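Anti-Crawler and Anti-Scanning Strategies
HAProxy can identify and block malicious crawlers, scanners, and brute-force attempts by using ACLs and analyzing request characteristics.
User-Agent Filtering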
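haproxy
frontend http_front
    bind *:80
    bind *:443 ssl crt /etc/ssl/certs/
    # Case-insensitive regex: known scanner names anywhere in the User-Agent
    acl bad_bot hdr_reg(User-Agent) -i masscan|shodan|censys|securityscan|nmap|sqlmap
    # True when the User-Agent header is absent, or present but empty
    acl missing_ua hdr_cnt(User-Agent) eq 0
    acl missing_ua hdr(User-Agent) -m len 0
    http-request deny if bad_bot
    http-request deny if missing_ua
    default_backend web_backend
Rate Limiting Against Crawlers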
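haproxy
    # Per-source-IP table holding the HTTP request rate over a 10 s window
    stick-table type ip size 100k expire 30s store http_req_rate(10s)
    # More than 10 requests in the window from one source IP
    acl too_many sc_http_req_rate(0) gt 10
    http-request track-sc0 src
    http-request deny deny_status 429 if too_many
Path Scanning Protection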
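haproxy
    acl scan_path path_reg -i \.git|\.env|\.bak|\.sql|phpmyadmin|phpinfo
    # Reads the sc0 counter, so the stick-table and track-sc0 rule must be in the same frontend
    acl scanning_rate sc_http_req_rate(0) gt 5
    http-request deny deny_status 403 if scan_path scanning_rate
Loading a Blacklist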
haproxy
    # The file lists one IP address or CIDR network per line
    acl blocked_ips src -f /etc/haproxy/blacklist.lst
    http-request deny if blocked_ips
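
The combined decision logic of the four rule sets above, as an added Python sketch (not HAProxy's or this page's own code) for dry-running sample traffic against the patterns and thresholds before deploying them. The rule order, the exact-count rate window and the exact-IP blacklist set are assumptions, and the sample requests are constructed.

```python
import re
from collections import defaultdict, deque

# Patterns taken from the page's ACLs. Python's re stands in for HAProxy's
# regex engine, which behaves the same for these plain alternations.
BAD_BOT = re.compile(r"masscan|shodan|censys|securityscan|nmap|sqlmap", re.I)
SCAN_PATH = re.compile(r"\.git|\.env|\.bak|\.sql|phpmyadmin|phpinfo", re.I)
WINDOW, RATE_LIMIT, SCAN_RATE = 10.0, 10, 5  # http_req_rate(10s), gt 10, gt 5

def evaluate(requests, blocked_ips=frozenset()):
    """Return (status, rule) per request; (200, None) reaches the backend.
    requests: time-ordered (time_s, src_ip, path, user_agent or None).
    Assumptions: rules run as track-sc0, blocked_ips, bad_bot, missing_ua,
    too_many, scan_path; blocked_ips holds exact IPs only (no CIDR); the
    rate is an exact count over WINDOW, approximating http_req_rate.
    """
    window = defaultdict(deque)  # src_ip -> request times still inside WINDOW
    verdicts = []
    for ts, src, path, ua in requests:
        times = window[src]
        times.append(ts)  # tracking comes first, so denied requests count too
        while times[0] <= ts - WINDOW:
            times.popleft()
        rate = len(times)
        if src in blocked_ips:
            verdict = (403, "blocked_ips")
        elif ua and BAD_BOT.search(ua):
            verdict = (403, "bad_bot")
        elif not ua:  # header absent (None) or empty string
            verdict = (403, "missing_ua")
        elif rate > RATE_LIMIT:
            verdict = (429, "too_many")
        elif SCAN_PATH.search(path) and rate > SCAN_RATE:
            verdict = (403, "scan_path")
        else:
            verdict = (200, None)
        verdicts.append(verdict)
    return verdicts

# Constructed sample traffic (documentation address ranges, not real clients).
UA = "Mozilla/5.0 (X11; Linux x86_64)"
SAMPLE = [(0.0, "198.51.100.7", "/", "sqlmap/1.7"),
          (0.1, "198.51.100.8", "/", None),
          (0.2, "203.0.113.5", "/.env", UA)]
SAMPLE += [(1.0 + i, "203.0.113.5", p, UA) for i, p in
           enumerate(["/a", "/b", "/c", "/d", "/.git/config"])]

if __name__ == "__main__":
    for req, verdict in zip(SAMPLE, evaluate(SAMPLE)):
        print(req[1], req[2], verdict)
```

The third sample request shows that a lone request for /.env is served, because the scan_path rule only denies once the same source also exceeds the rate threshold.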