Add asn blocking

haproxy/haproxy.cfg

@@ -57,9 +57,11 @@ frontend http-in
 
 	# optional geoip handling (maps required) and alt-svc header addition
 	# http-request set-var(req.xcc) src,map_ip(/etc/haproxy/map/geoip.map)
+	http-request set-var(req.asn) src,map_ip(/etc/haproxy/map/iptoasn.map)
 	# http-request set-var(txn.xcn) var(req.xcc),map(/etc/haproxy/map/cctocn.map)
 	# http-request set-header X-Country-Code %[var(req.xcc)]
 	# http-request set-header X-Continent-Code %[var(txn.xcn)]
+	http-request set-header X-ASN %[var(req.asn)]
 
 	# drop requests with invalid host header
 	acl is_existing_vhost hdr(host),lower,map_str(/etc/haproxy/map/hosts.map) -m found
@@ -68,11 +70,14 @@ frontend http-in
 	# debug information at /.basedflare/cgi/trace
 	http-request return status 200 content-type "text/plain; charset=utf-8" lf-file /etc/haproxy/template/trace.txt if { path /.basedflare/cgi/trace }
 
-	# acl for blocked IPs/subnets
-	acl found_in_blocked_map src,map_ip(/etc/haproxy/map/blocked.map) -m found
-	acl blocked_ip_or_subnet var(txn.blocked_ip_or_subnet) -m bool
-	http-request lua.set-ip-var "blocked" "txn.blocked_ip_or_subnet" if found_in_blocked_map
-	http-request deny deny_status 403 if blocked_ip_or_subnet
+	# acl for blocked IPs/subnets/ASN
+	http-request lua.set-lang-json
+	acl found_in_blockedip_map src,map_ip(/etc/haproxy/map/blockedip.map) -m found
+	acl found_in_blockedasn_map var(req.asn),map(/etc/haproxy/map/blockedasn.map) -m found
+	acl blocked_ip_or_subnet_or_asn var(txn.blocked_ip_or_subnet_or_asn) -m bool
+	http-request lua.set-ip-var blockedip txn.blocked_ip_or_subnet_or_asn ip if found_in_blockedip_map
+	http-request lua.set-ip-var blockedasn txn.blocked_ip_or_subnet_or_asn asn if found_in_blockedasn_map
+	http-request deny deny_status 403 if blocked_ip_or_subnet_or_asn
 
 	# ratelimit (and for tor, kill circuit) on POST bot-check. legitimate users shouldn't hit this.
 	http-request track-sc0 src table bot_check_post_throttle if { path /.basedflare/bot-check } { method POST }
@@ -82,7 +87,7 @@ frontend http-in
 	# acl for lua check whitelisted IPs/subnets and some excluded paths
 	acl found_in_whitelist_map src,map_ip(/etc/haproxy/map/whitelist.map) -m found
 	acl is_excluded var(txn.whitelist_ip_or_subnet) -m bool
-	http-request lua.set-ip-var "whitelist" "txn.whitelist_ip_or_subnet" if found_in_whitelist_map
+	http-request lua.set-ip-var whitelist txn.whitelist_ip_or_subnet ip if found_in_whitelist_map
 	acl is_excluded src -f /etc/haproxy/map/crawler-whitelist.map
 	acl is_excluded path /favicon.ico /.basedflare/pow-icon #add more
 
@@ -99,7 +104,7 @@ frontend http-in
 
 	# acl for domains in maintenance mode to return maintenance page (after challenge page htp-request return rules, for the footerlogo)
 	acl maintenance_mode hdr(host),lower,map_str(/etc/haproxy/map/maintenance.map) -m found
-	http-request lua.set-lang-json
+	#http-request lua.set-lang-json
 	http-request return lf-file /etc/haproxy/template/maintenance.html status 200 content-type "text/html; charset=utf-8" hdr "Cache-Control" "private, max-age=30" if maintenance_mode
 
 	# rewrite specific domain+path to domain or domain+path