ne wjson map format for excluding exits

haproxy/haproxy.cfg

@@ -84,8 +84,8 @@ frontend http-in
 
 	# acl ORs for when ddos_mode_enabled
 	acl ddos_mode_enabled_override str("true"),map(/etc/haproxy/map/ddos_global.map) -m found
-	acl ddos_mode_enabled hdr(host),lower,map(/etc/haproxy/map/ddos.map) -m bool
-	acl ddos_mode_enabled base,map(/etc/haproxy/map/ddos.map) -m bool
+	acl ddos_mode_enabled hdr(host),lower,map(/etc/haproxy/map/ddos.map) -m found
+	acl ddos_mode_enabled base,map(/etc/haproxy/map/ddos.map) -m found
 
 	# serve challenge page scripts directly from haproxy
 	http-request return file /etc/haproxy/js/auto.min.js status 200 content-type "application/javascript; charset=utf-8" hdr "Cache-Control" "public, max-age=86400" if { path /.basedflare/js/auto.min.js }

haproxy/map/crawler-whitelist.map

@@ -1,2 +0,0 @@
-#127.0.0.1/24
-#10.0.0.0/24

haproxy/map/ddos.map

@@ -1,4 +1,4 @@
-127.0.0.1 1
-127.0.0.1/captcha 2
-localhost 1
-localhost/captcha 2
+127.0.0.1 {"m":1,"t":true}
+127.0.0.1/captcha {"m":2}
+localhost {"m":1}
+localhost/captcha {"m":2}

src/lua/scripts/bot-check.lua

@@ -53,7 +53,7 @@ local pow_cookie_secret = os.getenv("POW_COOKIE_SECRET")
 local hmac_cookie_secret = os.getenv("HMAC_COOKIE_SECRET")
 local ray_id = os.getenv("RAY_ID")
 -- load captcha map and set hcaptcha/recaptch based off env vars
-local captcha_map = Map.new("/etc/haproxy/map/ddos.map", Map._str);
+local ddos_map = Map.new("/etc/haproxy/map/ddos.map", Map._str);
 local captcha_provider_domain = ""
 local captcha_classname = ""
 local captcha_script_src = ""
@@ -156,10 +156,12 @@ function _M.view(applet)
 		local captcha_enabled = false
 		local path = applet.qs; --because on /.basedflare/bot-check?/whatever, .qs (query string) holds the "path"
 
-		local captcha_map_lookup = captcha_map:lookup(host..path) or captcha_map:lookup(host) or 0
-		captcha_map_lookup = tonumber(captcha_map_lookup)
-		if captcha_map_lookup == 2 then
-			captcha_enabled = true
+		local ddos_map_lookup = ddos_map:lookup(host..path) or ddos_map:lookup(host)
+		if ddos_map_lookup ~= nil then
+			ddos_map_json = json.decode(ddos_map_lookup)
+			if ddos_map_json.m == 2 then
+				captcha_enabled = true
+			end
 		end
 
 		-- return simple json if they send accept: application/json header
@@ -412,15 +414,20 @@ end
 function _M.decide_checks_necessary(txn)
 	local host = txn.sf:hdr("Host")
 	local path = txn.sf:path();
-	local captcha_map_lookup = captcha_map:lookup(host..path) or captcha_map:lookup(host) or 0
-	captcha_map_lookup = tonumber(captcha_map_lookup)
-	if captcha_map_lookup == 1 then
-		txn:set_var("txn.validate_pow", true)
-	elseif captcha_map_lookup == 2 then
-		txn:set_var("txn.validate_captcha", true)
-		txn:set_var("txn.validate_pow", true)
+	local ddos_map_lookup = ddos_map:lookup(host..path) or ddos_map:lookup(host)
+	if ddos_map_lookup ~= nil then
+		ddos_map_json = json.decode(ddos_map_lookup)
+		if ddos_map_json.m == 0
+			or (ddos_map_json.t == true and txn.sf:hdr("X-Country-Code") ~= "T1") then
+			return
+		elseif ddos_map_json.m == 1 then
+			txn:set_var("txn.validate_pow", true)
+		elseif ddos_map_json.m == 2 then
+			txn:set_var("txn.validate_pow", true)
+			txn:set_var("txn.validate_captcha", true)
+		end
 	end
-	-- otherwise, domain+path was set to 0 (whitelist) or there is no entry in the map
+	-- no entry in the map
 end
 
 -- check if captcha cookie is valid, separate secret from POW