improved, now handles domain OR path protection with 0, 1, 2 setting for none, pow, captcha

global override does POW only (for now --or can be easily changed for captcha+pow) until i make that customisable level too no more confusing inverted map use maps correctly as k:v cleaned up some stuff added comments
2025-05-09 02:05:37 +00:00 · 2021-12-04 21:42:27 +11:00
parent e6ed817746
commit 6f52ee8977
9 changed files with 70 additions and 87 deletions
--- a/haproxy/haproxy.cfg
+++ b/haproxy/haproxy.cfg
@@ -4,6 +4,7 @@ global
 	log stdout  format raw  local0  debug
 	lua-load /etc/haproxy/scripts/register.lua
 	stats socket /var/run/haproxy.sock mode 666 level admin
+	stats socket *:2000 level operator

 defaults
 	mode http
@@ -14,29 +15,34 @@ defaults
 frontend http-in
 	bind *:80

-	acl ddos_mode_enabled hdr_cnt(xr3la1rfFc) eq 0
-	acl ddos_mode_enabled hdr(host) -i -f /etc/haproxy/ddos.map
-	# you can repeat this acl (which ORs them) to add more conditions where ddos_mode_enabled
+	acl is_existing_vhost hdr(host),lower,map_str(/etc/haproxy/hosts.map) -m found
+	http-request silent-drop unless is_existing_vhost

-	# check captcha cookie
+	# acl ORs for when ddos_mode_enabled
+	acl ddos_mode_enabled_override hdr_cnt(xr3la1rfFc) eq 0 # note: global only enables POW not captcha atm until
+	acl ddos_mode_enabled hdr(host),lower,map(/etc/haproxy/ddos.map) -m bool
+	acl ddos_mode_enabled base,map(/etc/haproxy/ddos.map) -m bool
+
+	# create acl for bools updated by lua
 	acl captcha_passed var(txn.captcha_passed) -m bool
-	acl captcha_passed hdr(host),map_str(/etc/haproxy/no_captcha.map) -m found
-	# check proof of work cookie
 	acl pow_passed var(txn.pow_passed) -m bool
+	acl validate_captcha var(txn.validate_captcha) -m bool
+	acl validate_pow var(txn.validate_pow) -m bool

-	# exclude favicon, and serve script files directly in haproxy
-	acl on_captcha_url path -m beg /bot-check
-	acl is_favicon path /favicon.ico
+	# define excluded paths, and serve script files directly in haproxy
+	acl is_excluded path /favicon.ico
 	acl is_sha1_js path /js/sha1.js
 	acl is_worker_js path /js/worker.js
 	http-request return file /var/www/js/sha1.js status 200 content-type "application/javascript; charset=utf-8" hdr "cache-control" "public, max-age=300" if is_sha1_js
 	http-request return file /var/www/js/worker.js status 200 content-type "application/javascript; charset=utf-8" hdr "cache-control" "public, max-age=300" if is_worker_js

 	# check pow/captcha and show page if necessary
-	http-request use-service lua.hcaptcha-view	if on_captcha_url !is_favicon
-	http-request lua.hcaptcha-check          if !is_favicon !on_captcha_url ddos_mode_enabled
-	http-request lua.pow-check          if !is_favicon !on_captcha_url ddos_mode_enabled
-	http-request redirect location /bot-check?%[capture.req.uri] code 302 if !captcha_passed !on_captcha_url ddos_mode_enabled !is_favicon OR !pow_passed !on_captcha_url ddos_mode_enabled !is_favicon
+	acl on_captcha_url path /bot-check
+	http-request use-service lua.hcaptcha-view	if on_captcha_url !is_excluded
+	http-request lua.decide-checks-necessary if !is_excluded !on_captcha_url ddos_mode_enabled #OR !is_excluded !on_captcha_url ddos_mode_enabled_override
+	http-request lua.hcaptcha-check          if !is_excluded !on_captcha_url validate_captcha #OR !is_excluded !on_captcha_url ddos_mode_enabled_override
+	http-request lua.pow-check          if !is_excluded !on_captcha_url validate_pow OR !is_excluded !on_captcha_url ddos_mode_enabled_override
+	http-request redirect location /bot-check?%[capture.req.uri] code 302 if validate_captcha !captcha_passed !on_captcha_url ddos_mode_enabled !is_excluded OR validate_pow !pow_passed !on_captcha_url ddos_mode_enabled !is_excluded OR !pow_passed ddos_mode_enabled_override !on_captcha_url !is_excluded

 	default_backend servers