mirror/haproxy
1
0
Fork 0
mirror of http://git.haproxy.org/git/haproxy.git synced 2026-02-10 14:02:33 +02:00
Code Issues Packages Projects Releases Wiki Activity
22,386 Commits 22 Branches 408 Tags
45f40bac4cd256935d3157cd03f9434609d7a36a
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
Amaury Denoyelle 45f40bac4c MEDIUM: config: prevent communication with privileged ports 
This commit introduces a new global setting named
harden.reject_privileged_ports.{tcp|quic}. When active, communications
with clients which use privileged source ports are forbidden. Such
behavior is considered suspicious as it can be used as spoofing or
DNS/NTP amplication attack.

Value is configured per transport protocol. For each TCP and QUIC
distinct code locations are impacted by this setting. The first one is
in sock_accept_conn() which acts as a filter for all TCP based
communications just after accept() returns a new connection. The second
one is dedicated for QUIC communication in quic_recv(). In both cases,
if a privileged source port is used and setting is disabled, received
message is silently dropped.

By default, protection are disabled for both protocols. This is to be
able to backport it without breaking changes on stable release.

This should be backported as it is an interesting security feature yet
relatively simple to implement.
2024-05-24 14:36:31 +02:00
.github
addons
admin
dev
doc
examples
include
MEDIUM: config: prevent communication with privileged ports
2024-05-24 14:36:31 +02:00
reg-tests
scripts
src
tests
.cirrus.yml
.gitattributes
.gitignore
.mailmap
.travis.yml
BRANCHES
BSDmakefile
CHANGELOG
CONTRIBUTING
INSTALL
LICENSE
MAINTAINERS
Makefile
README
SUBVERS
VERDATE
VERSION

README 

The HAProxy documentation has been split into a number of different files for
ease of use.

Please refer to the following files depending on what you're looking for :

  - INSTALL for instructions on how to build and install HAProxy
  - BRANCHES to understand the project's life cycle and what version to use
  - LICENSE for the project's license
  - CONTRIBUTING for the process to follow to submit contributions

The more detailed documentation is located into the doc/ directory :

  - doc/intro.txt for a quick introduction on HAProxy
  - doc/configuration.txt for the configuration's reference manual
  - doc/lua.txt for the Lua's reference manual
  - doc/SPOE.txt for how to use the SPOE engine
  - doc/network-namespaces.txt for how to use network namespaces under Linux
  - doc/management.txt for the management guide
  - doc/regression-testing.txt for how to use the regression testing suite
  - doc/peers.txt for the peers protocol reference
  - doc/coding-style.txt for how to adopt HAProxy's coding style
  - doc/internals for developer-specific documentation (not all up to date)
Reference in New Issue View Git Blame Copy Permalink
Description
haproxy public development tree. Unstable code.
cachecachingddos-mitigationfastcgihaproxyhigh-availabilityhigh-performancehttphttp2httpsipv6load-balancerproxyproxy-protocolreverse-proxytls13
Readme 248 MiB
Languages
C 98%
Shell 0.9%
Makefile 0.5%
Lua 0.2%
Python 0.2%