From b46aad6df449445a9fc4aa7b32bd40005438e3f7 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Sat, 13 Apr 2024 14:18:05 +0200 Subject: Adding upstream version 2.9.5. Signed-off-by: Daniel Baumann --- examples/option-http_proxy.cfg | 54 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 54 insertions(+) create mode 100644 examples/option-http_proxy.cfg (limited to 'examples/option-http_proxy.cfg') diff --git a/examples/option-http_proxy.cfg b/examples/option-http_proxy.cfg new file mode 100644 index 0000000..8b28f67 --- /dev/null +++ b/examples/option-http_proxy.cfg @@ -0,0 +1,54 @@ +# +# demo config for Proxy mode +# + +global + maxconn 20000 + ulimit-n 16384 + log 127.0.0.1 local0 + uid 200 + gid 200 + chroot /var/empty + daemon + +frontend test-proxy + bind 192.168.200.10:8080 + mode http + log global + option httplog + option dontlognull + maxconn 8000 + timeout client 30s + + # layer3: Valid users + acl allow_host src 192.168.200.150/32 + http-request deny if !allow_host + + # layer7: prevent private network relaying + acl forbidden_dst url_ip 192.168.0.0/24 + acl forbidden_dst url_ip 172.16.0.0/12 + acl forbidden_dst url_ip 10.0.0.0/8 + http-request deny if forbidden_dst + + default_backend test-proxy-srv + + +backend test-proxy-srv + mode http + timeout connect 5s + timeout server 5s + retries 2 + + # layer7: Only GET method is valid + acl valid_method method GET + http-request deny if !valid_method + + # take IP address from URL's authority + # and drop scheme+authority from URI + http-request set-dst url_ip + http-request set-dst-port url_port + http-request set-uri %[pathq] + server next-hop 0.0.0.0 + + # layer7: protect bad reply + http-response deny if { res.hdr(content-type) audio/mp3 } -- cgit v1.2.3