HAProxy bot protection config
HAProxy Bot Protection
HAProxy config for bot protection on a public proxy server. Blocks scrapers, scanners, flood attacks, and unwanted traffic at the edge before it reaches your backend.
Layers
- Domain guard (404 if hostname doesn't match)
- Connection rate limiting (50 conn/10s)
- HTTP request rate limiting (100 req/10s)
- Error rate scanner detection (20+ 4xx/1m)
- User-Agent blocklist (90+ known bad agents)
- Live IP blacklist (Spamhaus, Firehol, Blocklist.de)
- GeoIP country blocking (via MaxMind + Lua)
- CONNECT flood protection
- Proxy authentication
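The three rate-based layers above can share one stick table keyed by client IP. The following is an added example, not the repository's haproxy.cfg; the section names (fe_example, be_app), bind port, backend address, table size and expiry, and the 429/403 status codes are assumptions, while the thresholds are the ones listed above.

```haproxy
# Added example, not the repository's haproxy.cfg.
# Assumed: fe_example, be_app, bind port, backend address,
# table size/expiry, and the 429/403 status codes.
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend fe_example
    bind :8080

    # One table keyed by client IP holds all three counters.
    # "type ipv6" also stores IPv4 sources.
    stick-table type ipv6 size 1m expire 10m store conn_rate(10s),http_req_rate(10s),http_err_rate(1m)

    # Track at connection time so conn_rate is updated before HTTP parsing.
    tcp-request connection track-sc0 src

    # Connection rate limiting: more than 50 connections in 10s.
    tcp-request connection reject if { sc_conn_rate(0) gt 50 }

    # HTTP request rate limiting: more than 100 requests in 10s.
    http-request deny deny_status 429 if { sc_http_req_rate(0) gt 100 }

    # Error-rate scanner detection: 20 or more 4xx errors in 1m.
    http-request deny deny_status 403 if { sc_http_err_rate(0) ge 20 }

    default_backend be_app

backend be_app
    server app1 127.0.0.1:8000
```

Rule order matters here: the connection-level reject runs before any request is parsed, so a flooding source is dropped without HAProxy spending time on its HTTP traffic.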
Files
- haproxy.cfg - Main HAProxy config (forward + reverse proxy)
- bot-protection.lua - GeoIP lookup script for HAProxy Community
- lists/bad-user-agents.lst - Known bad User-Agents
- country-block.map - Country codes to block
- scripts/update-blacklists.sh - Daily IP blacklist updater
- scripts/update-geoip.sh - MaxMind GeoIP database downloader
- setup.sh - Full setup script
Requirements
- HAProxy 2.x+ with Lua support
- lua-maxminddb (for GeoIP)
- Free MaxMind account for GeoLite2 databases
Quick start
apt install lua-maxminddb
./scripts/update-geoip.sh YOUR_MAXMIND_KEY
./scripts/update-blacklists.sh
haproxy -c -f /etc/haproxy/haproxy.cfg
systemctl reload haproxy
ASN blocking
On the backlog. Will use nftables raw table sets for firewall-level ASN blocking.
License
DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE Version 2, December 2004
Copyright (C) 2026 Lele
Everyone is permitted to copy and distribute verbatim or modified copies of this license document, and changing it is allowed as long as the name is changed.
DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
- You just DO WHAT THE FUCK YOU WANT TO.