diff --git a/haproxy/haproxy.cfg b/haproxy/haproxy.cfg
index 2e2ab4f..b49a65d 100644
--- a/haproxy/haproxy.cfg
+++ b/haproxy/haproxy.cfg
@@ -56,11 +56,11 @@ frontend http-in
  #option forwardfor
  # optional geoip handling (maps required) and alt-svc header addition
- # http-request set-var(req.xcc) src,map_ip(/etc/haproxy/map/geoip.map)
+ http-request set-var(req.xcc) src,map_ip(/etc/haproxy/map/geoip.map)
  http-request set-var(req.asn) src,map_ip(/etc/haproxy/map/iptoasn.map)
- # http-request set-var(txn.xcn) var(req.xcc),map(/etc/haproxy/map/cctocn.map)
- # http-request set-header X-Country-Code %[var(req.xcc)]
- # http-request set-header X-Continent-Code %[var(txn.xcn)]
+ http-request set-var(txn.xcn) var(req.xcc),map(/etc/haproxy/map/cctocn.map)
+ http-request set-header X-Country-Code %[var(req.xcc)]
+ http-request set-header X-Continent-Code %[var(txn.xcn)]
  http-request set-header X-ASN %[var(req.asn)]
  # drop requests with invalid host header
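Review bot: Every lookup added at the top of the hunk keys on `src`, and nothing in the hunk rewrites the source address, so if this frontend sits behind another proxy or CDN every client will classify as that upstream's country and ASN and the country blocking added later in this file would then apply to all of them at once; a line above the block should make the dependency explicit, e.g. `# req.xcc/req.asn key on src (the TCP peer); behind an upstream proxy use set-src or accept-proxy first`. The unconditional `set-header` lines are right as written, since they overwrite any client-supplied X-Country-Code/X-Continent-Code before the request reaches a backend; recording that with `# always set so a client cannot inject these headers` would stop a later reader from adding an `-m found` guard that reopens the injection path. The frontend http-in section continues outside the hunk.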
@@ -70,14 +70,18 @@ frontend http-in
  # debug information at /.basedflare/cgi/trace
  http-request return status 200 content-type "text/plain; charset=utf-8" lf-file /etc/haproxy/template/trace.txt if { path /.basedflare/cgi/trace }
- # acl for blocked IPs/subnets/ASN
+ # acl for blocked IPs/subnets/ASN/country
  http-request lua.set-lang-json
  acl found_in_blockedip_map src,map_ip(/etc/haproxy/map/blockedip.map) -m found
  acl found_in_blockedasn_map var(req.asn),map(/etc/haproxy/map/blockedasn.map) -m found
- acl blocked_ip_or_subnet_or_asn var(txn.blocked_ip_or_subnet_or_asn) -m bool
- http-request lua.set-ip-var blockedip txn.blocked_ip_or_subnet_or_asn ip if found_in_blockedip_map
- http-request lua.set-ip-var blockedasn txn.blocked_ip_or_subnet_or_asn asn if found_in_blockedasn_map
- http-request deny deny_status 403 if blocked_ip_or_subnet_or_asn
+ acl found_in_blockedcc_map var(req.xcc),map(/etc/haproxy/map/blockedcc.map) -m found
+ acl found_in_blockedcn_map var(txn.xcn),map(/etc/haproxy/map/blockedcn.map) -m found
+ acl blocked_bool var(txn.blocked_bool) -m bool
+ http-request lua.set-ip-var blockedip txn.blocked_bool ip if found_in_blockedip_map
+ http-request lua.set-ip-var blockedasn txn.blocked_bool asn if found_in_blockedasn_map
+ http-request lua.set-ip-var blockedcc txn.blocked_bool cc if found_in_blockedcc_map
+ http-request lua.set-ip-var blockedcn txn.blocked_bool cn if found_in_blockedcn_map
+ http-request deny deny_status 403 if blocked_bool
  # ratelimit (and for tor, kill circuit) on POST bot-check. legitimate users shouldn't hit this.
  http-request track-sc0 src table bot_check_post_throttle if { path /.basedflare/bot-check } { method POST }
diff --git a/haproxy/map/blockedasn.map b/haproxy/map/blockedasn.map
index b136f39..384d0a0 100644
--- a/haproxy/map/blockedasn.map
+++ b/haproxy/map/blockedasn.map
@@ -1 +1 @@
-12345 admin:asdf
+#12345 admin:asdf
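Review bot: The four `lua.set-ip-var` actions in the middle of the hunk each enter Lua whenever their map ACL matches, even after an earlier one has already set `txn.blocked_bool`; appending `!blocked_bool` to the second, third and fourth conditions, e.g. `http-request lua.set-ip-var blockedasn txn.blocked_bool asn if found_in_blockedasn_map !blocked_bool`, skips the remaining lookups once a block decision exists. The country and continent checks also fail open when the address has no entry in geoip.map, because req.xcc and txn.xcn are then unset and found_in_blockedcc_map/found_in_blockedcn_map cannot match; that is presumably intended but deserves a line in the updated comment, which should also mention continent: `# acl for blocked IPs/subnets/ASN/country/continent (geo ACLs never match when geoip.map has no entry for src)`. The frontend http-in section continues outside the hunk.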
diff --git a/haproxy/map/blockedcc.map b/haproxy/map/blockedcc.map
new file mode 100644
index 0000000..3b41c15
--- /dev/null
+++ b/haproxy/map/blockedcc.map
@@ -0,0 +1 @@
+AU admin
diff --git a/haproxy/map/blockedcn.map b/haproxy/map/blockedcn.map
new file mode 100644
index 0000000..e69de29
diff --git a/haproxy/map/cctocn.map b/haproxy/map/cctocn.map
index 2a40f1e..5595bfd 100644
--- a/haproxy/map/cctocn.map
+++ b/haproxy/map/cctocn.map
@@ -1 +1 @@
-XX ZZ
+AU OC
diff --git a/haproxy/map/geoip.map b/haproxy/map/geoip.map
index fcf291f..291549c 100644
--- a/haproxy/map/geoip.map
+++ b/haproxy/map/geoip.map
@@ -1 +1 @@
-1.2.3.4/24 XX
+0.0.0.0/0 AU
diff --git a/src/lua/scripts/bot-check.lua b/src/lua/scripts/bot-check.lua
index bf0c651..d76a56a 100644
--- a/src/lua/scripts/bot-check.lua
+++ b/src/lua/scripts/bot-check.lua
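Review bot: The new `0.0.0.0/0 AU` entry in geoip.map classifies every address as AU while blockedcc.map now contains `AU admin`, so with these files as shipped every request to admin's domains is denied with 403 by the new rules in haproxy.cfg; that is fine as a local fixture but a foot-gun if these maps are the defaults copied into the image. Either keep a narrow test prefix here (the form of the replaced `1.2.3.4/24 XX` line) or mark the sample data on the first line of each map with a comment such as `# sample data for local testing, replace before deployment`, the `#` form the blockedasn.map hunk already uses to disable an entry.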
@@ -413,30 +413,43 @@ end
 -- set a variable if ip or subnet in blocked/whitelist map and list of usernames matches the one for the current domain
 local blockedip_map = Map.new("/etc/haproxy/map/blockedip.map", Map._ip);
 local blockedasn_map = Map.new("/etc/haproxy/map/blockedasn.map", Map._str);
+local blockedcc_map = Map.new("/etc/haproxy/map/blockedcc.map", Map._str);
+local blockedcn_map = Map.new("/etc/haproxy/map/blockedcn.map", Map._str);
 local whitelist_map = Map.new("/etc/haproxy/map/whitelist.map", Map._ip);
 local accounts_map = Map.new("/etc/haproxy/map/domtoacc.map", Map._str);
-local maps_map = {
+local maps_tbl = {
 	["blockedip"] = blockedip_map,
 	["blockedasn"] = blockedasn_map,
+	["blockedcc"] = blockedcc_map,
+	["blockedcn"] = blockedcn_map,
 	["whitelist"] = whitelist_map,
 }
+local lookupvar_tbl = {
+	["ip"] = function(_txn)
+		return _txn.sf:src()
+	end,
+	["asn"] = function(_txn)
+		return _txn:get_var("req.asn")
+	end,
+	["cc"] = function(_txn)
+		return _txn:get_var("req.xcc")
+	end,
+	["cn"] = function(_txn)
+		return _txn:get_var("txn.xcn")
+	end,
+}
 function _M.set_ip_var(txn, map_name, set_variable, lookup_var)
 	-- get the host header and user ip
 	local host = txn.sf:hdr("Host")
 	-- choose lookup key
-	local lookup_key = nil
-	if lookup_var == "ip" then -- 1=ip
-		lookup_key = txn.sf:src()
-	elseif lookup_var == "asn" then -- 2=asn
-		lookup_key = txn:get_var("req.asn")
-	end
+	local lookup_key = lookupvar_tbl[lookup_var](txn)
 	-- if none return
 	if lookup_key == nil or host == nil then
 		return
 	end
 	-- get the name of current domain user, and the list
 	-- of names that have blocked this ip (in case multiple)
-	local names_list = maps_map[map_name]:lookup(lookup_key)
+	local names_list = maps_tbl[map_name]:lookup(lookup_key)
 	local current_name = accounts_map:lookup(string.lower(host))
 	if names_list == nil or current_name == nil then
 		return
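Review bot: `lookupvar_tbl[lookup_var](txn)` in the middle of the hunk raises "attempt to call a nil value" for any lookup_var other than ip/asn/cc/cn, whereas the removed if/elseif chain left lookup_key nil and took the early return; a typo in one of the new set-ip-var lines in haproxy.cfg would now surface as a Lua runtime error on every request whose map ACL matches instead of a silent no-op. Keep the fail-safe behaviour with `local lookup = lookupvar_tbl[lookup_var]` / `if lookup == nil then return end` / `local lookup_key = lookup(txn)`. The comment `-- get the host header and user ip` above `local host` is now stale since the key is no longer always an ip, and the block comment at the top of the hunk should say that the ASN, country and continent maps are handled here too. set_ip_var continues past the end of the hunk.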