__pycache__/haproxy_manager.cpython-310.pyc

o
+<2B><>h<08><00>
@sJddlZddlZddlmZmZmZmZmZddlm	Z	ddl
Z
ddlZddlZddl
Z
ddlZddlZddlmZddlZddlZddlZee<14>ZdZe	d<06>ZdZdZd	Zd
ZdZdZej<1E>d
<0A>Z ej!ej"de<0F>#d<0F>e<0F>$<24>gd<10>e<0F>%e<14>Z&dd<12>Z'dxdd<15>Z(dd<17>Z)dd<19>Z*dd<1B>Z+dd<1D>Z,e<0B>-e<17>Z.ej/e.d<1E>Z0ej1dd gd!<21>e'd"d#<23><00><01>Z2ej1d$d gd!<21>d%d&<26><00>Z3ej1d'd gd!<21>e'd(d)<29><00><01>Z4ej1d*d gd!<21>e'd+d,<2C><00><01>Z5ej1d-d.gd!<21>e'd/d0<64><00><01>Z6e<15>1d1<64>d2d3<64><00>Z7e<15>1d4<64>d5d6<64><00>Z8ej1d7d.gd!<21>e'd8d9<64><00><01>Z9ej1d:d.gd!<21>e'd;d<<3C><00><01>Z:ej1d=d gd!<21>e'd>d?<3F><00><01>Z;ej1d@d gd!<21>e'dAdB<64><00><01>Z<ej1dCd gd!<21>e'dDdE<64><00><01>Z=ej1dFd gd!<21>e'dGdH<64><00><01>Z>ej1dId.gd!<21>e'dJdK<64><00><01>Z?ej1d-dLgd!<21>e'dMdN<64><00><01>Z@ej1dOd gd!<21>e'dPdQ<64><00><01>ZAej1dOd.gd!<21>e'dRdS<64><00><01>ZBej1dOdLgd!<21>e'dTdU<64><00><01>ZCej1dVd.gd!<21>e'dWdX<64><00><01>ZDej1dYd.gd!<21>e'dZd[<5B><00><01>ZEd\d]<5D>ZFd^d_<64>ZGd`da<64>ZHdbdc<64>ZIddde<64>ZJdfdg<64>ZKdhdi<64>ZLdjdk<64>ZMdldm<64>ZNednk<02>r#e)<29>e*<2A>e+e<1D>z
eF<EFBFBD>e&<26>Odo<64>WneP<65>y<>ZQze&<26>RdpeQ<65><00><02>WYdZQ[QndZQ[QwweN<65>e*<2A>ddqlSmTZTdrds<64>ZUeTeUddt<64>ZVeV<65>W<EFBFBD>ejXdudvdw<64>dSdS)y<>N)<05>Flask<73>request<73>jsonify<66>render_template<74>	send_file)<01>Path<74><01>datetimez/etc/haproxy/haproxy_config.db<64>	templates<65>/etc/haproxy/haproxy.cfgz/etc/haproxy/haproxy.cfg.backupz/etc/haproxy/blocked_ips.mapz#/etc/haproxy/blocked_ips.map.backupz/var/run/haproxy.sockz/etc/haproxy/certs<74>HAPROXY_API_KEYz4%(asctime)s - %(name)s - %(levelname)s - %(message)sz/var/log/haproxy-manager.log)<03>level<65>format<61>handlerscst<00><01><00><01>fdd<02><08>}|S)z=Decorator to require API key authentication if API_KEY is setcs@trtj<02>d<01>}|r|dt<00><00>krtddi<01>dfS<00>|i|<01><01>S)N<>
AuthorizationzBearer <20>errorz)Unauthorized - Invalid or missing API keyi<79>)<05>API_KEYr<00>headers<72>getr)<03>args<67>kwargs<67>auth_header<65><01>f<><00>haproxy_manager.py<70>decorated_function*s
z+require_api_key.<locals>.decorated_function)<02>	functools<6C>wraps)rrrrr<00>require_api_key(srTcCs<>t<00><01><00><02>|||d<01>}|rt<03>d|<00>d<03><03>|St<03>d|<00>d|<02><00><04>tdd<06><02>}|<04>t<08>	|<03>d<00>Wd<00>|S1s>wY|S)	z*Log operations for monitoring and alerting)<04>	timestamp<6D>	operation<6F>successrz
Operation z completed successfullyz	 failed: z#/var/log/haproxy-manager-errors.log<6F>a<>
N)
r	<00>now<6F>	isoformat<61>logger<65>infor<00>open<65>write<74>json<6F>dumps)r!r"<00>
error_message<67>	log_entryrrrr<00>
log_operation3s
<06><16>
<EFBFBD><10>r/cCsht<00>t<02><01>%}|<00><03>}|<01>d<01>|<01>d<02>|<01>d<03>|<01>d<04>|<00><05>Wd<00>dS1s-wYdS)Na
            CREATE TABLE IF NOT EXISTS domains (
                id INTEGER PRIMARY KEY,
                domain TEXT UNIQUE NOT NULL,
                ssl_enabled BOOLEAN DEFAULT 0,
                ssl_cert_path TEXT,
                template_override TEXT
            )
        a
            CREATE TABLE IF NOT EXISTS backends (
                id INTEGER PRIMARY KEY,
                name TEXT UNIQUE NOT NULL,
                domain_id INTEGER,
                settings TEXT,
                FOREIGN KEY (domain_id) REFERENCES domains (id)
            )
        a<>
            CREATE TABLE IF NOT EXISTS backend_servers (
                id INTEGER PRIMARY KEY,
                backend_id INTEGER,
                server_name TEXT NOT NULL,
                server_address TEXT NOT NULL,
                server_port INTEGER NOT NULL,
                server_options TEXT,
                FOREIGN KEY (backend_id) REFERENCES backends (id)
            )
        a"
            CREATE TABLE IF NOT EXISTS blocked_ips (
                id INTEGER PRIMARY KEY,
                ip_address TEXT UNIQUE NOT NULL,
                reason TEXT,
                blocked_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
                blocked_by TEXT
            )
        )<06>sqlite3<65>connect<63>DB_FILE<4C>cursor<6F>execute<74>commit)<02>connr3rrr<00>init_dbGs


