author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-13 12:18:05 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-13 12:18:05 +0000 |
commit | b46aad6df449445a9fc4aa7b32bd40005438e3f7 (patch) | |
tree | 751aa858ca01f35de800164516b298887382919d /examples/option-http_proxy.cfg | |
parent | Initial commit. (diff) | |
Adding upstream version 2.9.5. (upstream/2.9.5)
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'examples/option-http_proxy.cfg')
-rw-r--r-- | examples/option-http_proxy.cfg | 54 |
1 files changed, 54 insertions, 0 deletions
diff --git a/examples/option-http_proxy.cfg b/examples/option-http_proxy.cfg new file mode 100644 index 0000000..8b28f67 --- /dev/null +++ b/examples/option-http_proxy.cfg @@ -0,0 +1,54 @@ +# +# demo config for Proxy mode +# + +global + maxconn 20000 + ulimit-n 16384 + log 127.0.0.1 local0 + uid 200 + gid 200 + chroot /var/empty + daemon + +frontend test-proxy + bind 192.168.200.10:8080 + mode http + log global + option httplog + option dontlognull + maxconn 8000 + timeout client 30s + + # layer3: Valid users + acl allow_host src 192.168.200.150/32 + http-request deny if !allow_host + + # layer7: prevent private network relaying + acl forbidden_dst url_ip 192.168.0.0/24 + acl forbidden_dst url_ip 172.16.0.0/12 + acl forbidden_dst url_ip 10.0.0.0/8 + http-request deny if forbidden_dst + + default_backend test-proxy-srv + + +backend test-proxy-srv + mode http + timeout connect 5s + timeout server 5s + retries 2 + + # layer7: Only GET method is valid + acl valid_method method GET + http-request deny if !valid_method + + # take IP address from URL's authority + # and drop scheme+authority from URI + http-request set-dst url_ip + http-request set-dst-port url_port + http-request set-uri %[pathq] + server next-hop 0.0.0.0 + + # layer7: protect bad reply + http-response deny if { res.hdr(content-type) audio/mp3 } |
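Review bot: The forbidden_dst ACL under "layer7: prevent private network relaying" in frontend test-proxy lists 192.168.0.0/24, which covers only the first /24 of the 192.168.0.0/16 private range, so the proxy's own subnet (bind 192.168.200.10, allowed client 192.168.200.150) is not denied as a relay destination. Suggest widening that entry to `acl forbidden_dst url_ip 192.168.0.0/16` and adding loopback and link-local ranges (127.0.0.0/8, 169.254.0.0/16), because `http-request set-dst url_ip` in backend test-proxy-srv connects to whatever address the request URL carries, and the global section already sends logs to a listener on 127.0.0.1. A short comment saying that this denylist is demo-only and has to be adapted to the local addressing plan would also help anyone copying the example.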