|
|
|
@ -56,11 +56,11 @@ frontend http-in |
|
|
|
|
#option forwardfor |
|
|
|
|
|
|
|
|
|
# optional geoip handling (maps required) and alt-svc header addition |
|
|
|
|
# http-request set-var(req.xcc) src,map_ip(/etc/haproxy/map/geoip.map) |
|
|
|
|
http-request set-var(req.xcc) src,map_ip(/etc/haproxy/map/geoip.map) |
|
|
|
|
http-request set-var(req.asn) src,map_ip(/etc/haproxy/map/iptoasn.map) |
|
|
|
|
# http-request set-var(txn.xcn) var(req.xcc),map(/etc/haproxy/map/cctocn.map) |
|
|
|
|
# http-request set-header X-Country-Code %[var(req.xcc)] |
|
|
|
|
# http-request set-header X-Continent-Code %[var(txn.xcn)] |
|
|
|
|
http-request set-var(txn.xcn) var(req.xcc),map(/etc/haproxy/map/cctocn.map) |
|
|
|
|
http-request set-header X-Country-Code %[var(req.xcc)] |
|
|
|
|
http-request set-header X-Continent-Code %[var(txn.xcn)] |
|
|
|
|
http-request set-header X-ASN %[var(req.asn)] |
|
|
|
|
|
|
|
|
|
# drop requests with invalid host header |
|
|
|
@ -70,14 +70,18 @@ frontend http-in |
|
|
|
|
# debug information at /.basedflare/cgi/trace |
|
|
|
|
http-request return status 200 content-type "text/plain; charset=utf-8" lf-file /etc/haproxy/template/trace.txt if { path /.basedflare/cgi/trace } |
|
|
|
|
|
|
|
|
|
# acl for blocked IPs/subnets/ASN |
|
|
|
|
# acl for blocked IPs/subnets/ASN/country |
|
|
|
|
http-request lua.set-lang-json |
|
|
|
|
acl found_in_blockedip_map src,map_ip(/etc/haproxy/map/blockedip.map) -m found |
|
|
|
|
acl found_in_blockedasn_map var(req.asn),map(/etc/haproxy/map/blockedasn.map) -m found |
|
|
|
|
acl blocked_ip_or_subnet_or_asn var(txn.blocked_ip_or_subnet_or_asn) -m bool |
|
|
|
|
http-request lua.set-ip-var blockedip txn.blocked_ip_or_subnet_or_asn ip if found_in_blockedip_map |
|
|
|
|
http-request lua.set-ip-var blockedasn txn.blocked_ip_or_subnet_or_asn asn if found_in_blockedasn_map |
|
|
|
|
http-request deny deny_status 403 if blocked_ip_or_subnet_or_asn |
|
|
|
|
acl found_in_blockedcc_map var(req.xcc),map(/etc/haproxy/map/blockedcc.map) -m found |
|
|
|
|
acl found_in_blockedcn_map var(txn.xcn),map(/etc/haproxy/map/blockedcn.map) -m found |
|
|
|
|
acl blocked_bool var(txn.blocked_bool) -m bool |
|
|
|
|
http-request lua.set-ip-var blockedip txn.blocked_bool ip if found_in_blockedip_map |
|
|
|
|
http-request lua.set-ip-var blockedasn txn.blocked_bool asn if found_in_blockedasn_map |
|
|
|
|
http-request lua.set-ip-var blockedcc txn.blocked_bool cc if found_in_blockedcc_map |
|
|
|
|
http-request lua.set-ip-var blockedcn txn.blocked_bool cn if found_in_blockedcn_map |
|
|
|
|
http-request deny deny_status 403 if blocked_bool |
|
|
|
|
|
|
|
|
|
# ratelimit (and for tor, kill circuit) on POST bot-check. legitimate users shouldn't hit this. |
|
|
|
|
http-request track-sc0 src table bot_check_post_throttle if { path /.basedflare/bot-check } { method POST } |
|
|
|
|