Testing new ACLs for query string

docker-compose.yml

@@ -48,6 +48,7 @@ services:
   nginx:
     ports:
       - 81:80
+      - 82:80
     image: "nginx:latest"
     volumes:
       - ./nginx:/usr/share/nginx/html

haproxy/haproxy.cfg

@@ -69,13 +69,14 @@ frontend http-in
 
 	# drop requests with invalid host header
 	acl is_existing_vhost hdr(host),lower,map_str(/etc/haproxy/map/hosts.map) -m found
+	acl has_query query -m found
+	acl on_bot_check path /.basedflare/bot-check
 	http-request silent-drop unless is_existing_vhost
 
 	# debug information at /.basedflare/cgi/trace
 	http-request return status 200 content-type "text/plain; charset=utf-8" lf-file /etc/haproxy/template/trace.txt if { path /.basedflare/cgi/trace }
 
-	http-request track-sc0 query table count_qs_throttle if { query -m found }
-	http-request redirect location http://%[hdr(host)]/%[table_cnt(count_qs_throttle)] code 302 if TRUE
+	http-request track-sc1 query table count_qs_throttle if has_query !on_bot_check
 
 	# acl for blocked IPs/subnets/ASN/country
 	http-request lua.set-lang-json
@@ -91,7 +92,7 @@ frontend http-in
 	http-request deny deny_status 403 if blocked_bool
 
 	# ratelimit (and for tor, kill circuit) on POST bot-check. legitimate users shouldn't hit this.
-	# http-request track-sc0 src table bot_check_post_throttle if { path /.basedflare/bot-check } { method POST }
+	http-request track-sc0 src table bot_check_post_throttle if on_bot_check { method POST }
 	# http-request lua.kill-tor-circuit if { sc_http_req_rate(0) gt 1 }
 	# http-request tarpit if { sc_http_req_rate(0) gt 1 }
 
@@ -106,6 +107,8 @@ frontend http-in
 	acl ddos_mode_enabled_override str("true"),map(/etc/haproxy/map/ddos_global.map) -m found
 	acl ddos_mode_enabled hdr(host),lower,map(/etc/haproxy/map/ddos.map) -m found
 	acl ddos_mode_enabled base,map(/etc/haproxy/map/ddos.map) -m found
+	acl large_unique_query_count table_cnt(count_qs_throttle) -m int gt 1000
+	acl ddos_mode_enabled_override acl(large_unique_query_count,has_query,!on_bot_check)
 
 	# serve challenge page scripts directly from haproxy
 	http-request return file /etc/haproxy/js/auto.min.js status 200 content-type "application/javascript; charset=utf-8" hdr "Cache-Control" "public, max-age=86400" if { path /.basedflare/js/auto.min.js }
@@ -113,11 +116,6 @@ frontend http-in
 	http-request return file /etc/haproxy/js/challenge.js status 200 content-type "application/javascript; charset=utf-8" hdr "Cache-Control" "public, max-age=86400" if { path /.basedflare/js/challenge.min.js }
 	http-request return file /etc/haproxy/js/worker.min.js status 200 content-type "application/javascript; charset=utf-8" hdr "Cache-Control" "public, max-age=86400" if { path /.basedflare/js/worker.min.js }
 
-	# acl for domains in maintenance mode to return maintenance page (after challenge page htp-request return rules, for the footerlogo)
-	acl maintenance_mode hdr(host),lower,map_str(/etc/haproxy/map/maintenance.map) -m found
-	#http-request lua.set-lang-json
-	http-request return lf-file /etc/haproxy/template/maintenance.html status 200 content-type "text/html; charset=utf-8" hdr "Cache-Control" "private, max-age=30" if maintenance_mode
-
 	# rewrite specific domain+path to domain or domain+path
 	http-request redirect location https://%[base,map(/etc/haproxy/map/rewrite.map)] code 302 if { base,map(/etc/haproxy/map/rewrite.map) -i -m found }
 
@@ -131,7 +129,6 @@ frontend http-in
 	acl validate_pow var(txn.validate_pow) -m bool
 
 	# check pow/captcha and show page if necessary
-	acl on_bot_check path /.basedflare/bot-check
 	http-request use-service lua.bot-check if on_bot_check !is_excluded
 
 	# challenge decisions, checking, and redirecting to /bot-check
@@ -140,6 +137,11 @@ frontend http-in
 	http-request lua.pow-check					if !is_excluded !on_bot_check validate_pow OR !is_excluded !on_bot_check ddos_mode_enabled_override
 	http-request redirect location /.basedflare/bot-check?%[capture.req.uri] code 302 if validate_captcha !captcha_passed !on_bot_check ddos_mode_enabled !is_excluded OR validate_pow !pow_passed !on_bot_check ddos_mode_enabled !is_excluded OR !pow_passed ddos_mode_enabled_override !on_bot_check !is_excluded
 
+	# acl for domains in maintenance mode to return maintenance page (after challenge page htp-request return rules, for the footerlogo)
+	acl maintenance_mode hdr(host),lower,map_str(/etc/haproxy/map/maintenance.map) -m found
+	#http-request lua.set-lang-json
+	#http-request return lf-file /etc/haproxy/template/maintenance.html status 200 content-type "text/html; charset=utf-8" hdr "Cache-Control" "private, max-age=30" if maintenance_mode
+
 	# X-Cache-Status header (may be sent in some non-cache responses because NOSRV can happen for other reasons, but should always be present in responses served by cache-use)
 	http-response set-header X-Cache-Status HIT if !{ srv_id -m found }
 	http-response set-header X-Cache-Status MISS if { srv_id -m found }

haproxy/map/hosts.map

@@ -1 +1,2 @@
 localhost.com 127.0.0.1:81
+localhost 127.0.0.1:82