Add custom tfp example for writing custom case scripts, todo make not apply only to captcha

This commit is contained in:
Thomas Lynch
2025-03-31 23:39:27 +11:00
parent 241c04a1b2
commit 455612e998
10 changed files with 36 additions and 7 deletions

View File

@@ -18,7 +18,7 @@ RUN set -eux; \
--uid 99 \
haproxy
ENV HAPROXY_URL http://www.haproxy.org/download/3.0/src/snapshot/haproxy-ss-LATEST.tar.gz
ENV HAPROXY_URL http://www.haproxy.org/download/3.1/src/snapshot/haproxy-ss-LATEST.tar.gz
ENV DATAPLANEAPI_URL https://github.com/haproxytech/dataplaneapi/releases/download/v2.7.5/dataplaneapi_2.7.5_Linux_x86_64.tar.gz
# see https://sources.debian.net/src/haproxy/jessie/debian/rules/ for some helpful navigation of the possible "make" arguments

View File

@@ -6,12 +6,15 @@ global
maxconn "${HAPROXY_MAXCONN}"
log stdout format raw local0 debug
lua-load /etc/haproxy/scripts/register-servers.lua
lua-load-per-thread /etc/haproxy/scripts/tfp.lua
lua-load-per-thread /etc/haproxy/scripts/register-bot-check.lua
stats socket /var/run/haproxy.sock mode 666 level admin
stats socket 127.0.0.1:1999 level admin
httpclient.ssl.verify none
# Allow larger buffer size for return-file of argon scripts
tune.bufsize 51200
expose-deprecated-directives
tune.ssl.capture-buffer-size 200
defaults
log global
@@ -51,7 +54,7 @@ frontend http-in
# Clearnet http (you'll have to figure out https yourself)
bind *:80
# bind *:443 ssl crt /etc/haproxy/certs/haproxy.pem alpn h3,h2,http/1.1
bind *:443 ssl crt /etc/haproxy/certs/haproxy.pem alpn h2,http/1.1
# bind quic4@*:443 ssl crt /etc/haproxy/certs/haproxy.pem
# http-response set-header alt-svc "h3=\":443\";ma=900;"
@@ -59,9 +62,12 @@ frontend http-in
# bind 127.0.0.1:80 accept-proxy
option forwardfor
# tfp lua dev test
http-request lua.set_tfp
# custom log format
log-format "{\"cc\":%{+Q}[capture.req.hdr(1)],\"cip\":\"%ci\",\"cp\":\"%cp\",\"hh\":%{+Q}[capture.req.hdr(0)],\"backend\":\"%b\",\"server\":\"%s\",\"timers\":\"%TR/%Tw/%Tc/%Tr/%Ta\",\"status\":\"%ST\",\"bytes\":\"%B\",\"bs\":\"%U\",\"conns\":\"%ac/%fc/%bc/%sc/%rc\",\"q\":\"%sq/%bq\",\"req\":%{+Q,+E}r,\"GeoIP_Source\":\"GeoIP_Source=%ci\"}"
log-format "{\"cc\":%{+Q}[capture.req.hdr(1)],\"tp\":%{+Q}[var(txn.fp_custom)],\"cip\":\"%ci\",\"cp\":\"%cp\",\"hh\":%{+Q}[capture.req.hdr(0)],\"backend\":\"%b\",\"server\":\"%s\",\"timers\":\"%TR/%Tw/%Tc/%Tr/%Ta\",\"status\":\"%ST\",\"bytes\":\"%B\",\"bs\":\"%U\",\"conns\":\"%ac/%fc/%bc/%sc/%rc\",\"q\":\"%sq/%bq\",\"req\":%{+Q,+E}r,\"GeoIP_Source\":\"GeoIP_Source=%ci\"}"
# optional geoip handling (maps required) and alt-svc header addition
http-request set-var(req.xcc) src,map_ip(/etc/haproxy/map/geoip.map)
http-request set-var(req.asn) src,map_ip(/etc/haproxy/map/iptoasn.map)
@@ -169,7 +175,7 @@ backend haproxy-to-varnish-cache
backend servers
balance roundrobin
default-server ssl verify required ca-file ca-certificates.crt sni req.hdr(Host) check observe layer4 inter 30
default-server ssl verify required ca-file ca-certificates.crt sni req.hdr(Host) check observe layer4 inter 30s
use-server %[lua.get_server_names] if TRUE
backend bot_check_post_throttle

1
haproxy/map/bfp.map Normal file
View File

@@ -0,0 +1 @@
#

View File

@@ -0,0 +1 @@
localhost {"m":0,"t":false}

View File

@@ -1 +1 @@
localhost {"pd":27,"pt":"sha256","cex":999,"cip":false,"js":true}
localhost {"pd":21,"pt":"sha256","cex":999,"cip":true,"js":true}

1
haproxy/map/lfp.map Normal file
View File

@@ -0,0 +1 @@
#