http-request deny deny_status 405 if { url_sub -i "\$\{jndi:" or hdr_sub(user-agent) -i "\$\{jndi:" }
was not catching the bad traffic.  I think the escapes were causing issues
in the matching.

The following did work:
    http-request deny deny_status 405 if { url_sub -i -f /etc/haproxy/bad_header.lst }
    http-request deny deny_status 405 if { hdr_sub(user-agent) -i -f /etc/haproxy/bad_header.lst }
and in bad_header.lst
${jndi:

That said, this is still incomplete as it is only checking some headers,
and I am sure some incoming bad data will be from POST data which is more
difficult to intercept with haproxy...

(and the request is still logged by haproxy, so if you feed your haproxy
log to log4j it will not help against that...)

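An added example, not part of the original message: the same pattern-file rule widened from the URL and User-Agent to every request header and the buffered request body, which are the gaps the message points out. The frontend, backend, bind address and timeouts are assumptions; the pattern file path and the 405 status are the ones used in the message.

```haproxy
# Added example configuration (not from the original message).
defaults
    mode http
    timeout connect 5s        # assumed values
    timeout client  30s
    timeout server  30s

frontend fe_web               # assumed name
    bind :80                  # assumed listener

    # Wait for the request body before evaluating http-request rules so that
    # req.body is populated. Only the part of the body that fits in one
    # buffer (tune.bufsize) is visible, so large POSTs are only partly checked.
    option http-buffer-request

    # /etc/haproxy/bad_header.lst contains a single line:  ${jndi:
    # Patterns loaded with -f are read from the file one per line and do not
    # pass through the configuration parser's quoting, so nothing is escaped.

    # Same-named ACL lines are ORed together.
    # 1. URL as received (the rule from the message).
    acl bad_str url_sub -i -f /etc/haproxy/bad_header.lst
    # 2. URL after percent-decoding.
    acl bad_str url,url_dec -m sub -i -f /etc/haproxy/bad_header.lst
    # 3. The whole header block, instead of User-Agent only.
    acl bad_str req.hdrs -m sub -i -f /etc/haproxy/bad_header.lst
    # 4. The buffered request body (POST data), percent-decoded.
    acl bad_str req.body,url_dec -m sub -i -f /etc/haproxy/bad_header.lst

    http-request deny deny_status 405 if bad_str

    default_backend be_app

backend be_app                # assumed name and address
    server app1 127.0.0.1:8080
```

The configuration can be syntax-checked with `haproxy -c -f <file>` before reloading. As the message notes, a denied request is still written to the haproxy log, so this does nothing for whatever consumes that log.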