconn 100 weight 10 check