HAProxy and Nginx abuse and rate limiting

My brother wrote a follow-up – HAProxy abuse filtering and rate limiting – to his previous post – Nginx rate limit by user agent (control bots).  This is just a tip of the iceberg that we are working with at the office, but it’s pretty cool.

Hopefully, soon enough our Ansible playbooks will be up to date and shareable…

HAProxy SNI

HAProxy SNI” is pure gold! If you want to have a load balancer for HTTPS traffic, without managing SSL certificates on the said load balancer, there is a way to do so.

The approach is utilizing the Server Name Indication (SNI) extension to the TLS protocol.  I knew about it and I was already using it on the web server side, but it didn’t occur to me that it’ll be utilized on the load balancer.  Here’s the configuration bit:

frontend https *:443
  description Incoming traffic to port 443
  mode tcp
  tcp-request inspect-delay 5s
  tcp-request content accept if { req_ssl_hello_type 1 }
  use_backend backend-ssl-foobar if { req_ssl_sni -i foobar.com }
  use_backend backend-ssl-example if { req_ssl_sni -i example.com }
  default_backend backend-ssl-default

The above will make HAProxy listen on port 443, and then send all traffic for foobar.com to one backend, all traffic for example.com to another backend, and the rest to the third, default backend.

Docker Image Vulnerability Research

Federacy has an interesting research in Docker image vulnerabilities.  The bottom line is:

24% of latest Docker images have significant vulnerabilities

This can and should be improved, especially given the whole hierarchical structure of Docker images.  It’s not like improving security of all those random GitHub repositories.

World’s Biggest Data Breaches

Here’s an interactive collection of the world’s biggest data breaches.  It goes back to 2004, where about 92,000,000 email addresses and screen names were stolen by an AOL employee, and covers most of the major events up until and including 2016.  There are a few ways to filter the data and change the representation.

Overall, should give you a pretty good idea of how safe and secure your online data is. Oh, and how private it is too.

AbuseIO – Open Source abuse management

AbuseIO is an Open Source software for management of abuse reports.  It’s like a specialized ticketing/support system, which can automatically parse a variety of abuse notifications, file them, notify the team, and provide the tools to respond and close the incident.  In a nutshell:

 

  • 100% Free & Open Source
  • Works with IPv4 and IPv6 addresses
  • Automatically parse events into abuse tickets and add a classification
  • Integrate with existing IPAM systems
  • Set automatic (re)notifications per case or customer with configurable intervals
  • Allow abuse desks and end users to reply, close or add notes to cases
  • Link end users to a self help portal in case they need help to resolve the issue

If that sounds interesting, have a look at the Features page.  You might also want to read the blog post covering a last year’s release of AbuseIO version 4.0.

The system is written in PHP, with Laravel framework, so making changes and adding features should be quite easy.