Add custom tfp example for writing custom case scripts, todo make not apply only to captcha

haproxy/Dockerfile

@@ -18,7 +18,7 @@ RUN set -eux; \
 		--uid 99 \
 		haproxy
 
-ENV HAPROXY_URL http://www.haproxy.org/download/3.0/src/snapshot/haproxy-ss-LATEST.tar.gz
+ENV HAPROXY_URL http://www.haproxy.org/download/3.1/src/snapshot/haproxy-ss-LATEST.tar.gz
 ENV DATAPLANEAPI_URL https://github.com/haproxytech/dataplaneapi/releases/download/v2.7.5/dataplaneapi_2.7.5_Linux_x86_64.tar.gz
 
 # see https://sources.debian.net/src/haproxy/jessie/debian/rules/ for some helpful navigation of the possible "make" arguments

haproxy/haproxy.cfg

@@ -6,12 +6,15 @@ global
 	maxconn "${HAPROXY_MAXCONN}"
 	log stdout  format raw  local0  debug
 	lua-load /etc/haproxy/scripts/register-servers.lua
+	lua-load-per-thread /etc/haproxy/scripts/tfp.lua
 	lua-load-per-thread /etc/haproxy/scripts/register-bot-check.lua
 	stats socket /var/run/haproxy.sock mode 666 level admin
 	stats socket 127.0.0.1:1999 level admin
 	httpclient.ssl.verify none
 	# Allow larger buffer size for return-file of argon scripts
 	tune.bufsize 51200
+	expose-deprecated-directives
+	tune.ssl.capture-buffer-size 200
 
 defaults
 	log global
@@ -51,7 +54,7 @@ frontend http-in
 
 	# Clearnet http (you'll have to figure out https yourself)
 	bind *:80
-	# bind *:443 ssl crt /etc/haproxy/certs/haproxy.pem alpn h3,h2,http/1.1
+	bind *:443 ssl crt /etc/haproxy/certs/haproxy.pem alpn h2,http/1.1
 	# bind quic4@*:443 ssl crt /etc/haproxy/certs/haproxy.pem
 	# http-response set-header alt-svc "h3=\":443\";ma=900;"
 
@@ -59,9 +62,12 @@ frontend http-in
 	# bind 127.0.0.1:80 accept-proxy
 	option forwardfor
 
+	# tfp lua dev test
+	http-request lua.set_tfp
+
 	# custom log format
-	log-format "{\"cc\":%{+Q}[capture.req.hdr(1)],\"cip\":\"%ci\",\"cp\":\"%cp\",\"hh\":%{+Q}[capture.req.hdr(0)],\"backend\":\"%b\",\"server\":\"%s\",\"timers\":\"%TR/%Tw/%Tc/%Tr/%Ta\",\"status\":\"%ST\",\"bytes\":\"%B\",\"bs\":\"%U\",\"conns\":\"%ac/%fc/%bc/%sc/%rc\",\"q\":\"%sq/%bq\",\"req\":%{+Q,+E}r,\"GeoIP_Source\":\"GeoIP_Source=%ci\"}"
- 
+	log-format "{\"cc\":%{+Q}[capture.req.hdr(1)],\"tp\":%{+Q}[var(txn.fp_custom)],\"cip\":\"%ci\",\"cp\":\"%cp\",\"hh\":%{+Q}[capture.req.hdr(0)],\"backend\":\"%b\",\"server\":\"%s\",\"timers\":\"%TR/%Tw/%Tc/%Tr/%Ta\",\"status\":\"%ST\",\"bytes\":\"%B\",\"bs\":\"%U\",\"conns\":\"%ac/%fc/%bc/%sc/%rc\",\"q\":\"%sq/%bq\",\"req\":%{+Q,+E}r,\"GeoIP_Source\":\"GeoIP_Source=%ci\"}"
+
 	# optional geoip handling (maps required) and alt-svc header addition
 	http-request set-var(req.xcc) src,map_ip(/etc/haproxy/map/geoip.map)
 	http-request set-var(req.asn) src,map_ip(/etc/haproxy/map/iptoasn.map)
@@ -169,7 +175,7 @@ backend haproxy-to-varnish-cache
 
 backend servers
 	balance roundrobin
-	default-server ssl verify required ca-file ca-certificates.crt sni req.hdr(Host) check observe layer4 inter 30
+	default-server ssl verify required ca-file ca-certificates.crt sni req.hdr(Host) check observe layer4 inter 30s
 	use-server %[lua.get_server_names] if TRUE
 
 backend bot_check_post_throttle

haproxy/map/bfp.map

@@ -0,0 +1 @@
+#

haproxy/map/ddos.map

@@ -0,0 +1 @@
+localhost {"m":0,"t":false}

haproxy/map/ddos_config.map

@@ -1 +1 @@
-localhost {"pd":27,"pt":"sha256","cex":999,"cip":false,"js":true}
+localhost {"pd":21,"pt":"sha256","cex":999,"cip":true,"js":true}

haproxy/map/lfp.map

@@ -0,0 +1 @@
+#