From 93c01c05c5515ea84bd7119086680525ecaf6f96 Mon Sep 17 00:00:00 2001
From: Thomas Lynch
Date: Wed, 19 Apr 2023 21:03:46 +1000
Subject: [PATCH] Update redirect to new redirect and rewrite Add example geoip config Add example alt-svc config Update README
---
 README.md | 4 +++-
 haproxy/haproxy.cfg | 32 ++++++++++++++++++++++----------
 haproxy/map/alt-svc.map | 2 ++
 haproxy/map/cctocn.map | 1 +
 haproxy/map/geoip.map | 1 +
 haproxy/map/redirect.map | 0
 6 files changed, 29 insertions(+), 11 deletions(-)
 create mode 100644 haproxy/map/alt-svc.map
 create mode 100644 haproxy/map/cctocn.map
 create mode 100644 haproxy/map/geoip.map
 create mode 100644 haproxy/map/redirect.map
diff --git a/README.md b/README.md
index 26944ec..db13342 100644
--- a/README.md
+++ b/README.md
@@ -20,8 +20,10 @@ Originally inspired by a proof of concept from https://github.com/mora9715/hapro
 - Improved the appearance of the challenge page.
 - Add several useful maps & acls to the haproxy config:
 - Whitelist or blacklist IPs/subnets.
- - Simple redirect/rewrite map for domains.
+ - Rerwite/redirect specific paths or whole domains.
 - Maintenance mode page for selected domains.
+- Geoip mapping support for alt-svc headers.
+- Support simple load balancing to multiple backends per domain dynamically.
 - Fix multiple security issues.
 - Many bugfixes.
diff --git a/haproxy/haproxy.cfg b/haproxy/haproxy.cfg
index 4b92d59..aeca97b 100644
--- a/haproxy/haproxy.cfg
+++ b/haproxy/haproxy.cfg
@@ -44,6 +44,12 @@ frontend http-in
 #bind 127.0.0.1:80 accept-proxy
 #option forwardfor
+ # optional geoip handling (maps required) and alt-svc header addition
+ # http-request set-var(req.xcc) src,map_ip(/etc/haproxy/map/geoip.map)
+ # http-request set-var(txn.xcn) var(req.xcc),map(/etc/haproxy/map/cctocn.map)
+ # http-request set-header X-Country-Code %[var(req.xcc)]
+ # http-request set-header X-Continent-Code %[var(txn.xcn)]
+
 # drop requests with invalid host header
 acl is_existing_vhost hdr(host),lower,map_str(/etc/haproxy/map/hosts.map) -m found
 http-request silent-drop unless is_existing_vhost
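Review bot: The example `set-var(req.xcc) src,map_ip(...)` keys the country lookup on `src`, which is the address of the immediate peer; with the `accept-proxy` bind still commented out just above, a deployment behind another proxy or CDN would geo-classify that upstream hop rather than the client. Worth stating in the comment block, e.g. `# src is the direct peer: behind another proxy, use the accept-proxy bind (PROXY protocol) or the lookup classifies that proxy`. Leaving the rules commented is fine for an example, but the Alt-Svc rule added further down in this frontend consumes txn.xcn unconditionally, so enabling one without the other is easy to get wrong. The frontend http-in block continues outside the hunk.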
@@ -70,17 +76,20 @@ frontend http-in
 acl ddos_mode_enabled base,map(/etc/haproxy/map/ddos.map) -m bool
 # serve challenge page scripts directly from haproxy
- http-request return file /etc/haproxy/js/auto.min.js status 200 content-type "application/javascript; charset=utf-8" hdr "cache-control" "public, max-age=3600" if { path /.basedflare/js/auto.min.js }
- http-request return file /etc/haproxy/js/argon2.min.js status 200 content-type "application/javascript; charset=utf-8" hdr "cache-control" "public, max-age=3600" if { path /.basedflare/js/argon2.min.js }
- http-request return file /etc/haproxy/js/challenge.min.js status 200 content-type "application/javascript; charset=utf-8" hdr "cache-control" "public, max-age=3600" if { path /.basedflare/js/challenge.min.js }
- http-request return file /etc/haproxy/js/worker.min.js status 200 content-type "application/javascript; charset=utf-8" hdr "cache-control" "public, max-age=3600" if { path /.basedflare/js/worker.min.js }
+ http-request return file /etc/haproxy/js/auto.min.js status 200 content-type "application/javascript; charset=utf-8" hdr "cache-control" "public, max-age=86400" if { path /.basedflare/js/auto.min.js }
+ http-request return file /etc/haproxy/js/argon2.min.js status 200 content-type "application/javascript; charset=utf-8" hdr "cache-control" "public, max-age=86400" if { path /.basedflare/js/argon2.min.js }
+ http-request return file /etc/haproxy/js/challenge.min.js status 200 content-type "application/javascript; charset=utf-8" hdr "cache-control" "public, max-age=86400" if { path /.basedflare/js/challenge.min.js }
+ http-request return file /etc/haproxy/js/worker.min.js status 200 content-type "application/javascript; charset=utf-8" hdr "cache-control" "public, max-age=86400" if { path /.basedflare/js/worker.min.js }
 # acl for domains in maintenance mode to return maintenance page (after challenge page htp-request return rules, for the footerlogo)
 acl maintenance_mode
hdr(host),lower,map_str(/etc/haproxy/map/maintenance.map) -m found
 http-request return lf-file /etc/haproxy/template/maintenance.html status 200 content-type "text/html; charset=utf-8" hdr "cache-control" "private, max-age=30" if maintenance_mode
- # map if you want a domain to be a redirect from the edge (302 for now)
- http-request redirect location https://%[hdr(host),map(/etc/haproxy/map/rewrite.map)]%[capture.req.uri] code 302 if { hdr(host),map(/etc/haproxy/map/rewrite.map) -i -m found }
+ # rewrite specific domain+path to domain or domain+path
+ http-request redirect location https://%[base,map(/etc/haproxy/map/rewrite.map)] code 302 if { base,map(/etc/haproxy/map/rewrite.map) -i -m found }
+
+ # redirect domain to domain or domain+path
+ http-request redirect location https://%[hdr(host),map(/etc/haproxy/map/redirect.map)] code 302 if { hdr(host),map(/etc/haproxy/map/redirect.map) -i -m found }
 # create acl for bools updated by lua
 acl captcha_passed var(txn.captcha_passed) -m bool
@@ -108,6 +117,9 @@ frontend http-in
 http-request cache-use basic_cache if can_cache
 http-response cache-store basic_cache if can_cache
+ # optional alt-svc header (done after cache so not set in cached responses
+ http-response set-header Alt-Svc %[var(txn.xcn),map(/etc/haproxy/map/alt-svc.map)]
+
 default_backend servers
 cache basic_cache
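Review bot: Both new redirect rules look up `hdr(host)` / `base` without the `,lower` normalisation that the `is_existing_vhost` and `maintenance_mode` acls apply, so a request carrying a mixed-case Host header (`Example.com`) misses the map and is not redirected; the `-i` flag is a no-op with `-m found` and does not make the map key case-insensitive. For the domain rule: `http-request redirect location https://%[hdr(host),lower,map(/etc/haproxy/map/redirect.map)] code 302 if { hdr(host),lower,map(/etc/haproxy/map/redirect.map) -m found }`. For the `base` rule the host part cannot be lowercased without also lowercasing the path, so at minimum the comment should say that rewrite.map keys are matched case-sensitively. Unlike the removed rule, which appended `%[capture.req.uri]`, neither new Location preserves the request's query string; if that is intended it deserves a comment on the rewrite rule. This hunk starts on the previous line and the frontend block continues beyond it.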
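Review bot: `http-response set-header Alt-Svc %[var(txn.xcn),map(...)]` runs unconditionally, but txn.xcn is only populated when the geoip rules earlier in this frontend (commented out in this commit) are enabled and the continent has an entry in alt-svc.map; otherwise the converter yields an empty string and the response presumably goes out with an empty `Alt-Svc:` header. Guard it on the lookup: `http-response set-header Alt-Svc %[var(txn.xcn),map(/etc/haproxy/map/alt-svc.map)] if { var(txn.xcn),map(/etc/haproxy/map/alt-svc.map) -m found }`. The comment also has an unclosed parenthesis; `# optional alt-svc header (set after cache-store so it is not stored in cached responses)`, and whether rule order relative to cache-store really keeps the header out of the stored object is worth verifying rather than assuming. The frontend block continues outside the hunk.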
@@ -117,11 +129,11 @@ cache basic_cache
 backend servers
 balance leastconn
- # optional (recommended) ssl, requires CA cert installed on proxy and signeed cert on backends, you can also use "ssl verify none" but ssl can then be trivially mitm'd
- # default-server ssl verify required ca-file ca-certificates.crt sni req.hdr(Host)
- # use server based on hostname
+
+ # old method, only supports single backend per host/domain
 #use-server %[req.hdr(host),lower,map(/etc/haproxy/map/backends.map)] if TRUE
- # use multiple servers with lua
+
+ # new method, load balance to multiple servers with lua
 use-server %[lua.get_server_names] if TRUE
 backend bot_check_post_throttle
diff --git a/haproxy/map/alt-svc.map b/haproxy/map/alt-svc.map
new file mode 100644
index 0000000..24f17ef
--- /dev/null
+++ b/haproxy/map/alt-svc.map
@@ -0,0 +1,2 @@
+EU h2="eur-hostname.com:443";
+NA h2="usa-hostname.com:443";
diff --git a/haproxy/map/cctocn.map b/haproxy/map/cctocn.map
new file mode 100644
index 0000000..2a40f1e
--- /dev/null
+++ b/haproxy/map/cctocn.map
@@ -0,0 +1 @@
+XX ZZ
diff --git a/haproxy/map/geoip.map b/haproxy/map/geoip.map
new file mode 100644
index 0000000..fcf291f
--- /dev/null
+++ b/haproxy/map/geoip.map
@@ -0,0 +1 @@
+1.2.3.4/24 XX
diff --git a/haproxy/map/redirect.map b/haproxy/map/redirect.map
new file mode 100644
index 0000000..e69de29
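Review bot: The backend block loses its only guidance on TLS to the backends: the removed comment pointed at `default-server ssl verify required ca-file ca-certificates.crt sni req.hdr(Host)` and warned that `ssl verify none` can be trivially mitm'd, and nothing in the new old-method/new-method comments replaces it. Unless that text moved elsewhere (not visible in this diff), keep a one-line reminder next to the new `use-server` method, e.g. `# optional (recommended): default-server ssl verify required ca-file <ca-bundle> sni req.hdr(Host)`, since server lines selected by lua.get_server_names would still take their defaults from default-server. The backend servers block is complete within the hunk.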
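Review bot: The three example maps do not chain: geoip.map yields `XX`, cctocn.map turns `XX` into `ZZ`, but alt-svc.map only has keys `EU` and `NA`, so someone who enables the commented geoip rules with these samples never sees an Alt-Svc value. Either key the cctocn.map example on a continent that exists here (`XX EU`) or add a `ZZ` line to alt-svc.map so the example works end to end; this applies to cctocn.map as well. Two caveats worth a comment in alt-svc.map: the values omit `ma=`, so clients apply the RFC 7838 default lifetime of 24 hours, and an alternative on a different hostname is only used by clients when that host presents a certificate valid for the origin, so `eur-hostname.com` must be able to serve the original site's names.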
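Review bot: `1.2.3.4/24` has host bits set inside the /24; map_ip will likely still match on the masked network, but the canonical `1.2.3.0/24` avoids suggesting a specific host is meant. Since 1.2.3.0/24 is a real routed range, a documentation prefix such as `198.51.100.0/24 XX` (RFC 5737 TEST-NET-2) would make it clearer that this line is a placeholder to be replaced by a real geoip export, matching the `XX`/`ZZ` placeholders in cctocn.map.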