From 76e9cad8a88a695ae5aab5880baf21a6e8336f2a Mon Sep 17 00:00:00 2001
From: Thomas Lynch
Date: Mon, 25 Apr 2022 01:07:57 +1000
Subject: [PATCH] add map for whitelisting ip/subnets. also cleanup the config a bit.

---
 haproxy/haproxy.cfg | 27 ++++++++++++++++-----------
 haproxy/whitelist.map | 0
 2 files changed, 16 insertions(+), 11 deletions(-)
 create mode 100644 haproxy/whitelist.map

diff --git a/haproxy/haproxy.cfg b/haproxy/haproxy.cfg
index 2daef8e..bac0583 100644
--- a/haproxy/haproxy.cfg
+++ b/haproxy/haproxy.cfg
@@ -19,43 +19,48 @@ program api frontend http-in bind *:80 + # drop requests with invalid host header acl is_existing_vhost hdr(host),lower,map_str(/etc/haproxy/hosts.map) -m found http-request silent-drop unless is_existing_vhost - #debug only, /cdn-cgi/trace + # debug only, /cdn-cgi/trace #http-request return status 200 content-type "text/plain; charset=utf-8" lf-file /etc/haproxy/trace.txt if { path /cdn-cgi/trace } # acl for blocked IPs/subnets acl blocked_ip_or_subnet src,map_ip(/etc/haproxy/blocked.map) -m found http-request deny deny_status 403 if blocked_ip_or_subnet + # acl for lua check whitelisted IPs/subnets and some excluded paths + acl is_excluded src,map_ip(/etc/haproxy/whitelist.map) -m found + acl is_excluded path /favicon.ico #add more + # acl ORs for when ddos_mode_enabled - acl ddos_mode_enabled_override hdr_cnt(xr3la1rfFc) eq 0 # note: global only enables POW not captcha atm until + acl ddos_mode_enabled_override hdr_cnt(xr3la1rfFc) eq 0 acl ddos_mode_enabled hdr(host),lower,map(/etc/haproxy/ddos.map) -m bool acl ddos_mode_enabled base,map(/etc/haproxy/ddos.map) -m bool + # serve challenge page scripts directly from haproxy + acl is_sha1_js path /js/sha1.js + acl is_worker_js path /js/worker.js + http-request return file /var/www/js/sha1.js status 200 content-type "application/javascript; charset=utf-8" hdr "cache-control" "public, max-age=300" if is_sha1_js + http-request return file /var/www/js/worker.js status 200 content-type "application/javascript; charset=utf-8" hdr "cache-control" "public, max-age=300" if is_worker_js + # create acl for bools updated by lua acl captcha_passed var(txn.captcha_passed) -m bool acl pow_passed var(txn.pow_passed) -m bool acl validate_captcha var(txn.validate_captcha) -m bool acl validate_pow var(txn.validate_pow) -m bool - # define excluded paths, and serve script files directly in haproxy - acl is_excluded path /favicon.ico - acl is_sha1_js path /js/sha1.js - acl is_worker_js path /js/worker.js - 
http-request return file /var/www/js/sha1.js status 200 content-type "application/javascript; charset=utf-8" hdr "cache-control" "public, max-age=300" if is_sha1_js - http-request return file /var/www/js/worker.js status 200 content-type "application/javascript; charset=utf-8" hdr "cache-control" "public, max-age=300" if is_worker_js - # check pow/captcha and show page if necessary acl on_captcha_url path /bot-check http-request use-service lua.hcaptcha-view if on_captcha_url !is_excluded - http-request lua.decide-checks-necessary if !is_excluded !on_captcha_url ddos_mode_enabled #OR !is_excluded !on_captcha_url ddos_mode_enabled_override + http-request lua.decide-checks-necessary if !is_excluded !on_captcha_url ddos_mode_enabled + # global override enabled pow-check only, uncomment the OR to also do hcaptcha-check http-request lua.hcaptcha-check if !is_excluded !on_captcha_url validate_captcha #OR !is_excluded !on_captcha_url ddos_mode_enabled_override http-request lua.pow-check if !is_excluded !on_captcha_url validate_pow OR !is_excluded !on_captcha_url ddos_mode_enabled_override http-request redirect location /bot-check?%[capture.req.uri] code 302 if validate_captcha !captcha_passed !on_captcha_url ddos_mode_enabled !is_excluded OR validate_pow !pow_passed !on_captcha_url ddos_mode_enabled !is_excluded OR !pow_passed ddos_mode_enabled_override !on_captcha_url !is_excluded - ##### X-Cache-Status header (may be sent in some non-cache responses because NOSRV can happen for other reasons, but should always be present in responses served by cache-use) + # X-Cache-Status header (may be sent in some non-cache responses because NOSRV can happen for other reasons, but should always be present in responses served by cache-use) http-response set-header X-Cache-Status HIT if !{ srv_id -m found } http-response set-header X-Cache-Status MISS if { srv_id -m found } diff --git a/haproxy/whitelist.map b/haproxy/whitelist.map new file mode 100644 index 0000000..e69de29
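Review bot: The new `acl is_excluded src,map_ip(/etc/haproxy/whitelist.map) -m found` exempts the connecting address from every challenge step that follows (lua.decide-checks-necessary, lua.hcaptcha-check, lua.pow-check and the /bot-check redirect), and the added comment does not record that scope or how it relates to the `blocked.map` deny a few lines above it. Because the `http-request deny deny_status 403 if blocked_ip_or_subnet` rule is evaluated first, a blocked entry still wins over a whitelist entry, which is the safer precedence and worth stating next to the ACL. `src` is the TCP peer address, so if haproxy sits behind another proxy or CDN (the commented /cdn-cgi/trace handler suggests one may be in front, but that is not visible here) a whitelisted upstream range would exempt every client it forwards; the existing blocked_ip_or_subnet ACL keys on `src` the same way, so this is consistent but should be documented. I would replace the added comment with `# whitelist.map: IP/subnet entries matched against the connecting address (src); skips only the lua checks below, never the blocked.map deny above`. The enclosing frontend http-in continues outside the hunk.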