Make blocked and whitelist maps multi tenant

haproxy/dataplaneapi.hcl

@@ -1,39 +0,0 @@
-config_version = 2
-
-name = "basedflare"
-
-mode = "single"
-
-dataplaneapi {
-  host       = "127.0.0.1"
-  port       = 2001
-  advertised = {}
-
-  scheme = ["http"]
-
-  transaction {
-    transaction_dir = "/tmp/haproxy"
-  }
-
-  resources {
-    maps_dir      = "/etc/haproxy/map"
-    ssl_certs_dir = "/etc/haproxy/ssl"
-  }
-
-  user "admin" {
-    insecure = true
-    password = "admin"
-  }
-}
-
-haproxy {
-  config_file = "/etc/haproxy/haproxy.cfg"
-  haproxy_bin = "/usr/local/sbin/haproxy"
-
-  reload {
-    reload_delay    = 5
-    reload_cmd      = "service haproxy reload"
-    restart_cmd     = "service haproxy restart"
-    reload_strategy = "custom"
-  }
-}

haproxy/dataplaneapi.yml

@@ -1,8 +1,7 @@
 ---
 config_version: 2
 dataplaneapi:
-  tls:
-    host: 127.0.0.1
+  host: 0.0.0.0
   port: 2001
   resources:
     update_map_files: true
@@ -16,6 +15,7 @@ dataplaneapi:
     - admin:
       name: admin
       insecure: true
+      password: admin
 haproxy:
   config_file: /etc/haproxy/haproxy.cfg
   haproxy_bin: /usr/local/sbin/haproxy

haproxy/haproxy.cfg

@@ -69,7 +69,9 @@ frontend http-in
 	http-request return status 200 content-type "text/plain; charset=utf-8" lf-file /etc/haproxy/template/trace.txt if { path /.basedflare/cgi/trace }
 
 	# acl for blocked IPs/subnets
-	acl blocked_ip_or_subnet src,map_ip(/etc/haproxy/map/blocked.map) -m found
+	acl found_in_blocked_map src,map_ip(/etc/haproxy/map/blocked.map) -m found
+	acl blocked_ip_or_subnet var(txn.blocked_ip_or_subnet) -m bool
+	http-request lua.set-ip-var "blocked" "txn.blocked_ip_or_subnet" if found_in_blocked_map
 	http-request deny deny_status 403 if blocked_ip_or_subnet
 
 	# ratelimit (and for tor, kill circuit) on POST bot-check. legitimate users shouldn't hit this.
@@ -78,7 +80,9 @@ frontend http-in
 	# http-request tarpit if { sc_http_req_rate(0) gt 1 }
 
 	# acl for lua check whitelisted IPs/subnets and some excluded paths
-	acl is_excluded src,map_ip(/etc/haproxy/map/whitelist.map) -m found
+	acl found_in_whitelist_map src,map_ip(/etc/haproxy/map/whitelist.map) -m found
+	acl is_excluded var(txn.whitelist_ip_or_subnet) -m bool
+	http-request lua.set-ip-var "whitelist" "txn.whitelist_ip_or_subnet" if found_in_whitelist_map
 	acl is_excluded src -f /etc/haproxy/map/crawler-whitelist.map
 	acl is_excluded path /favicon.ico /.basedflare/pow-icon #add more
 

haproxy/map/ddos.map

@@ -1,12 +0,0 @@
-127.0.0.1/0 {"m":0,"t":true}
-127.0.0.1/0f {"m":0,"t":false}
-127.0.0.1/0n {"m":0}
-127.0.0.1/1 {"m":1,"t":true}
-127.0.0.1/1f {"m":1,"t":false}
-127.0.0.1/1n {"m":1}
-127.0.0.1/2 {"m":2,"t":true}
-127.0.0.1/2f {"m":2,"t":false}
-127.0.0.1/2n {"m":2}
-127.0.0.1/captcha {"m":2}
-localhost {"m":1}
-localhost/captcha {"m":2}

