HAProxy WordPress abuse protection


Hello !

I have already posted this on the mailing-list, but maybe it’s easier to discuss my issue here. Here’s the thing :

Hi folks !

I’m trying to follow instructions found here :

on how to protect some WordPress sites against blind and repetitive
login attempts, but I can’t seem to make it effective.

Would your mind commenting on my config to help me why it’s not working ?
It’s only the protection part that is not working : the rest of the
service is ok, and has always been. It’s just that I recently added the
recipe found on HAProxy blog, and I get no result.

My peers definition :

peers mypeers
    peer machine1.fqdn haproxy-1:1024
    peer machine2.fqdn haproxy-2:1024
    peer machine3.fqdn haproxy-3:1024

My frontend definition :

frontend wordpress-frontend
    bind X.X.X.X:80
    bind Y.Y.Y.Y:80
    mode http

    tcp-request inspect-delay 10s
    tcp-request content accept if HTTP # <==== despite what was written on the blog post, HAProxy refused to let "tcp-request" without "content" keyword. I guess this is expected.
    acl wp_login                 path_beg     -i /wp-login.php
    acl flagged_as_abuser        sc1_get_gpc0 gt 0
    stick-table type binary len 20 size 500 store gpc0 peers mypeers
    tcp-request content track-sc1  base32+src if METH_POST wp_login
    use_backend bk_login_abusers if flagged_as_abuser

    default_backend wordpress-http-backend

My backend definition :

backend wordpress-http-backend
    tcp-request inspect-delay 10s
    tcp-request content accept if HTTP
    # brute force protection
    acl wp_login                path_beg -i /wp-login.php
    stick-table type binary len 20 size 500 store http_req_rate(20s)
peers mypeers
    tcp-request content track-sc2  base32+src if METH_POST wp_login
    stick store-request base32+src            if METH_POST wp_login
    acl bruteforce_detection  sc2_http_req_rate gt 2   # <=====  adjusted to "2" to see if I got anything better. No luck.
    acl flag_bruteforce       sc1_inc_gpc0      gt 0
    http-request deny if bruteforce_detection flag_bruteforce

    balance roundrobin
    option http-server-close
    option forwardfor
    option httpchk GET /haproxy-check.php HTTP/1.1\r\nHost:\
    http-check expect string ALLOK
    http-check disable-on-404
    server web-1 web-1:80 check slowstart 5000ms
    server web-2 web-2:80 check slowstart 5000ms
    server web-3 web-3:80 check slowstart 5000ms
    server sorry-1 webfront-1:50000 check backup
    server sorry-2 webfront-2:50000 check backup

My sandbox backend :

backend bk_login_abusers
    mode http
    log global
    option httplog
    timeout tarpit 1s
    http-request tarpit
    errorfile 500 /etc/haproxy/errorfiles/wp_fake_login.http
    errorfile 503 /etc/haproxy/errorfiles/wp_fake_login.http

Finally, the contents of the stick tables :

# table: wordpress-frontend, type: binary, size:500, used:0

# table: wordpress-http-backend, type: binary, size:500, used:6
0xe71b10: key=410B34765BD290FF000000000000000000000000 use=0 exp=0 server_id=2 http_req_rate(20000)=0
0xe4abd0: key=410B3476B2891330000000000000000000000000 use=0 exp=0 server_id=1 http_req_rate(20000)=0
0xdb7e50: key=B77846E1A2F88FA1000000000000000000000000 use=0 exp=0 server_id=2 http_req_rate(20000)=0
0xe4fd00: key=BA68E942D972C985000000000000000000000000 use=0 exp=0 server_id=1 http_req_rate(20000)=0
0xdb7f00: key=C45BC90B5BC80C04000000000000000000000000 use=0 exp=0 server_id=1 http_req_rate(20000)=0
0xdb7da0: key=F58B492055EE71FC000000000000000000000000 use=0 exp=0 server_id=1 http_req_rate(20000)=0

I tested with cURL and querying a lot on the /wp-login.php address with
POST requests (more than twice per 20s, for sure), but the counters
don’t raise.

I’m open to new ideas on how to solve my case, and mistakes in my config.

Thanks !



Hi, I have the same problem, I have posted this new topic …