Revert dockerfile because 2.8 and http/3 still has some issues with lua

docker-compose.yml

@@ -5,12 +5,14 @@ services:
     network_mode: host
     ports:
       - 80:80
+      - 443:80
       - 2001:2001 #dataplaneapi
     build:
       context: ./
       dockerfile: haproxy/Dockerfile
     volumes:
       - ./haproxy/haproxy.cfg:/etc/haproxy/haproxy.cfg
+      - ./haproxy/haproxy.pem:/etc/haproxy/certs/haproxy.pem
       - ./haproxy/dataplaneapi.hcl:/etc/haproxy/dataplaneapi.hcl
       - ./haproxy/errors/:/etc/haproxy/errors/
       - ./haproxy/map/:/etc/haproxy/map/
@@ -39,12 +41,12 @@ services:
       - POW_TYPE=argon2
       - TOR_CONTROL_PORT_PASSWORD=changeme
 
-  # nginx:
-    # ports:
-      # - 81:80
-    # image: "nginx:latest"
-    # volumes:
-      # - ./nginx:/usr/share/nginx/html
+  nginx:
+    ports:
+      - 81:80
+    image: "nginx:latest"
+    volumes:
+      - ./nginx:/usr/share/nginx/html
 
 #  tor:
 #    build:

haproxy/haproxy.cfg

@@ -47,6 +47,9 @@ frontend http-in
 
 	# Clearnet http (you'll have to figure out https yourself)
 	bind *:80
+	# bind *:443 ssl crt /etc/haproxy/certs/haproxy.pem alpn h3,h2,http/1.1
+	# bind quic4@*:443 ssl crt /etc/haproxy/certs/haproxy.pem
+	# http-response set-header alt-svc "h3=\":443\";ma=900;"
 
 	# Or instead, for Tor, to use circuit IDs as "IP":
 	#bind 127.0.0.1:80 accept-proxy
@@ -71,13 +74,13 @@ frontend http-in
 
 	# ratelimit (and for tor, kill circuit) on POST bot-check. legitimate users shouldn't hit this.
 	http-request track-sc0 src table bot_check_post_throttle if { path /.basedflare/bot-check } { method POST }
-	http-request lua.kill-tor-circuit if { sc_http_req_rate(0) gt 1 }
-	http-request tarpit if { sc_http_req_rate(0) gt 1 }
+	# http-request lua.kill-tor-circuit if { sc_http_req_rate(0) gt 1 }
+	# http-request tarpit if { sc_http_req_rate(0) gt 1 }
 
 	# acl for lua check whitelisted IPs/subnets and some excluded paths
 	acl is_excluded src,map_ip(/etc/haproxy/map/whitelist.map) -m found
-	acl is_excluded src -m found -f /etc/haproxy/map/crawler-whitelist.map
-	acl is_excluded path /favicon.ico /.basedflare/pow-icon #add more
+	# acl is_excluded src -m found -f /etc/haproxy/map/crawler-whitelist.map
+	# acl is_excluded path /favicon.ico /.basedflare/pow-icon #add more
 
 	# acl ORs for when ddos_mode_enabled
 	acl ddos_mode_enabled_override str("true"),map(/etc/haproxy/map/ddos_global.map) -m found
@@ -126,7 +129,7 @@ frontend http-in
 	acl can_cache var(txn.path) -i -m end .png .jpg .jpeg .jpe .ico .webmanifest .xml .apng .bmp .webp .pjpeg .jfif .gif .mp4 .webm .mov .mkv .svg .m4a .aac .flac .mp3 .ogg .wav .opus .txt .pdf .sid
 
 	# optional alt-svc header (done after cache so not set in cached responses
-	http-response set-header Alt-Svc %[var(txn.xcn),map(/etc/haproxy/map/alt-svc.map)]
+	# http-response set-header Alt-Svc %[var(txn.xcn),map(/etc/haproxy/map/alt-svc.map)]
 
 	# header checks for no caching
 	# acl auth_cookie_set res.hdr(Set-Cookie),lower -m found

haproxy/map/ddos.map

@@ -1,2 +1,4 @@
 127.0.0.1 1
 127.0.0.1/captcha 2
+localhost 1
+localhost/captcha 2

haproxy/map/ddos_config.map

@@ -1 +1,2 @@
-127.0.0.1 {"pd":"argon2","pt":23,"cip":false,"cex":43200}
+127.0.0.1 {"pd":23,"pt":"argon2","cip":false,"cex":43200}
+localhost {"pd":23,"pt":"argon2","cip":false,"cex":43200}

haproxy/map/hosts.map

@@ -1 +1,2 @@
 127.0.0.1 127.0.0.1:81
+localhost 127.0.0.1:81