Software development
Artificial Intelligence
Cloud
View all courses
Learn
Connect
Blog
Resource hub
Featured resource
2025 Tech Upskilling Playbook
Tech Upskilling Playbook

Build future-ready tech teams and hit key business milestones with seven proven plays from industry leaders.

Check it out
  • Lab
    • Libraries: If you want this lab, consider one of these libraries.
    • Cloud
Google Cloud Platform icon
Labs

Protecting an HTTP Service Using HAProxy

One common attack vector is our websites or web-based applications. HAProxy can help us fend off HTTP floods, Slowloris attacks, and more. In this lab, we’re going to get hands-on with HAProxy, using it to protect our HTTP connections. We’re going to secure our HTTP connections against HTTP floods, and block `curl` agents and clients by IP address. Upon completion of the lab, you will be able to configure an HAProxy installation to protect HTTP-based services.

Get started Contact sales
Google Cloud Platform icon
Lab platform
Lab Info
Level
Intermediate
Last updated
Sep 19, 2025
Duration
1h 0m

Contact sales

By filling out this form and clicking submit, you acknowledge our privacy policy.
Table of Contents

  1. Challenge

    Protect an HTTP Service with HAProxy
    Running Basic HAProxy Server Tests

    First, we need to add 2 entries to the /etc/hosts file on each of our client machines. We need these to point to the private IP address of the HAProxy server:

    <HAPROXY SERVER PRIVATE IP>    www.site1.com
<HAPROXY SERVER PRIVATE IP>    www.site2.com

    Before we get started with protecting our sites with HAProxy, let's take a look at what a stock HAProxy configuration looks like when presented with a large number of requests.

    1. Open the web browser and connect to port 8050 on our public IP/DNS.

    2. Get the stats information for our HAProxy installation.

    3. Use ApacheBench (ab) to send a total of 100000 requests, with 100 concurrent requests to both www.site1.com and www.site2.com using https on each of our server instances.

      Checking our stats web interface, we can see the traffic coming in from both local instances of ApacheBench.

    Defending Against HTTP Flood Attacks

    We can set request rate limits to block a single agent by tracking the number or rate of requests from a single client using a stick-table.

    1. Edit the /etc/haproxy/haproxy.cfg file:
      • Add a new backend to put our stick-table in.
        • Create a sitck-table to track connections:
          • type ip
          • size 1m
          • expire 10m
          • http_req_rate(10s)
      • Add a line to our frontend block to feed the connection data to the per_ip_rates backend.
      • After the line you just added to your frontend, add a line to start denying requests with an HTTP 429 Too Many Requests response when the counters in the stick-table are over 10 requests per second.
      • Add a line to deny requests with an HTTP 500 Internal Server Error response for agents reporting as curl.
      • Add a line to deny requests with an HTTP 503 Service Unavailable response for agents in the /etc/haproxy/blocked.acl file.
    2. Modify the /etc/haproxy/blocked.acl file.
      • Add a line with the private IP address of the Client 2 host.

  2. Challenge

    Test HTTP Attack Protection

    Before we see what the effects of our changes are, let's reset our stats and restart our ApacheBench instances.

    1. Kill ApacheBench on all 3 hosts.
    2. Restart the haproxy service.

    Test Blocking Requests Based On Rate Limits

    1. To test our blocking requests, generate a new batch of traffic on the Client 1 instance only. Use ApacheBench (ab) to send a total of 100000 requests, with 100 concurrent requests to both www.site1.com and www.site2.com using https.
    2. Check the stats web interface again and see the effects of our changes.

    Test Blocking Requests Using ACLs

    We had blocked the curl agent and all requests from the Client 2 instance. Let's check our work!

    1. Try using curl on the HAProxy host to load our sites.
    2. Try using wget on the HAProxy host to load our sites.
    3. Try using wget on the Client 1 host to load our sites.
    4. Try using wget on the Client 2 host to load our sites.
About the author
Pluralsight Skills - Labs - Pluralsight
Pluralsight Skills

Pluralsight Skills gives leaders confidence they have the skills needed to execute technology strategy. Technology teams can benchmark expertise across roles, speed up release cycles and build reliable, secure products. By leveraging our expert content, skill assessments and one-of-a-kind analytics, keep up with the pace of change, put the right people on the right projects and boost productivity. It's the most effective path to developing tech skills at scale.

Real skill practice before real-world application

Hands-on Labs are real environments created by industry experts to help you learn. These environments help you gain knowledge and experience, practice without compromising your system, test without risk, destroy without fear, and let you learn from your mistakes. Hands-on Labs: practice your skills before delivering in the real world.

Learn by doing

Engage hands-on with the tools and technologies you’re learning. You pick the skill, we provide the credentials and environment.

Follow your guide

All labs have detailed instructions and objectives, guiding you through the learning process and ensuring you understand every step.

Turn time into mastery

On average, you retain 75% more of your learning if you take time to practice. Hands-on labs set you up for success to make those skills stick.

Get started with Pluralsight

View individual plans View team plans