	"<22>r7cCs2tjddgdd<04>}|jdkrt<00>gd<06><01>dSdS)zVRegister with Let's Encrypt using the certbot client and agree to the terms of service<63>certbot<6F>show_accountT)<01>capture_outputr)r8<00>registerz--agree-tosz!--register-unsafely-without-emailz--no-eff-emailN)<03>
subprocess<EFBFBD>run<75>
returncode)<01>resultrrr<00>certbot_registerzs
<04>r@cCstj<01>|d<01>}t|<01>tj<01>|<01>rtd<02>dSzt<00>|<00>Wn	ty'Ynwt<07><08>}t	j
dddddd	d
ddd
dddd|<02><00>gdd<12>t|d<13><02>.}dD]#}t|d<15><02>}|<03>|<05>
<0A><00>Wd<00>n1sewYt<00>|<04>qLWd<00>n1szwYt<0F>dS)z0Generate a self-signed certificate for a domain.zdefault_self_signed_cert.pemzSelf Signed Cert FoundT<64>openssl<73>reqz-x509z-newkeyzrsa:4096z-keyout<75>/tmp/key.pemz-out<75>
/tmp/cert.pemz-days<79>3650z-nodesz-subjz/CN=)<01>check<63>wb)rDrC<00>rbN)<10>os<6F>path<74>join<69>print<6E>exists<74>mkdir<69>FileExistsError<6F>socket<65>gethostnamer<r=r)r*<00>read<61>remove<76>generate_config)<06>
ssl_certs_dir<69>self_sign_cert<72>DOMAIN<49>combined<65>filerrrr<00>generate_self_signed_cert<72>s><02>

<02><06>
<1C><02><1C>rZcCs*t<00>dg<01>D]}|jd|krdSqdS)N<>nameTF)<03>psutil<69>process_iterr()<02>process_name<6D>processrrr<00>is_process_running<6E>s
<02>r`)<01>loaderz/api/domains<6E>GET)<01>methodsc
Cs<>z5t<00>t<02><01>}tj|_|<00><05>}|<01>d<01>Wd<00>n1swYdd<03>|<01><07>D<00>}tdd<05>t	|<02>WSt
yZ}ztddt|<03><01>t	dt|<03>d<08><02>d	fWYd}~Sd}~ww)
Nz<EFBFBD>
            SELECT d.*, b.name as backend_name
            FROM domains d
            LEFT JOIN backends b ON d.id = b.domain_id
        cS<00>g|]}t|<01><01>qSr<00><01>dict<63><02>.0<EFBFBD>rowrrr<00>
<listcomp><3E><00>zget_domains.<locals>.<listcomp><3E>get_domainsTFr<00><02>status<75>message<67><65><00>r0r1r2<00>Row<6F>row_factoryr3r4<00>fetchallr/r<00>	Exception<6F>str)r6r3<00>domains<6E>errrrl<00>s<1C>

