Add geo blocking for country and continent, changes get_ip_var lua script section to use two tables

haproxy/haproxy.cfg

@@ -56,11 +56,11 @@ frontend http-in
 	#option forwardfor
 
 	# optional geoip handling (maps required) and alt-svc header addition
-	# http-request set-var(req.xcc) src,map_ip(/etc/haproxy/map/geoip.map)
+	http-request set-var(req.xcc) src,map_ip(/etc/haproxy/map/geoip.map)
 	http-request set-var(req.asn) src,map_ip(/etc/haproxy/map/iptoasn.map)
-	# http-request set-var(txn.xcn) var(req.xcc),map(/etc/haproxy/map/cctocn.map)
-	# http-request set-header X-Country-Code %[var(req.xcc)]
-	# http-request set-header X-Continent-Code %[var(txn.xcn)]
+	http-request set-var(txn.xcn) var(req.xcc),map(/etc/haproxy/map/cctocn.map)
+	http-request set-header X-Country-Code %[var(req.xcc)]
+	http-request set-header X-Continent-Code %[var(txn.xcn)]
 	http-request set-header X-ASN %[var(req.asn)]
 
 	# drop requests with invalid host header
@@ -70,14 +70,18 @@ frontend http-in
 	# debug information at /.basedflare/cgi/trace
 	http-request return status 200 content-type "text/plain; charset=utf-8" lf-file /etc/haproxy/template/trace.txt if { path /.basedflare/cgi/trace }
 
-	# acl for blocked IPs/subnets/ASN
+	# acl for blocked IPs/subnets/ASN/country
 	http-request lua.set-lang-json
 	acl found_in_blockedip_map src,map_ip(/etc/haproxy/map/blockedip.map) -m found
 	acl found_in_blockedasn_map var(req.asn),map(/etc/haproxy/map/blockedasn.map) -m found
-	acl blocked_ip_or_subnet_or_asn var(txn.blocked_ip_or_subnet_or_asn) -m bool
-	http-request lua.set-ip-var blockedip txn.blocked_ip_or_subnet_or_asn ip if found_in_blockedip_map
-	http-request lua.set-ip-var blockedasn txn.blocked_ip_or_subnet_or_asn asn if found_in_blockedasn_map
-	http-request deny deny_status 403 if blocked_ip_or_subnet_or_asn
+	acl found_in_blockedcc_map var(req.xcc),map(/etc/haproxy/map/blockedcc.map) -m found
+	acl found_in_blockedcn_map var(txn.xcn),map(/etc/haproxy/map/blockedcn.map) -m found
+	acl blocked_bool var(txn.blocked_bool) -m bool
+	http-request lua.set-ip-var blockedip txn.blocked_bool ip if found_in_blockedip_map
+	http-request lua.set-ip-var blockedasn txn.blocked_bool asn if found_in_blockedasn_map
+	http-request lua.set-ip-var blockedcc txn.blocked_bool cc if found_in_blockedcc_map
+	http-request lua.set-ip-var blockedcn txn.blocked_bool cn if found_in_blockedcn_map
+	http-request deny deny_status 403 if blocked_bool
 
 	# ratelimit (and for tor, kill circuit) on POST bot-check. legitimate users shouldn't hit this.
 	http-request track-sc0 src table bot_check_post_throttle if { path /.basedflare/bot-check } { method POST }

haproxy/map/blockedasn.map

@@ -1 +1 @@
-12345 admin:asdf
+#12345 admin:asdf

haproxy/map/blockedcc.map

@@ -0,0 +1 @@
+AU admin

haproxy/map/cctocn.map

@@ -1 +1 @@
-XX ZZ
+AU OC

haproxy/map/geoip.map

@@ -1 +1 @@
-1.2.3.4/24 XX
+0.0.0.0/0 AU