Add asn blocking

This commit is contained in:
Thomas Lynch
2023-09-09 21:39:45 +10:00
parent 93cac69798
commit e36add4ee7
9 changed files with 34 additions and 16 deletions

View File

@@ -57,9 +57,11 @@ frontend http-in
# optional geoip handling (maps required) and alt-svc header addition
# http-request set-var(req.xcc) src,map_ip(/etc/haproxy/map/geoip.map)
http-request set-var(req.asn) src,map_ip(/etc/haproxy/map/iptoasn.map)
# http-request set-var(txn.xcn) var(req.xcc),map(/etc/haproxy/map/cctocn.map)
# http-request set-header X-Country-Code %[var(req.xcc)]
# http-request set-header X-Continent-Code %[var(txn.xcn)]
http-request set-header X-ASN %[var(req.asn)]
# drop requests with invalid host header
acl is_existing_vhost hdr(host),lower,map_str(/etc/haproxy/map/hosts.map) -m found
@@ -68,11 +70,14 @@ frontend http-in
# debug information at /.basedflare/cgi/trace
http-request return status 200 content-type "text/plain; charset=utf-8" lf-file /etc/haproxy/template/trace.txt if { path /.basedflare/cgi/trace }
# acl for blocked IPs/subnets
acl found_in_blocked_map src,map_ip(/etc/haproxy/map/blocked.map) -m found
acl blocked_ip_or_subnet var(txn.blocked_ip_or_subnet) -m bool
http-request lua.set-ip-var "blocked" "txn.blocked_ip_or_subnet" if found_in_blocked_map
http-request deny deny_status 403 if blocked_ip_or_subnet
# acl for blocked IPs/subnets/ASN
http-request lua.set-lang-json
acl found_in_blockedip_map src,map_ip(/etc/haproxy/map/blockedip.map) -m found
acl found_in_blockedasn_map var(req.asn),map(/etc/haproxy/map/blockedasn.map) -m found
acl blocked_ip_or_subnet_or_asn var(txn.blocked_ip_or_subnet_or_asn) -m bool
http-request lua.set-ip-var blockedip txn.blocked_ip_or_subnet_or_asn ip if found_in_blockedip_map
http-request lua.set-ip-var blockedasn txn.blocked_ip_or_subnet_or_asn asn if found_in_blockedasn_map
http-request deny deny_status 403 if blocked_ip_or_subnet_or_asn
# ratelimit (and for tor, kill circuit) on POST bot-check. legitimate users shouldn't hit this.
http-request track-sc0 src table bot_check_post_throttle if { path /.basedflare/bot-check } { method POST }
@@ -82,7 +87,7 @@ frontend http-in
# acl for lua check whitelisted IPs/subnets and some excluded paths
acl found_in_whitelist_map src,map_ip(/etc/haproxy/map/whitelist.map) -m found
acl is_excluded var(txn.whitelist_ip_or_subnet) -m bool
http-request lua.set-ip-var "whitelist" "txn.whitelist_ip_or_subnet" if found_in_whitelist_map
http-request lua.set-ip-var whitelist txn.whitelist_ip_or_subnet ip if found_in_whitelist_map
acl is_excluded src -f /etc/haproxy/map/crawler-whitelist.map
acl is_excluded path /favicon.ico /.basedflare/pow-icon #add more
@@ -99,7 +104,7 @@ frontend http-in
# acl for domains in maintenance mode to return maintenance page (after challenge page htp-request return rules, for the footerlogo)
acl maintenance_mode hdr(host),lower,map_str(/etc/haproxy/map/maintenance.map) -m found
http-request lua.set-lang-json
#http-request lua.set-lang-json
http-request return lf-file /etc/haproxy/template/maintenance.html status 200 content-type "text/html; charset=utf-8" hdr "Cache-Control" "private, max-age=30" if maintenance_mode
# rewrite specific domain+path to domain or domain+path