"<08><02>rlz/healthc
Cs<>z5td<01>}t<01>t<03><01>}|<01><04>}|<02>d<02>|<02><06>Wd<00>n1s"wYtd|r-dnddd<07><03>dfWStyR}ztd	t	|<03>d
<EFBFBD><02>dfWYd}~Sd}~ww)N<>haproxyzSELECT 1<>healthy<68>running<6E>stopped<65>	connected)rn<00>haproxy_status<75>database<73><65><00>	unhealthy<68>rnrrp)
r`r0r1r2r3r4<00>fetchonerrurv)<04>haproxy_runningr6r3rxrrr<00>health_check<63>s.

<1C>
<06><06><06><10><08><02>r<EFBFBD>z/api/regeneratec
Csnzt<00>tdd<02>tddi<01>dfWSty6}ztddt|<00><01>tdt|<00>d<08><02>d	fWYd}~Sd}~ww)
N<EFBFBD>regenerate_configTrnr"r<>F<>failedr<64>rp<00>rTr/rrurv<00>rxrrr<00>regenerate_conf<6E>s
<06><10><08><02>r<EFBFBD>z/api/reloadc
CsBzptd<01>r-tjdddddd<04>}td|j<04>d|j<05>d|j<06><00><06>tdd<03>tdd	i<01>d
fWStjdddd
dt	gdddd<0F>}|jdkrStd<11>tdd<03>tdd	i<01>d
fWSd|j<04>d|j<05><00>}t|<01>tdd|<01>td|d<17><02>dfWStj
y<EFBFBD>}z#d|j<04>d|j<05><00>}t|<01>tdd|<01>td|d<17><02>dfWYd}~Sd}~ww)Nry<00>,echo "reload" | socat stdio /tmp/haproxy-cliT)rFr:<00>text<78>shellzReload result: z, <20>reload_haproxyrnr"r<><00>-W<>-S<>/tmp/haproxy-cli,level,admin<69>-f<>rFr:r<>r<00>HAProxy started successfully<6C>
start_haproxy<78> HAProxy start command returned: <20>
Error output: Fr<46>r<>rp<00>Failed to start HAProxy: r$)r`r<r=rL<00>stdout<75>stderrr>r/r<00>HAPROXY_CONFIG_PATH<54>CalledProcessError<6F>r?<00>	error_msgrxrrrr<><00>s:<06> 
<06>

<08><02>r<EFBFBD>z/api/domain<69>POSTcCsnt<00><01>}|<00>d<01>}|<00>d<02>}|<00>d<03>}|<00>dg<00>}|r|s,tddd<07>tddd	<09><02>d
fSzet<05>t<07><01>;}|<05><08>}|<06>	d||f<02>|j
}|<06>	d||f<02>|j
}|D]}	|<06>	d
||	d|	d|	d|	<09>d<11>f<05>qOWd<00>n1spwY|<06><0B>|<05><0B>t<0C>tddd|<01>d<14><03>td|d<16><02>WSt
y<>}
ztddt|
<EFBFBD><01>tdt|
<EFBFBD>d	<09><02>dfWYd}
~
Sd}
~
ww)N<>domain<69>template_override<64>backend_name<6D>servers<72>
add_domainFz$Domain and backend_name are requiredrrm<00><>z=INSERT INTO domains (domain, template_override) VALUES (?, ?)z4INSERT INTO backends (name, domain_id) VALUES (?, ?)z<>
                    INSERT INTO backend_servers
                    (backend_id, server_name, server_address, server_port, server_options)
                    VALUES (?, ?, ?, ?, ?)
                r[<00>address<73>port<72>optionsT<73>Domain z added successfullyr")rn<00>	domain_idrp)r<00>get_jsonrr/rr0r1r2r3r4<00>	lastrowid<69>closerTrurv)<0B>datar<61>r<>r<>r<>r6r3r<><00>
backend_id<EFBFBD>serverrxrrrr<>sF


