|
|
|
@ -57,9 +57,11 @@ frontend http-in |
|
|
|
|
|
|
|
|
|
# optional geoip handling (maps required) and alt-svc header addition |
|
|
|
|
# http-request set-var(req.xcc) src,map_ip(/etc/haproxy/map/geoip.map) |
|
|
|
|
http-request set-var(req.asn) src,map_ip(/etc/haproxy/map/iptoasn.map) |
|
|
|
|
# http-request set-var(txn.xcn) var(req.xcc),map(/etc/haproxy/map/cctocn.map) |
|
|
|
|
# http-request set-header X-Country-Code %[var(req.xcc)] |
|
|
|
|
# http-request set-header X-Continent-Code %[var(txn.xcn)] |
|
|
|
|
http-request set-header X-ASN %[var(req.asn)] |
|
|
|
|
|
|
|
|
|
# drop requests with invalid host header |
|
|
|
|
acl is_existing_vhost hdr(host),lower,map_str(/etc/haproxy/map/hosts.map) -m found |
|
|
|
@ -68,11 +70,14 @@ frontend http-in |
|
|
|
|
# debug information at /.basedflare/cgi/trace |
|
|
|
|
http-request return status 200 content-type "text/plain; charset=utf-8" lf-file /etc/haproxy/template/trace.txt if { path /.basedflare/cgi/trace } |
|
|
|
|
|
|
|
|
|
# acl for blocked IPs/subnets |
|
|
|
|
acl found_in_blocked_map src,map_ip(/etc/haproxy/map/blocked.map) -m found |
|
|
|
|
acl blocked_ip_or_subnet var(txn.blocked_ip_or_subnet) -m bool |
|
|
|
|
http-request lua.set-ip-var "blocked" "txn.blocked_ip_or_subnet" if found_in_blocked_map |
|
|
|
|
http-request deny deny_status 403 if blocked_ip_or_subnet |
|
|
|
|
# acl for blocked IPs/subnets/ASN |
|
|
|
|
http-request lua.set-lang-json |
|
|
|
|
acl found_in_blockedip_map src,map_ip(/etc/haproxy/map/blockedip.map) -m found |
|
|
|
|
acl found_in_blockedasn_map var(req.asn),map(/etc/haproxy/map/blockedasn.map) -m found |
|
|
|
|
acl blocked_ip_or_subnet_or_asn var(txn.blocked_ip_or_subnet_or_asn) -m bool |
|
|
|
|
http-request lua.set-ip-var blockedip txn.blocked_ip_or_subnet_or_asn ip if found_in_blockedip_map |
|
|
|
|
http-request lua.set-ip-var blockedasn txn.blocked_ip_or_subnet_or_asn asn if found_in_blockedasn_map |
|
|
|
|
http-request deny deny_status 403 if blocked_ip_or_subnet_or_asn |
|
|
|
|
|
|
|
|
|
# ratelimit (and for tor, kill circuit) on POST bot-check. legitimate users shouldn't hit this. |
|
|
|
|
http-request track-sc0 src table bot_check_post_throttle if { path /.basedflare/bot-check } { method POST } |
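Review bot: The new `http-request deny deny_status 403 if blocked_ip_or_subnet_or_asn` is evaluated after the unchanged `http-request return ... lf-file /etc/haproxy/template/trace.txt if { path /.basedflare/cgi/trace }` earlier in this hunk, and HAProxy applies http-request rules in order with the first return/deny ending evaluation, so a client listed in blockedip.map or blockedasn.map still receives the debug trace output. If that endpoint is meant to be withheld from blocked clients, move the whole blocked-IP/ASN block (the two `lua.set-ip-var` actions and the deny) above the trace return; adding `!blocked_ip_or_subnet_or_asn` to the trace condition alone would not help, because the txn variable is only populated by the Lua actions that run later. The two `lua.set-ip-var` actions also write the same `txn.blocked_ip_or_subnet_or_asn` variable, which presumably relies on the Lua action never clearing it on a non-match; worth confirming on the Lua side. The enclosing `frontend http-in` section starts and ends outside this hunk.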
|
|
|
@ -82,7 +87,7 @@ frontend http-in |
|
|
|
|
# acl for lua check whitelisted IPs/subnets and some excluded paths |
|
|
|
|
acl found_in_whitelist_map src,map_ip(/etc/haproxy/map/whitelist.map) -m found |
|
|
|
|
acl is_excluded var(txn.whitelist_ip_or_subnet) -m bool |
|
|
|
|
http-request lua.set-ip-var "whitelist" "txn.whitelist_ip_or_subnet" if found_in_whitelist_map |
|
|
|
|
http-request lua.set-ip-var whitelist txn.whitelist_ip_or_subnet ip if found_in_whitelist_map |
|
|
|
|
acl is_excluded src -f /etc/haproxy/map/crawler-whitelist.map |
|
|
|
|
acl is_excluded path /favicon.ico /.basedflare/pow-icon #add more |
|
|
|
|
|
|
|
|
@ -99,7 +104,7 @@ frontend http-in |
|
|
|
|
|
|
|
|
|
# acl for domains in maintenance mode to return maintenance page (after challenge page htp-request return rules, for the footerlogo) |
|
|
|
|
acl maintenance_mode hdr(host),lower,map_str(/etc/haproxy/map/maintenance.map) -m found |
|
|
|
|
http-request lua.set-lang-json |
|
|
|
|
#http-request lua.set-lang-json |
|
|
|
|
http-request return lf-file /etc/haproxy/template/maintenance.html status 200 content-type "text/html; charset=utf-8" hdr "Cache-Control" "private, max-age=30" if maintenance_mode |
|
|
|
|
|
|
|
|
|
# rewrite specific domain+path to domain or domain+path |
|
|
|
|