@ -44,6 +44,12 @@ frontend http-in
#bind 127.0.0.1:80 accept-proxy
#option forwardfor
# optional geoip handling (maps required) and alt-svc header addition
# http-request set-var(req.xcc) src,map_ip(/etc/haproxy/map/geoip.map)
# http-request set-var(txn.xcn) var(req.xcc),map(/etc/haproxy/map/cctocn.map)
# http-request set-header X-Country-Code %[var(req.xcc)]
# http-request set-header X-Continent-Code %[var(txn.xcn)]
# drop requests with invalid host header
acl is_existing_vhost hdr(host),lower,map_str(/etc/haproxy/map/hosts.map) -m found
http-request silent-drop unless is_existing_vhost
@ -70,17 +76,20 @@ frontend http-in
acl ddos_mode_enabled base,map(/etc/haproxy/map/ddos.map) -m bool
# serve challenge page scripts directly from haproxy
http-request return file /etc/haproxy/js/auto.min.js status 200 content-type "application/javascript; charset = utf-8" hdr "cache-control" "public, max-age=36 00" if { path /.basedflare/js/auto.min.js }
http-request return file /etc/haproxy/js/argon2.min.js status 200 content-type "application/javascript; charset = utf-8" hdr "cache-control" "public, max-age=36 00" if { path /.basedflare/js/argon2.min.js }
http-request return file /etc/haproxy/js/challenge.min.js status 200 content-type "application/javascript; charset = utf-8" hdr "cache-control" "public, max-age=36 00" if { path /.basedflare/js/challenge.min.js }
http-request return file /etc/haproxy/js/worker.min.js status 200 content-type "application/javascript; charset = utf-8" hdr "cache-control" "public, max-age=36 00" if { path /.basedflare/js/worker.min.js }
http-request return file /etc/haproxy/js/auto.min.js status 200 content-type "application/javascript; charset = utf-8" hdr "cache-control" "public, max-age=864 00" if { path /.basedflare/js/auto.min.js }
http-request return file /etc/haproxy/js/argon2.min.js status 200 content-type "application/javascript; charset = utf-8" hdr "cache-control" "public, max-age=864 00" if { path /.basedflare/js/argon2.min.js }
http-request return file /etc/haproxy/js/challenge.min.js status 200 content-type "application/javascript; charset = utf-8" hdr "cache-control" "public, max-age=864 00" if { path /.basedflare/js/challenge.min.js }
http-request return file /etc/haproxy/js/worker.min.js status 200 content-type "application/javascript; charset = utf-8" hdr "cache-control" "public, max-age=864 00" if { path /.basedflare/js/worker.min.js }
# acl for domains in maintenance mode to return maintenance page (after challenge page htp-request return rules, for the footerlogo)
acl maintenance_mode hdr(host),lower,map_str(/etc/haproxy/map/maintenance.map) -m found
http-request return lf-file /etc/haproxy/template/maintenance.html status 200 content-type "text/html; charset = utf-8" hdr "cache-control" "private, max-age=30" if maintenance_mode
# map if you want a domain to be a redirect from the edge (302 for now)
http-request redirect location https://%[hdr(host),map(/etc/haproxy/map/rewrite.map)]%[capture.req.uri] code 302 if { hdr(host),map(/etc/haproxy/map/rewrite.map) -i -m found }
# rewrite specific domain+path to domain or domain+path
http-request redirect location https://%[base,map(/etc/haproxy/map/rewrite.map)] code 302 if { base,map(/etc/haproxy/map/rewrite.map) -i -m found }
# redirect domain to domain or domain+path
http-request redirect location https://%[hdr(host),map(/etc/haproxy/map/redirect.map)] code 302 if { hdr(host),map(/etc/haproxy/map/redirect.map) -i -m found }
# create acl for bools updated by lua
acl captcha_passed var(txn.captcha_passed) -m bool
@ -108,6 +117,9 @@ frontend http-in
http-request cache-use basic_cache if can_cache
http-response cache-store basic_cache if can_cache
# optional alt-svc header (done after cache so not set in cached responses
http-response set-header Alt-Svc %[var(txn.xcn),map(/etc/haproxy/map/alt-svc.map)]
default_backend servers
cache basic_cache
@ -117,11 +129,11 @@ cache basic_cache
backend servers
balance leastconn
# optional (recommended) ssl, requires CA cert installed on proxy and signeed cert on backends, you can also use "ssl verify none" but ssl can then be trivially mitm'd
# default-server ssl verify required ca-file ca-certificates.crt sni req.hdr(Host)
# use server based on hostname
# old method, only supports single backend per host/domain
#use-server %[req.hdr(host),lower,map(/etc/haproxy/map/backends.map)] if TRUE
# use multiple servers with lua
# new method, load balance to multiple servers with lua
use-server %[lua.get_server_names] if TRUE
backend bot_check_post_throttle