Add geo blocking for country and continent, changes get_ip_var lua script section to use two tables

2025-05-09 02:05:37 +00:00 · 2023-10-15 18:13:52 +11:00
parent 2f9823bf51
commit 1dd69fd924
7 changed files with 38 additions and 20 deletions
--- a/haproxy/haproxy.cfg
+++ b/haproxy/haproxy.cfg
@ -56,11 +56,11 @@ frontend http-in
 	#option forwardfor

 	# optional geoip handling (maps required) and alt-svc header addition
-	# http-request set-var(req.xcc) src,map_ip(/etc/haproxy/map/geoip.map)
+	http-request set-var(req.xcc) src,map_ip(/etc/haproxy/map/geoip.map)
 	http-request set-var(req.asn) src,map_ip(/etc/haproxy/map/iptoasn.map)
-	# http-request set-var(txn.xcn) var(req.xcc),map(/etc/haproxy/map/cctocn.map)
-	# http-request set-header X-Country-Code %[var(req.xcc)]
-	# http-request set-header X-Continent-Code %[var(txn.xcn)]
+	http-request set-var(txn.xcn) var(req.xcc),map(/etc/haproxy/map/cctocn.map)
+	http-request set-header X-Country-Code %[var(req.xcc)]
+	http-request set-header X-Continent-Code %[var(txn.xcn)]
 	http-request set-header X-ASN %[var(req.asn)]

 	# drop requests with invalid host header
@ -70,14 +70,18 @@ frontend http-in
 	# debug information at /.basedflare/cgi/trace
 	http-request return status 200 content-type "text/plain; charset=utf-8" lf-file /etc/haproxy/template/trace.txt if { path /.basedflare/cgi/trace }

-	# acl for blocked IPs/subnets/ASN
+	# acl for blocked IPs/subnets/ASN/country
 	http-request lua.set-lang-json
 	acl found_in_blockedip_map src,map_ip(/etc/haproxy/map/blockedip.map) -m found
 	acl found_in_blockedasn_map var(req.asn),map(/etc/haproxy/map/blockedasn.map) -m found
-	acl blocked_ip_or_subnet_or_asn var(txn.blocked_ip_or_subnet_or_asn) -m bool
-	http-request lua.set-ip-var blockedip txn.blocked_ip_or_subnet_or_asn ip if found_in_blockedip_map
-	http-request lua.set-ip-var blockedasn txn.blocked_ip_or_subnet_or_asn asn if found_in_blockedasn_map
-	http-request deny deny_status 403 if blocked_ip_or_subnet_or_asn
+	acl found_in_blockedcc_map var(req.xcc),map(/etc/haproxy/map/blockedcc.map) -m found
+	acl found_in_blockedcn_map var(txn.xcn),map(/etc/haproxy/map/blockedcn.map) -m found
+	acl blocked_bool var(txn.blocked_bool) -m bool
+	http-request lua.set-ip-var blockedip txn.blocked_bool ip if found_in_blockedip_map
+	http-request lua.set-ip-var blockedasn txn.blocked_bool asn if found_in_blockedasn_map
+	http-request lua.set-ip-var blockedcc txn.blocked_bool cc if found_in_blockedcc_map
+	http-request lua.set-ip-var blockedcn txn.blocked_bool cn if found_in_blockedcn_map
+	http-request deny deny_status 403 if blocked_bool

 	# ratelimit (and for tor, kill circuit) on POST bot-check. legitimate users shouldn't hit this.
 	http-request track-sc0 src table bot_check_post_throttle if { path /.basedflare/bot-check } { method POST }
--- a/haproxy/map/blockedasn.map
+++ b/haproxy/map/blockedasn.map
@ -1 +1 @@
-12345 admin:asdf
+#12345 admin:asdf
--- a/haproxy/map/blockedcc.map
+++ b/haproxy/map/blockedcc.map
@ -0,0 +1 @@
+AU admin
--- a/haproxy/map/blockedcn.map
+++ b/haproxy/map/blockedcn.map
--- a/haproxy/map/cctocn.map
+++ b/haproxy/map/cctocn.map
@ -1 +1 @@
-XX ZZ
+AU OC
--- a/haproxy/map/geoip.map
+++ b/haproxy/map/geoip.map
@ -1 +1 @@
-1.2.3.4/24 XX
+0.0.0.0/0 AU
--- a/src/lua/scripts/bot-check.lua
+++ b/src/lua/scripts/bot-check.lua
@ -413,30 +413,43 @@ end
 -- set a variable if ip or subnet in blocked/whitelist map and list of usernames matches the one for the current domain
 local blockedip_map = Map.new("/etc/haproxy/map/blockedip.map", Map._ip);
 local blockedasn_map = Map.new("/etc/haproxy/map/blockedasn.map", Map._str);
+local blockedcc_map = Map.new("/etc/haproxy/map/blockedcc.map", Map._str);
+local blockedcn_map = Map.new("/etc/haproxy/map/blockedcn.map", Map._str);
 local whitelist_map = Map.new("/etc/haproxy/map/whitelist.map", Map._ip);
 local accounts_map = Map.new("/etc/haproxy/map/domtoacc.map", Map._str);
-local maps_map = {
+local maps_tbl = {
 	["blockedip"] = blockedip_map,
 	["blockedasn"] = blockedasn_map,
+	["blockedcc"] = blockedcc_map,
+	["blockedcn"] = blockedcn_map,
 	["whitelist"] = whitelist_map,
 }
+local lookupvar_tbl = {
+	["ip"] = function(_txn)
+		return _txn.sf:src()
+	end,
+	["asn"] = function(_txn)
+		return _txn:get_var("req.asn")
+	end,
+	["cc"] = function(_txn)
+		return _txn:get_var("req.xcc")
+	end,
+	["cn"] = function(_txn)
+		return _txn:get_var("txn.xcn")
+	end,
+}
 function _M.set_ip_var(txn, map_name, set_variable, lookup_var)
 	-- get the host header and user ip
 	local host = txn.sf:hdr("Host")
 	-- choose lookup key
-	local lookup_key = nil
-	if lookup_var == "ip" then -- 1=ip
-		lookup_key = txn.sf:src()
-	elseif lookup_var == "asn" then -- 2=asn
-		lookup_key = txn:get_var("req.asn")
-	end
+	local lookup_key = lookupvar_tbl[lookup_var](txn)
 	-- if none return
 	if lookup_key == nil or host == nil then
 		return
 	end
 	-- get the name of current domain user, and the list
 	-- of names that have blocked this ip (in case multiple)
-	local names_list = maps_map[map_name]:lookup(lookup_key)
+	local names_list = maps_tbl[map_name]:lookup(lookup_key)
 	local current_name = accounts_map:lookup(string.lower(host))
 	if names_list == nil or current_name == nil then
 		return