From fde0651d533de941077dc1bd88d501ae748d3116 Mon Sep 17 00:00:00 2001
From: Paul Lecuq
Date: Wed, 17 Jul 2024 00:04:13 +0200
Subject: [PATCH] updated haproxy state
---
 states/haproxy/templates/haproxy.cfg.j2 | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/states/haproxy/templates/haproxy.cfg.j2 b/states/haproxy/templates/haproxy.cfg.j2
index 1b7acd4..3802982 100644
--- a/states/haproxy/templates/haproxy.cfg.j2
+++ b/states/haproxy/templates/haproxy.cfg.j2
@@ -165,6 +165,7 @@ frontend fe_http from {{ haproxy.config.namespace }}
 acl path_root path /
 acl path_info path /info
 acl path_location path /location
+ acl version_http10 req.ver 1.0
 ## Basic rules
 http-request set-var(txn.srchash) src,crc32,mod(100)
@@ -173,6 +174,10 @@ frontend fe_http from {{ haproxy.config.namespace }}
 http-request set-var(req.host) req.hdr(Host)
 http-request set-var(req.accesshash) str(),concat(,req.src,),concat(-,req.host,)
+ ## Silent drop all external requests with no host header or HTTP/1.0
+ http-request silent-drop if !domains !internal
+ http-request silent-drop if version_http10
+ ## Returns
 http-request return status 200 content-type text/plain string "User-agent: *\r\nAllow: /" if robots_txt
 http-request return status 200 content-type text/plain string "Contact: mailto:{{ haproxy.config.syscontact }}" if security_txt
@@ -215,6 +220,7 @@ frontend fe_https from {{ haproxy.config.namespace }}
 acl path_root path /
 acl path_info path /info
 acl path_location path /location
+ acl version_http10 req.ver 1.0
 ## Basic rules
 #http-request set-var(txn.random) rand,mul(5)
@@ -233,6 +239,7 @@ frontend fe_https from {{ haproxy.config.namespace }}
 ## Silent drop all external requests with no host header
 http-request silent-drop if !domains !internal
+ http-request silent-drop if version_http10
 ## DDoS
 http-request deny deny_status 429 if max_req_rate !internal
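Review bot: The added `http-request silent-drop if version_http10` in fe_http has no `!internal` condition, although the comment above it says only external requests are dropped; the same unconditional rule is added to fe_https in the last hunk. Internal health checks, monitoring probes or upstream proxies that still speak HTTP/1.0 would hang until their own timeout, which is hard to diagnose because silent-drop sends nothing back. If internal traffic is meant to be exempt, as it is for the missing-Host rule, write `http-request silent-drop if version_http10 !internal` in both frontends. The hunk does not show where `domains` and `internal` are defined for fe_http, so confirm both ACLs exist in that frontend before this rule ships.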
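Review bot: The comment `## Silent drop all external requests with no host header` in fe_https was not updated for the HTTP/1.0 rule added under it, unlike the matching comment in fe_http; suggest `## Silent drop all external requests with no host header or HTTP/1.0`. A one-line why-comment would also help here, noting that silent-drop leaves the connection looking established to any stateful firewall, NAT or load balancer in front of HAProxy. If such devices exist in this deployment (not visible from the hunk), they would hold state for every dropped HTTP/1.0 client, so the rule's volume is worth watching in the logs after rollout.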