# Domains & Upstream

Each hostname served by InfraGuard has a corresponding `domains.<hostname>` block that defines where legitimate traffic is proxied and how the domain behaves.
## Schema

```yaml
domains:
  cdn.example.com:
    upstream: "${CS_UPSTREAM}"             # backend URL
    profile_path: "profiles/my.profile"    # optional: C2/phishing profile file
    profile_type: "cobalt_strike"          # profile parser to use
    drop_action:
      type: "redirect"                     # redirect | proxy | static | 404
      target: "https://jquery.com"
    allowed_paths:                         # optional: restrict to these paths only
      - "/jquery-3.7.1.min.js"
      - "/cdn-cgi/*"
      - "~^/[a-z]{8}$"                     # regex (prefix with ~)
    content_routes: []                     # payload delivery routes (see Payload Delivery)
```

## profile_type Values
| Value | Parser | Profile file required |
|---|---|---|
| `cobalt_strike` | Malleable C2 | Yes — `.profile` |
| `mythic` | Mythic HTTPX | Yes — `.json` |
| `brute_ratel` | BRC4 config JSON | Yes — `.json` |
| `sliver` | Sliver HTTP config | Yes — `.yaml` |
| `havoc` | Havoc listener YAML | Yes — `.yaml` |
| `nighthawk` | Nighthawk listener JSON | Yes — `.json` |
| `poshc2` | PoshC2 config YAML | Yes — `.yaml` |
| `gophish` | Built-in GoPhish patterns | No |
| `evilginx` | Optional phishlet YAML | Optional |
| `cuddlephish` | Built-in OAuth patterns | No |
| `phishing_club` | Built-in passthrough | No |
| `passthrough` | No profile filtering | No |
## drop_action Types

| Type | Behavior |
|---|---|
| `redirect` | HTTP 302 to `target` URL |
| `proxy` | Silently proxy to `target` (mimics the cover site) |
| `static` | Serve a static HTML file at `target` path |
| `404` | Return 404 with no body |
## Path Restriction with allowed_paths

When `allowed_paths` is set, requests to any path not matched are treated as if they failed filtering (`score += drop_score`). This prevents enumeration of backend paths.

```yaml
allowed_paths:
  - "/track/*"                 # glob: matches /track/abc, /track/abc/def
  - "/submit"                  # exact match
  - "~^/t/[a-f0-9]{16}$"       # regex (prefix with ~): 16-char hex ID
```

Patterns are evaluated in order; first match wins.
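To check which requests a rule set admits and which it drops, here is an added example (not InfraGuard's own code) that evaluates the three `allowed_paths` pattern kinds with first-match-wins semantics. The glob behaviour (`*` spanning `/`) and the use of `~` regexes exactly as written are assumptions read off the examples above.

```python
import re
from typing import List, Optional

# Constructed rule set mirroring the allowed_paths block above.
# Order matters: the first pattern that matches decides.
ALLOWED_PATHS = [
    "/track/*",              # glob
    "/submit",               # exact match
    "~^/t/[a-f0-9]{16}$",    # regex (prefix with ~)
]


def compile_pattern(pattern: str) -> "re.Pattern[str]":
    """Translate one allowed_paths entry into a compiled regex.

    Assumed semantics, taken from the page's examples:
      - "~..."  : the remainder is a regular expression used as written
                  (anchor it yourself, as the examples do)
      - "*"     : in a glob entry matches any run of characters,
                  including "/", so "/track/*" admits "/track/abc/def"
      - otherwise the entry must equal the request path exactly
    """
    if pattern.startswith("~"):
        return re.compile(pattern[1:])
    if "*" in pattern:
        parts = [re.escape(p) for p in pattern.split("*")]
        return re.compile("^" + ".*".join(parts) + "$")
    return re.compile("^" + re.escape(pattern) + "$")


def match_allowed_path(path: str, patterns: List[str] = ALLOWED_PATHS) -> Optional[str]:
    """Return the first pattern that admits `path`, or None.

    None means the request is treated as having failed filtering
    (score += drop_score) and is handled by drop_action, never the upstream.
    """
    path = path.split("?", 1)[0]   # only the path component is compared
    for pattern in patterns:
        if compile_pattern(pattern).search(path):
            return pattern
    return None


if __name__ == "__main__":
    for p in ["/track/abc/def", "/submit", "/submit/extra", "/t/0123456789abcdef", "/admin"]:
        print(f"{p:25} -> {match_allowed_path(p)}")
```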
## campaign_token (Phishing Domains)

Gate phishing pages behind a per-campaign token embedded in email links:

```yaml
campaign_token:
  enabled: true
  token_param: "t"                  # ?t=<token> in the email link
  tokens:
    - "${CAMPAIGN_TOKEN_Q1}"
    - "${CAMPAIGN_TOKEN_Q2}"
  # HMAC alternative — rotate token without config change:
  # hmac_secret: "${CAMPAIGN_HMAC_SECRET}"
  # hmac_ttl_seconds: 604800
  score_on_missing: 0.8             # score added when ?t= is absent
```

Analysts who discover the URL via CT logs or threat feeds cannot load the page without the token.