HAProxy Enterprise Documentation 2.7r1

Shadowban

You can shadowban a client, meaning send them a webpage or resource that looks like the real one, but is actually a fake. For example, you could send a fake login page to an attacker, which will never actually allow them to log in.

Use http-request return to return an HTML file from the load balancer instead of relaying the request to the backend servers. Here, we return a fake login page:

frontend www
   acl blocked_ip src -f /etc/hapee-2.7/blocklist.acl
   http-request return content-type text/html file /srv/www/fake_login.html if { path_beg /login } blocked_ip

As another example, use http-request set-path to change the URL path that the client requested before it reaches your backend servers.

In this case, every request for an image is changed to a request for the image sad-walrus.jpg:

frontend www
   acl blocked_ip src -f /etc/hapee-2.7/blocklist.acl
   http-request set-path /images/sad-walrus.jpg if { path_end .jpg .png .gif } blocked_ip

Next up

Silent Drop