haproxy/map/ddos_config.map

@@ -1,2 +0,0 @@
-127.0.0.1 {"pd":16,"pt":"sha256","cip":false,"cex":43200}
-localhost {"pd":16,"pt":"sha256","cip":false,"cex":43200}

haproxy/map/domtoacc.map

@@ -0,0 +1 @@
+localhost-test.com admin

haproxy/map/hosts.map

@@ -1,23 +1 @@
-127.0.0.1 127.0.0.1:82
-127.0.0.1 127.0.0.1:83
-127.0.0.1 127.0.0.1:84
-127.0.0.1 127.0.0.1:85
-127.0.0.1 127.0.0.1:86
-127.0.0.1 127.0.0.1:87
-127.0.0.1 127.0.0.1:88
-127.0.0.1 127.0.0.1:89
-127.0.0.1 127.0.0.1:821
-127.0.0.1 127.0.0.1:82
-127.0.0.1 127.0.0.1:83
-127.0.0.1 127.0.0.1:84
-127.0.0.1 127.0.0.1:85
-127.0.0.1 127.0.0.1:86
-127.0.0.1 127.0.0.1:87
-127.0.0.1 127.0.0.1:88
-127.0.0.1 127.0.0.1:89
-127.0.0.1 127.0.0.1:8212
-127.0.0.1 127.0.0.1:823
-127.0.0.1 127.0.0.1:834
-127.0.0.1 127.0.0.1:856
-localhost 127.0.0.1:81
 localhost-test 127.0.0.1:3000

src/lua/scripts/bot-check.lua

@@ -410,6 +410,38 @@ function _M.set_lang_json(txn)
 	txn:set_var("txn.lang_json", ls)
 end
 
+-- set a variable if ip or subnet in blocked/whitelist map and list of usernames matches the one for the current domain
+local blocked_map = Map.new("/etc/haproxy/map/blocked.map", Map._ip);
+local whitelist_map = Map.new("/etc/haproxy/map/whitelist.map", Map._ip);
+local accounts_map = Map.new("/etc/haproxy/map/domtoacc.map", Map._str);
+local maps_map = {
+	["blocked"] = blocked_map,
+	["whitelist"] = whitelist_map,
+}
+function _M.set_ip_var(txn, map_name, set_variable)
+	-- get the host header and user ip
+	local host = txn.sf:hdr("Host")
+	local ip = txn.sf:src()
+	if ip == nil or host == nil then
+		return
+	end
+	-- get the name of current domain user, and the list
+	-- of names that have blocked this ip (in case multiple)
+	local names_list = maps_map[map_name]:lookup(ip)
+	local current_name = accounts_map:lookup(string.lower(host))
+	if names_list == nil or current_name == nil then
+		return
+	end
+	-- loop through them and set the blocked var if found
+	local split_names = utils.split(names_list, ":")
+	for _, name in ipairs(split_names) do
+		if name == current_name then
+			txn:set_var(set_variable, true)
+			return
+		end
+	end
+end
+
 -- check if captcha is enabled, path+domain priority, then just domain, and 0 otherwise
 function _M.decide_checks_necessary(txn)
 	local host = txn.sf:hdr("Host")

src/lua/scripts/register-bot-check.lua

@@ -14,10 +14,10 @@ function get_server_names(txn)
 end
 
 core.register_fetches("get_server_names", get_server_names)
-
 core.register_service("bot-check", "http", bot_check.view)
 core.register_action("captcha-check", { 'http-req', }, bot_check.check_captcha_status)
 core.register_action("pow-check", { 'http-req', }, bot_check.check_pow_status)
 core.register_action("decide-checks-necessary", { 'http-req', }, bot_check.decide_checks_necessary)
 core.register_action("kill-tor-circuit", { 'http-req', }, bot_check.kill_tor_circuit)
 core.register_action("set-lang-json", { 'http-req', }, bot_check.set_lang_json)
+core.register_action("set-ip-var", { 'http-req', }, bot_check.set_ip_var, 2)