Tuesday, November 16, 2021

[SOLVED] How to set up HAProxy to drop the connection on a matching query string key value?

Issue

I have installed HAProxy 1.5.18 on a Centos 7.

In the /etc/haproxy/haproxy.cfg I have following line:

frontend free_api
    bind *:80
    stats uri /haproxy?stats
    mode http
    option forwardfor
    acl key1 urlp(key) 12345
    acl key2 urlp(key) 6789

    http-request deny if key1
    http-request deny if key2

    # use_backend api if api
    default_backend api

Right now the URL access gets denied for query string key with a matching value of 12345 or 6789. HAProxy returns a 403 Forbidden status code back.

What I am looking for is to simply drop the connection so nothing is returned to the user. How do I do that in HAProxy?

Thanks.


Solution

Use HAProxy v1.6 or higher and the silent-drop directive:

http-request silent-drop if key1

"silent-drop" : this stops the evaluation of the rules and makes the client-facing connection suddenly disappear using a system-dependent way that tries to prevent the client from being notified. The effect is then that the client still sees an established connection while there's none on HAProxy. The purpose is to achieve a comparable effect to "tarpit" except that it doesn't use any local resource at all on the machine running HAProxy. It can resist much higher loads than "tarpit", and slow down stronger attackers. It is important to understand the impact of using this mechanism. All stateful equipment placed between the client and HAProxy (firewalls, proxies, load balancers) will also keep the established connection for a long time and may suffer from this action. On modern Linux systems running with enough privileges, the TCP_REPAIR socket option is used to block the emission of a TCP reset. On other systems, the socket's TTL is reduced to 1 so that the TCP reset doesn't pass the first router, though it's still delivered to local networks. Do not use it unless you fully understand how it works.



Answered By - nuster cache server
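The question's frontend rewritten with the answer's directive, as an added example that is not the answerer's own config: the two ACLs are merged into one named blocked_key (my naming), and the api backend is assumed to be defined elsewhere in haproxy.cfg as in the question.

```haproxy
frontend free_api
    bind *:80
    stats uri /haproxy?stats
    mode http
    option forwardfor

    # urlp(key) extracts the value of the "key" query parameter; an ACL
    # accepts several patterns, so one line covers both blocked values.
    acl blocked_key urlp(key) 12345 6789

    # HAProxy 1.6+: stop rule evaluation and drop the client connection
    # without sending any response, instead of "http-request deny" (403).
    http-request silent-drop if blocked_key

    default_backend api
```

As the quoted documentation warns, any stateful device between the client and HAProxy also keeps the half-open connection, so check the effect on an upstream firewall or load balancer before relying on it.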