haproxy 2.8 dockerfile, remove testing cert, change ddos map for json testing

docker-compose.yml

@@ -12,7 +12,6 @@ services:
       dockerfile: haproxy/Dockerfile
     volumes:
       - ./haproxy/haproxy.cfg:/etc/haproxy/haproxy.cfg
-      - ./haproxy/haproxy.pem:/etc/haproxy/certs/haproxy.pem
       - ./haproxy/dataplaneapi.hcl:/etc/haproxy/dataplaneapi.hcl
       - ./haproxy/errors/:/etc/haproxy/errors/
       - ./haproxy/map/:/etc/haproxy/map/

haproxy/Dockerfile

@@ -18,7 +18,7 @@ RUN set -eux; \
 		--uid 99 \
 		haproxy
 
-ENV HAPROXY_URL http://www.haproxy.org/download/2.7/src/snapshot/haproxy-ss-LATEST.tar.gz
+ENV HAPROXY_URL http://www.haproxy.org/download/2.8/src/snapshot/haproxy-ss-LATEST.tar.gz
 ENV DATAPLANEAPI_URL https://github.com/haproxytech/dataplaneapi/releases/download/v2.7.5/dataplaneapi_2.7.5_Linux_x86_64.tar.gz
 
 # see https://sources.debian.net/src/haproxy/jessie/debian/rules/ for some helpful navigation of the possible "make" arguments

haproxy/haproxy.cfg

@@ -84,8 +84,8 @@ frontend http-in
 
 	# acl ORs for when ddos_mode_enabled
 	acl ddos_mode_enabled_override str("true"),map(/etc/haproxy/map/ddos_global.map) -m found
-	acl ddos_mode_enabled hdr(host),lower,map(/etc/haproxy/map/ddos.map) -m bool
-	acl ddos_mode_enabled base,map(/etc/haproxy/map/ddos.map) -m bool
+	acl ddos_mode_enabled hdr(host),lower,map(/etc/haproxy/map/ddos.map) -m found
+	acl ddos_mode_enabled base,map(/etc/haproxy/map/ddos.map) -m found
 
 	# serve challenge page scripts directly from haproxy
 	http-request return file /etc/haproxy/js/auto.min.js status 200 content-type "application/javascript; charset=utf-8" hdr "Cache-Control" "public, max-age=86400" if { path /.basedflare/js/auto.min.js }

haproxy/map/crawler-whitelist.map

@@ -1,2 +0,0 @@
-#127.0.0.1/24
-#10.0.0.0/24

haproxy/map/ddos.map

@@ -1,4 +1,12 @@
-127.0.0.1 1
-127.0.0.1/captcha 2
-localhost 1
-localhost/captcha 2
+127.0.0.1/0 {"m":0,"t":true}
+127.0.0.1/0f {"m":0,"t":false}
+127.0.0.1/0n {"m":0}
+127.0.0.1/1 {"m":1,"t":true}
+127.0.0.1/1f {"m":1,"t":false}
+127.0.0.1/1n {"m":1}
+127.0.0.1/2 {"m":2,"t":true}
+127.0.0.1/2f {"m":2,"t":false}
+127.0.0.1/2n {"m":2}
+127.0.0.1/captcha {"m":2}
+localhost {"m":1}
+localhost/captcha {"m":2}

src/lua/scripts/bot-check.lua

@@ -53,7 +53,7 @@ local pow_cookie_secret = os.getenv("POW_COOKIE_SECRET")
 local hmac_cookie_secret = os.getenv("HMAC_COOKIE_SECRET")
 local ray_id = os.getenv("RAY_ID")
 -- load captcha map and set hcaptcha/recaptch based off env vars
-local captcha_map = Map.new("/etc/haproxy/map/ddos.map", Map._str);
+local ddos_map = Map.new("/etc/haproxy/map/ddos.map", Map._str);
 local captcha_provider_domain = ""
 local captcha_classname = ""
 local captcha_script_src = ""
@@ -156,10 +156,12 @@ function _M.view(applet)
 		local captcha_enabled = false
 		local path = applet.qs; --because on /.basedflare/bot-check?/whatever, .qs (query string) holds the "path"
 
-		local captcha_map_lookup = captcha_map:lookup(host..path) or captcha_map:lookup(host) or 0
-		captcha_map_lookup = tonumber(captcha_map_lookup)
-		if captcha_map_lookup == 2 then
-			captcha_enabled = true
+		local ddos_map_lookup = ddos_map:lookup(host..path) or ddos_map:lookup(host)
+		if ddos_map_lookup ~= nil then
+			ddos_map_json = json.decode(ddos_map_lookup)
+			if ddos_map_json.m == 2 then
+				captcha_enabled = true
+			end
 		end
 
 		-- return simple json if they send accept: application/json header
@@ -412,15 +414,20 @@ end
 function _M.decide_checks_necessary(txn)
 	local host = txn.sf:hdr("Host")
 	local path = txn.sf:path();
-	local captcha_map_lookup = captcha_map:lookup(host..path) or captcha_map:lookup(host) or 0
-	captcha_map_lookup = tonumber(captcha_map_lookup)
-	if captcha_map_lookup == 1 then
-		txn:set_var("txn.validate_pow", true)
-	elseif captcha_map_lookup == 2 then
-		txn:set_var("txn.validate_captcha", true)
-		txn:set_var("txn.validate_pow", true)
+	local ddos_map_lookup = ddos_map:lookup(host..path) or ddos_map:lookup(host)
+	if ddos_map_lookup ~= nil then
+		ddos_map_json = json.decode(ddos_map_lookup)
+		if ddos_map_json.m == 0
+			or (ddos_map_json.t == true and txn.sf:hdr("X-Country-Code") ~= "T1") then
+			return
+		elseif ddos_map_json.m == 1 then
+			txn:set_var("txn.validate_pow", true)
+		elseif ddos_map_json.m == 2 then
+			txn:set_var("txn.validate_pow", true)
+			txn:set_var("txn.validate_captcha", true)
+		end
 	end
-	-- otherwise, domain+path was set to 0 (whitelist) or there is no entry in the map
+	-- no entry in the map
 end
 
 -- check if captcha cookie is valid, separate secret from POW