mirror of
https://gitgud.io/fatchan/haproxy-protection.git
synced 2025-05-09 02:05:37 +00:00
Add asn blocking
This commit is contained in:
@@ -57,9 +57,11 @@ frontend http-in
|
||||
|
||||
# optional geoip handling (maps required) and alt-svc header addition
|
||||
# http-request set-var(req.xcc) src,map_ip(/etc/haproxy/map/geoip.map)
|
||||
http-request set-var(req.asn) src,map_ip(/etc/haproxy/map/iptoasn.map)
|
||||
# http-request set-var(txn.xcn) var(req.xcc),map(/etc/haproxy/map/cctocn.map)
|
||||
# http-request set-header X-Country-Code %[var(req.xcc)]
|
||||
# http-request set-header X-Continent-Code %[var(txn.xcn)]
|
||||
http-request set-header X-ASN %[var(req.asn)]
|
||||
|
||||
# drop requests with invalid host header
|
||||
acl is_existing_vhost hdr(host),lower,map_str(/etc/haproxy/map/hosts.map) -m found
|
||||
@@ -68,11 +70,14 @@ frontend http-in
|
||||
# debug information at /.basedflare/cgi/trace
|
||||
http-request return status 200 content-type "text/plain; charset=utf-8" lf-file /etc/haproxy/template/trace.txt if { path /.basedflare/cgi/trace }
|
||||
|
||||
# acl for blocked IPs/subnets
|
||||
acl found_in_blocked_map src,map_ip(/etc/haproxy/map/blocked.map) -m found
|
||||
acl blocked_ip_or_subnet var(txn.blocked_ip_or_subnet) -m bool
|
||||
http-request lua.set-ip-var "blocked" "txn.blocked_ip_or_subnet" if found_in_blocked_map
|
||||
http-request deny deny_status 403 if blocked_ip_or_subnet
|
||||
# acl for blocked IPs/subnets/ASN
|
||||
http-request lua.set-lang-json
|
||||
acl found_in_blockedip_map src,map_ip(/etc/haproxy/map/blockedip.map) -m found
|
||||
acl found_in_blockedasn_map var(req.asn),map(/etc/haproxy/map/blockedasn.map) -m found
|
||||
acl blocked_ip_or_subnet_or_asn var(txn.blocked_ip_or_subnet_or_asn) -m bool
|
||||
http-request lua.set-ip-var blockedip txn.blocked_ip_or_subnet_or_asn ip if found_in_blockedip_map
|
||||
http-request lua.set-ip-var blockedasn txn.blocked_ip_or_subnet_or_asn asn if found_in_blockedasn_map
|
||||
http-request deny deny_status 403 if blocked_ip_or_subnet_or_asn
|
||||
|
||||
# ratelimit (and for tor, kill circuit) on POST bot-check. legitimate users shouldn't hit this.
|
||||
http-request track-sc0 src table bot_check_post_throttle if { path /.basedflare/bot-check } { method POST }
|
||||
@@ -82,7 +87,7 @@ frontend http-in
|
||||
# acl for lua check whitelisted IPs/subnets and some excluded paths
|
||||
acl found_in_whitelist_map src,map_ip(/etc/haproxy/map/whitelist.map) -m found
|
||||
acl is_excluded var(txn.whitelist_ip_or_subnet) -m bool
|
||||
http-request lua.set-ip-var "whitelist" "txn.whitelist_ip_or_subnet" if found_in_whitelist_map
|
||||
http-request lua.set-ip-var whitelist txn.whitelist_ip_or_subnet ip if found_in_whitelist_map
|
||||
acl is_excluded src -f /etc/haproxy/map/crawler-whitelist.map
|
||||
acl is_excluded path /favicon.ico /.basedflare/pow-icon #add more
|
||||
|
||||
@@ -99,7 +104,7 @@ frontend http-in
|
||||
|
||||
# acl for domains in maintenance mode to return maintenance page (after challenge page htp-request return rules, for the footerlogo)
|
||||
acl maintenance_mode hdr(host),lower,map_str(/etc/haproxy/map/maintenance.map) -m found
|
||||
http-request lua.set-lang-json
|
||||
#http-request lua.set-lang-json
|
||||
http-request return lf-file /etc/haproxy/template/maintenance.html status 200 content-type "text/html; charset=utf-8" hdr "Cache-Control" "private, max-age=30" if maintenance_mode
|
||||
|
||||
# rewrite specific domain+path to domain or domain+path
|
||||
|
Reference in New Issue
Block a user