Issue
I have installed HAProxy 1.5.18 on a Centos 7.
In the /etc/haproxy/haproxy.cfg I have following line:
frontend free_api
bind *:80
stats uri /haproxy?stats
mode http
option forwardfor
acl key1 urlp(key) 12345
acl key2 urlp(key) 6789
http-request deny if key1
http-request deny if key2
# use_backend api if api
default_backend api
Right now the URL access gets denied for query string key with a matching value of 12345 or 6789. HAProxy returns a 403 Forbidden status code back.
What I am looking is to simply drop the connection so nothing is returned back to user? How to do that in HAProxy?
Thanks.
Solution
use haproxy v1.6 and higher, and directive silent-drop
http-request silent-drop if key1
"silent-drop" : this stops the evaluation of the rules and makes the client-facing connection suddenly disappear using a system-dependent way that tries to prevent the client from being notified. The effect it then that the client still sees an established connection while there's none on HAProxy. The purpose is to achieve a comparable effect to "tarpit" except that it doesn't use any local resource at all on the machine running HAProxy. It can resist much higher loads than "tarpit", and slow down stronger attackers. It is important to understand the impact of using this mechanism. All stateful equipment placed between the client and HAProxy (firewalls, proxies, load balancers) will also keep the established connection for a long time and may suffer from this action. On modern Linux systems running with enough privileges, the TCP_REPAIR socket option is used to block the emission of a TCP reset. On other systems, the socket's TTL is reduced to 1 so that the TCP reset doesn't pass the first router, though it's still delivered to local networks. Do not use it unless you fully understand how it works.
Answered By - nuster cache server