|
|
|
@ -47,6 +47,9 @@ frontend http-in |
|
|
|
|
|
|
|
|
|
# Clearnet http (you'll have to figure out https yourself) |
|
|
|
|
bind *:80 |
|
|
|
|
# bind *:443 ssl crt /etc/haproxy/certs/haproxy.pem alpn h3,h2,http/1.1 |
|
|
|
|
# bind quic4@*:443 ssl crt /etc/haproxy/certs/haproxy.pem |
|
|
|
|
# http-response set-header alt-svc "h3=\":443\";ma=900;" |
|
|
|
|
|
|
|
|
|
# Or instead, for Tor, to use circuit IDs as "IP": |
|
|
|
|
#bind 127.0.0.1:80 accept-proxy |
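Review bot: The commented `bind *:443 ... alpn h3,h2,http/1.1` example lists `h3` on the TCP listener, but HTTP/3 is only negotiated on the QUIC listener, so the ALPN lists look swapped between the two example lines. Assuming these three commented lines are the ones the hunk adds (the line counts suggest so), I would write them as `# bind *:443 ssl crt /etc/haproxy/certs/haproxy.pem alpn h2,http/1.1` and `# bind quic4@*:443 ssl crt /etc/haproxy/certs/haproxy.pem alpn h3`. A short comment that the `alt-svc` line must only be enabled together with the QUIC bind would also stop someone from advertising an h3 endpoint that is not listening.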
|
|
|
@ -71,13 +74,13 @@ frontend http-in |
|
|
|
|
|
|
|
|
|
# ratelimit (and for tor, kill circuit) on POST bot-check. legitimate users shouldn't hit this. |
|
|
|
|
http-request track-sc0 src table bot_check_post_throttle if { path /.basedflare/bot-check } { method POST } |
|
|
|
|
http-request lua.kill-tor-circuit if { sc_http_req_rate(0) gt 1 } |
|
|
|
|
http-request tarpit if { sc_http_req_rate(0) gt 1 } |
|
|
|
|
# http-request lua.kill-tor-circuit if { sc_http_req_rate(0) gt 1 } |
|
|
|
|
# http-request tarpit if { sc_http_req_rate(0) gt 1 } |
|
|
|
|
|
|
|
|
|
# acl for lua check whitelisted IPs/subnets and some excluded paths |
|
|
|
|
acl is_excluded src,map_ip(/etc/haproxy/map/whitelist.map) -m found |
|
|
|
|
acl is_excluded src -m found -f /etc/haproxy/map/crawler-whitelist.map |
|
|
|
|
acl is_excluded path /favicon.ico /.basedflare/pow-icon #add more |
|
|
|
|
# acl is_excluded src -m found -f /etc/haproxy/map/crawler-whitelist.map |
|
|
|
|
# acl is_excluded path /favicon.ico /.basedflare/pow-icon #add more |
|
|
|
|
|
|
|
|
|
# acl ORs for when ddos_mode_enabled |
|
|
|
|
acl ddos_mode_enabled_override str("true"),map(/etc/haproxy/map/ddos_global.map) -m found |
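Review bot: With both `http-request lua.kill-tor-circuit` and `http-request tarpit` commented out, the `track-sc0 src table bot_check_post_throttle` rule still counts POSTs to `/.basedflare/bot-check`, but nothing in this hunk acts on `sc_http_req_rate(0)`, so the endpoint is effectively unthrottled. This assumes the commented pair is the new side, which the print order suggests but the page does not mark. If only the Tor circuit kill was meant to be optional, keep `http-request tarpit if { sc_http_req_rate(0) gt 1 }` active. Otherwise add a comment above the block such as `# throttle disabled by default: uncomment before exposing bot-check to untrusted clients`. The same hunk also comments out the `crawler-whitelist.map` and `/favicon.ico /.basedflare/pow-icon` exclusions, so those requests now go through the check unless excluded elsewhere; the frontend continues outside the hunk, so please confirm.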
|
|
|
@ -126,7 +129,7 @@ frontend http-in |
|
|
|
|
acl can_cache var(txn.path) -i -m end .png .jpg .jpeg .jpe .ico .webmanifest .xml .apng .bmp .webp .pjpeg .jfif .gif .mp4 .webm .mov .mkv .svg .m4a .aac .flac .mp3 .ogg .wav .opus .txt .pdf .sid |
|
|
|
|
|
|
|
|
|
# optional alt-svc header (done after cache so not set in cached responses |
|
|
|
|
http-response set-header Alt-Svc %[var(txn.xcn),map(/etc/haproxy/map/alt-svc.map)] |
|
|
|
|
# http-response set-header Alt-Svc %[var(txn.xcn),map(/etc/haproxy/map/alt-svc.map)] |
|
|
|
|
|
|
|
|
|
# header checks for no caching |
|
|
|
|
# acl auth_cookie_set res.hdr(Set-Cookie),lower -m found |
|
|
|
|