From 25f702d15739c058fc24908288a52953b15405b7 Mon Sep 17 00:00:00 2001
From: Thomas Lynch
Date: Sun, 28 Jan 2024 17:43:56 +1100
Subject: [PATCH] Add ACL so alt-svc header is only sent when geo continent not matching server env

---
 docker-compose.yml | 1 +
 haproxy/haproxy.cfg | 5 ++++-
 haproxy/map/alt-svc.map | 1 +
 haproxy/map/blockedasn.map | 1 -
 haproxy/map/blockedcc.map | 1 -
 5 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index 3b448a3..f088049 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -26,6 +26,7 @@ services:
       # These are the hcaptcha and recaptcha test keys, not leaking any dont worry :^)
       - HAPROXY_MAXCONN=5000
       - HAPROXY_CACHE_MB=500
+      - HAPROXY_CONTINENT=OC
       - HCAPTCHA_SITEKEY=20000000-ffff-ffff-ffff-000000000002
       - HCAPTCHA_SECRET=0x0000000000000000000000000000000000000000
       #- RECAPTCHA_SECRET=6LeIxAcTAAAAAGG-vFI1TnRWxMZNFuojJ4WifJWe
diff --git a/haproxy/haproxy.cfg b/haproxy/haproxy.cfg
index 70bb88e..e1d6a83 100644
--- a/haproxy/haproxy.cfg
+++ b/haproxy/haproxy.cfg
@@ -142,7 +142,10 @@ frontend http-in
     acl can_cache var(txn.path) -i -m end .png .jpg .jpeg .jpe .ico .webmanifest .xml .apng .bmp .webp .pjpeg .jfif .gif .mp4 .webm .mov .mkv .svg .m4a .aac .flac .mp3 .ogg .wav .opus .txt .pdf .sid
 
     # optional alt-svc header (done after cache so not set in cached responses
-    # http-response set-header Alt-Svc %[var(txn.xcn),map(/etc/haproxy/map/alt-svc.map)]
+    acl match_server_continent var(txn.xcn) -m str "${HAPROXY_CONTINENT}"
+    http-response set-header X-Server-CN "${HAPROXY_CONTINENT}"
+    http-response set-header X-User-CN %[var(txn.xcn)]
+    http-response set-header Alt-Svc %[var(txn.xcn),map(/etc/haproxy/map/alt-svc.map)] if !match_server_continent
 
     # header checks for no caching
     # acl auth_cookie_set res.hdr(Set-Cookie),lower -m found
diff --git a/haproxy/map/alt-svc.map b/haproxy/map/alt-svc.map
index 24f17ef..aee7e00 100644
--- a/haproxy/map/alt-svc.map
+++ b/haproxy/map/alt-svc.map
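Review bot: The added `HAPROXY_CONTINENT=OC` is only meaningful if its spelling matches both the continent code that `txn.xcn` carries and a key in haproxy/map/alt-svc.map, and nothing in the compose file records that coupling. A one-line comment above the new entry would prevent a silent mismatch, e.g. `# continent code of this deployment; must match the codes in txn.xcn and the keys of haproxy/map/alt-svc.map`. Note also that haproxy/haproxy.cfg now expands `${HAPROXY_CONTINENT}` at startup, so any other compose or env file that omits this variable changes the proxy's behaviour rather than failing.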
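Review bot: The two new `X-Server-CN` and `X-User-CN` response headers are unconditional, so every client learns the continent this deployment runs in and what the proxy's geo lookup concluded about them; if they exist to verify the new ACL, gate them behind a debug condition or remove them before merge and keep only the `Alt-Svc` line. Separately, when `txn.xcn` is empty (lookup failed) or holds a code with no entry in alt-svc.map (the map shown has only EU, NA and OC), `!match_server_continent` is true and the `map()` converter yields nothing, so as far as I can tell `Alt-Svc` is then set with an empty value; guard it with a found check: `http-response set-header Alt-Svc %[var(txn.xcn),map(/etc/haproxy/map/alt-svc.map)] if !match_server_continent { var(txn.xcn),map(/etc/haproxy/map/alt-svc.map) -m found }`. If `HAPROXY_CONTINENT` is unset at startup the acl pattern expands to an empty string, so the header would be sent to clients on the server's own continent as well, which is the case the commit means to exclude. The `frontend http-in` section continues outside the hunk.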
@@ -1,2 +1,3 @@
 EU h2="eur-hostname.com:443";
 NA h2="usa-hostname.com:443";
+OC h2="oce-hostname.com:443";
diff --git a/haproxy/map/blockedasn.map b/haproxy/map/blockedasn.map
index 384d0a0..e69de29 100644
--- a/haproxy/map/blockedasn.map
+++ b/haproxy/map/blockedasn.map
@@ -1 +0,0 @@
-#12345 admin:asdf
diff --git a/haproxy/map/blockedcc.map b/haproxy/map/blockedcc.map
index 3b41c15..e69de29 100644
--- a/haproxy/map/blockedcc.map
+++ b/haproxy/map/blockedcc.map
@@ -1 +0,0 @@
-AU admin