A custom DNS security solution with HAProxy integration for bot detection and IP blacklisting built with Laravel.
- Bot Detection: Analyze requests for bot signatures using user-agent patterns, behavior analysis, and fingerprinting
- IP Blacklisting: Automatic and manual IP blocking with expiration support
- IP Whitelisting: Protect trusted IPs from being blocked
- HAProxy Integration: Sync blocked/whitelisted IPs to HAProxy for edge-level blocking
- Rate Limiting: Configurable rate limits per IP
- Request Logging: Log all requests with threat scores for analysis
- Threat Intelligence: Optional integration with AbuseIPDB and IPInfo
- Admin API: RESTful API for managing all security features
┌─────────────────────────────────────┐
│ HAProxy │
│ - Rate limiting (stick-table) │
│ - IP blacklist/whitelist │
│ - Basic bot detection (UA) │
└──────────────┬──────────────────────┘
│
┌──────────────▼──────────────────────┐
│ Laravel API │
│ ┌────────────────────────────────┐ │
│ │ DnsSecurityMiddleware │ │
│ │ - Deep bot analysis │ │
│ │ - Behavior detection │ │
│ │ - Fingerprinting │ │
│ │ - Auto-blocking │ │
│ └────────────────────────────────┘ │
│ │
│ ┌────────────────────────────────┐ │
│ │ Services │ │
│ │ - BotDetectionService │ │
│ │ - HaproxyService │ │
│ │ - ThreatIntelligenceService │ │
│ └────────────────────────────────┘ │
└──────────────┬──────────────────────┘
│
┌──────────────▼──────────────────────┐
│ Database │
│ - users │
│ - blocked_ips │
│ - whitelist_ips │
│ - request_logs │
│ - bot_signatures │
└─────────────────────────────────────┘
- Clone the repository and install dependencies:
composer install- Copy environment file and configure:
cp .env.example .env
php artisan key:generate-
Configure your database in
.env -
Run migrations and seeders:
php artisan migrate
php artisan db:seed- Copy HAProxy configuration:
sudo cp config/haproxy/haproxy.cfg /etc/haproxy/haproxy.cfg
sudo cp config/haproxy/blacklist.txt /etc/haproxy/blacklist.txt
sudo cp config/haproxy/whitelist.txt /etc/haproxy/whitelist.txt- Set up the scheduler in crontab:
* * * * * cd /path-to-project && php artisan schedule:run >> /dev/null 2>&1All endpoints (except /api/health and /api/security/haproxy-check) require an API token:
Authorization: Bearer your-api-token
# or
X-API-Token: your-api-token| Method | Endpoint | Description |
|---|---|---|
| GET | /api/blocked-ips |
List all blocked IPs |
| POST | /api/blocked-ips |
Block an IP |
| GET | /api/blocked-ips/{id} |
Get blocked IP details |
| PUT | /api/blocked-ips/{id} |
Update blocked IP |
| DELETE | /api/blocked-ips/{id} |
Unblock an IP |
| POST | /api/blocked-ips/unblock |
Unblock by IP address |
| POST | /api/blocked-ips/bulk |
Bulk block IPs |
| POST | /api/blocked-ips/sync-haproxy |
Sync to HAProxy |
| GET | /api/blocked-ips/stats |
Get blocking statistics |
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/whitelist-ips |
List whitelisted IPs |
| POST | /api/whitelist-ips |
Add IP to whitelist |
| DELETE | /api/whitelist-ips/{id} |
Remove from whitelist |
| POST | /api/whitelist-ips/sync-haproxy |
Sync to HAProxy |
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/request-logs |
List request logs |
| GET | /api/request-logs/{id} |
Get log details |
| GET | /api/request-logs/stats |
Get traffic statistics |
| POST | /api/request-logs/ip-analysis |
Analyze specific IP |
| DELETE | /api/request-logs/cleanup |
Clean old logs (admin) |
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/bot-signatures |
List signatures |
| POST | /api/bot-signatures |
Create signature |
| PUT | /api/bot-signatures/{id} |
Update signature |
| DELETE | /api/bot-signatures/{id} |
Delete signature |
| POST | /api/bot-signatures/test |
Test pattern |
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/security/check-ip |
Check IP status |
| GET | /api/security/analyze |
Analyze current request |
| GET | /api/security/haproxy-check |
HAProxy integration endpoint |
| GET | /api/health |
Health check |
curl -X POST http://localhost/api/blocked-ips \
-H "Authorization: Bearer your-token" \
-H "Content-Type: application/json" \
-d '{
"ip_address": "192.168.1.100",
"block_type": "permanent",
"reason": "Malicious activity detected"
}'curl -X GET "http://localhost/api/security/check-ip?ip=192.168.1.100" \
-H "Authorization: Bearer your-token"curl -X GET "http://localhost/api/request-logs/stats?minutes=60" \
-H "Authorization: Bearer your-token"curl -X POST http://localhost/api/blocked-ips/bulk \
-H "Authorization: Bearer your-token" \
-H "Content-Type: application/json" \
-d '{
"ip_addresses": ["1.2.3.4", "5.6.7.8"],
"block_type": "temporary",
"reason": "Bulk attack detected",
"expires_at": "2024-12-31 23:59:59"
}'# Sync blocked/whitelisted IPs to HAProxy
php artisan dns:sync-haproxy
php artisan dns:sync-haproxy --blacklist --reload
# Clean up expired blocks
php artisan dns:cleanup-expired --sync
# Analyze suspicious IPs
php artisan dns:analyze-suspicious --minutes=60 --threshold=70 --auto-block --sync
# Clean old logs
php artisan dns:cleanup-logs --days=30The system analyzes requests based on:
-
User-Agent Analysis
- Known bot patterns
- Empty user-agent
- Suspicious strings
-
Rate Limiting
- Requests per minute
- Requests per hour
-
Behavior Analysis
- Sequential crawling patterns
- Request interval timing
- Accessing sensitive endpoints
-
Header Analysis
- Missing standard headers
- Suspicious header values
-
Fingerprinting
- Browser fingerprint matching
- Multiple IPs with same fingerprint
Each check adds to the threat score:
| Check | Score |
|---|---|
| Empty user-agent | 30 |
| Suspicious user-agent | 40 |
| Rate limit exceeded | 50 |
| Fast request interval | 40 |
| Sequential crawling | 25 |
| Missing headers | 10-15 each |
| Sensitive endpoint | 10 |
When the combined score exceeds the threshold (default: 70), the IP is automatically blocked.
Key configuration options in config/dns_security.php:
'block_threshold' => 70, // Score to trigger blocking
'auto_block_duration' => 60, // Minutes for auto-blocks
'rate_limits' => [
'per_minute' => 60,
'per_hour' => 1000,
],After running seeders:
- Admin:
admin@robattv.com/ Token:robattv-admin-token - Operator:
operator@robattv.com/ Token:robattv-operator-token
Important: Change these in production!
MIT License - RobatTV