(CPU)
(Restrict by password)
(2 intermediate revisions by the same user not shown)
Línea 19: Línea 19:
 
   maxconn 8192
 
   maxconn 8192
 
   maxpipes 2048
 
   maxpipes 2048
 +
</pre>
 +
 +
== Limitar por password ==
 +
https://wiki.inetshell.mx/index.php/Python:_Generar_password_con_crypt/sha256/sha512
 +
* Crear password:
 +
<pre>
 +
python -c "import random,string,crypt;
 +
randomsalt = ''.join(random.sample(string.ascii_letters,8));
 +
print crypt.crypt('MySecretPassword', '\$6\$%s\$' % randomsalt)"
 +
</pre>
 +
 +
* HAproxy config:
 +
<pre>
 +
userlist basic-auth-list
 +
  group web-access
 +
  user admin  password $6$oxPvHRVT$8lLFpj/U828hVUcrqh6v7CQnHHtWezf4Ac6KIJJt/MLiVONs3Feb97gEYA4NMAhS7IoyeVYwr4yLtrNRk5OUn/ groups web-access
 +
 +
backend web-access
 +
acl draw-auth http_auth(basic-auth-list)
 +
http-request auth realm draw unless draw-auth
 
</pre>
 
</pre>
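Review bot: in the "Crear password" block the cleartext password is embedded in the `python -c` string, so it ends up in shell history and the process list; read it interactively with `getpass.getpass()` instead. The salt built from `random.sample(string.ascii_letters,8)` uses a non-cryptographic generator and never repeats a letter; on Python 3 versions that still ship `crypt`, `crypt.mksalt(crypt.METHOD_SHA512)` is the standard-library way to get one. The added `user admin  password $6$...` line puts a full hash on the wiki page, where a placeholder would do, and since `http-request auth` is HTTP Basic authentication, the note should say that the frontend in front of this backend has to be TLS-only.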
  

Revision as of 16:28, 14 Aug 2019

Documentation

http://cbonte.github.io/haproxy-dconv/1.8/configuration.html

Performance

CPU

https://www.haproxy.com/blog/multithreading-in-haproxy/

http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#cpu-map

https://medium.freecodecamp.org/how-we-fine-tuned-haproxy-to-achieve-2-000-000-concurrent-ssl-connections-d017e61a4d27

https://blog.onefellow.com/post/82478335338/haproxy-mapping-process-to-cpu-core-for-maximum

  • multiprocess
global
  nbproc 8
  cpu-map auto:1-8  0-7
  maxconn 8192
  maxpipes 2048

Restrict by password

https://wiki.inetshell.mx/index.php/Python:_Generar_password_con_crypt/sha256/sha512

  • Create the password:
# SHA-512 crypt ($6$) hash with a random 8-letter salt
python -c "import random,string,crypt;
randomsalt = ''.join(random.sample(string.ascii_letters,8));
print(crypt.crypt('MySecretPassword', '\$6\$%s\$' % randomsalt))"
  • HAProxy config:
userlist basic-auth-list
  group web-access
  user admin  password $6$oxPvHRVT$8lLFpj/U828hVUcrqh6v7CQnHHtWezf4Ac6KIJJt/MLiVONs3Feb97gEYA4NMAhS7IoyeVYwr4yLtrNRk5OUn/ groups web-access

backend web-access
acl draw-auth http_auth(basic-auth-list)
http-request auth realm draw unless draw-auth
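
An added example (not part of the original wiki page): a small Python audit that walks `userlist` sections like the one above and flags users stored with `insecure-password` or with a crypt scheme weaker than the `$6$` (SHA-512) form used here. The sample config, the users `legacy` and `temp`, and all secrets in it are constructed placeholders.

```python
# Audit HAProxy userlist entries for weak credential storage (added example).
SECTIONS = {"global", "defaults", "frontend", "backend", "listen",
            "userlist", "resolvers", "peers", "mailers"}
# crypt(3) scheme prefixes; a hash with no known prefix is treated as legacy DES/unknown.
SCHEMES = {"$6$": "sha512", "$5$": "sha256", "$1$": "md5"}
WEAK = {"md5", "des-or-unknown", "plaintext"}

def audit_userlist(config_text):
    """Return (userlist, user, scheme, is_weak) for every user in a userlist section."""
    findings, current = [], None
    for raw in config_text.splitlines():
        tokens = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if not tokens:
            continue
        if tokens[0] in SECTIONS:               # a section keyword ends the previous section
            in_list = tokens[0] == "userlist" and len(tokens) > 1
            current = tokens[1] if in_list else None
            continue
        if current is None or tokens[0] != "user" or len(tokens) < 4:
            continue
        name, kind, secret = tokens[1], tokens[2], tokens[3]
        if kind == "insecure-password":         # stored in clear text in the config
            scheme = "plaintext"
        elif kind == "password":
            scheme = next((s for p, s in SCHEMES.items() if secret.startswith(p)),
                          "des-or-unknown")
        else:
            continue
        findings.append((current, name, scheme, scheme in WEAK))
    return findings

# Constructed sample: same layout as the config above, with placeholder hashes.
SAMPLE = """\
userlist basic-auth-list
  group web-access
  user admin  password $6$CONSTRUCTED$placeholderSha512Hash groups web-access
  user legacy password $1$CONSTRUCTED$placeholderMd5Hash groups web-access
  user temp   insecure-password ChangeMe123 groups web-access

backend web-access
acl draw-auth http_auth(basic-auth-list)
http-request auth realm draw unless draw-auth
"""

if __name__ == "__main__":
    for userlist, user, scheme, weak in audit_userlist(SAMPLE):
        print(f"{userlist}/{user}: {scheme}{'  <-- weak' if weak else ''}")
```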

Restrict by IP (HTTP backend)

https://www.haproxy.com/blog/introduction-to-haproxy-acls/

backend server
acl allow_access src 192.168.1.0/24
http-request deny if { path -i -m beg / } ! allow_access

Restrict by IP (TCP frontend)

frontend 10000
acl network_allowed src 192.168.0.0/16 10.0.0.0/8
tcp-request connection reject if !network_allowed