<04><02><06><02><1C>"<08><02>r<EFBFBD><00>/cCstd<01>S)Nz
index.html<6D>rrrrr<00>index.sr<>z
/default-pagecCs<tj<01>dd<02>}tdtj<01>dd<05>tj<01>dd<07>tj<01>dd	<09>d
<EFBFBD>S<00>z,Serve the default page for unmatched domains<6E>HAPROXY_ADMIN_EMAILzadmin@example.comzdefault_page.html<6D>HAPROXY_DEFAULT_PAGE_TITLEzSite Not Configured<65>HAPROXY_DEFAULT_MAIN_MESSAGEziThis domain has not been configured yet. Please contact your system administrator to set up this website.<2E>!HAPROXY_DEFAULT_SECONDARY_MESSAGEzLIf you believe this is an error, please check the domain name and try again.)<03>
page_title<EFBFBD>main_message<67>secondary_message)rI<00>environrr<00><01>admin_emailrrr<00>default_page2<00><06>r<EFBFBD>z/api/sslc
Cs<>t<00><01>}|<00>d<01>}|stddd<04>tddd<07><02>dfSz<>tjd	d
ddd
ddd|g	ddd<12>}|jdkr<>d|<01>d<15>}d|<01>d<16>}t<08>d|<01>d<18>}t	j
tdd<19>t|d<1A><02>}tjd||g|d<1C>Wd<00>n1sfwYt<0C>
t<0E><01>}|<07><0F>}|<08>d||f<02>Wd<00>n1s<>wY|<08><11>|<07><11>t<12>tddd|<01><00><02>td ||d!d"<22><04>WSd#|j<13><00>}	tdd|	<09>td|	d<07><02>d$fWSty<>}
ztddt|
<EFBFBD><01>tdt|
<EFBFBD>d<07><02>d$fWYd}
~
Sd}
~
ww)%zBLegacy endpoint for requesting SSL certificate for a single domainr<6E><00>request_sslFzDomain not providedr<00>Domain is requiredrmr<>r8<00>certonly<6C>-n<>--standalone<6E>--preferred-challenges<65>http<74>--http-01-port=8688<38>-dT<64>r:r<>r<00>/etc/letsencrypt/live/<2F>/fullchain.pem<65>/privkey.pemr<6D><00>.pem<65><01>exist_ok<6F>w<>cat<61>r<>Nz<4E>
                    UPDATE domains
                    SET ssl_enabled = 1, ssl_cert_path = ?
                    WHERE domain = ?
                zSSL certificate obtained for r"<00>!Certificate obtained successfully)rnr<><00>	cert_pathroz"Failed to obtain SSL certificate: rp)rr<>rr/rr<r=r><00>
SSL_CERTS_DIRrI<00>makedirsr)r0r1r2r3r4r<>rTr<>rurv)r<>r<>r?r<><00>key_path<74>
combined_pathrXr6r3r<>rxrrrr<>=sZ
<02><06>
<1C><06><1C>
<EFBFBD>"<08><02>r<EFBFBD>z/api/certificates/renewc
Csz<>tjgd<01>ddd<03>}|jdkr<>d|jvsd|jvr<>t<04>t<06><01>[}|<01><07>}|<02>d<07>|<02>	<09>}|D]C\}}|rrt
j<0B>|<05>rrd|<04>d	<09>}d|<04>d
<EFBFBD>}t
j<0B>|<06>rrt
j<0B>|<07>rrt
|d<0B><02>}tjd||g|d
<0A>Wd<00>n1smwYq/Wd<00>n1s}wYt<0E>tjddddd<10>}	|	jdkr<>tddd<12>tddd<14><02>WSd|	j<11><00>}
tdd|
<EFBFBD>td|
d<14><02>dfWStddd<19>tddd<14><02>WSd|j<11><00>}
tdd|
<EFBFBD>td|
d<14><02>dfWSty<>}ztddt|<0B><01>tdt|<0B>d<14><02>dfWYd}~Sd}~ww)z)Renew all certificates and reload HAProxy)r8<00>renewz--quietTr<54>r<00>Congratulations<6E>renewedz?SELECT domain, ssl_cert_path FROM domains WHERE ssl_enabled = 1r<31>r<>r<>r<>r<>r<>Nr<4E><00>r:r<>r<><00>renew_certificatesz)Certificates renewed and HAProxy reloadedr"rmz0Certificates renewed but HAProxy reload failed: F<>partial_successrpzNo certificates needed renewalzCertificate renewal failed: r)r<r=r>r<>r0r1r2r3r4rtrIrJrMr)rTr/rr<>rurv)r?r6r3rwr<>r<><00>letsencrypt_cert<72>letsencrypt_keyrX<00>
reload_resultr<74>rxrrrr<>wsR
<06>

<1C><02><02><1C><06>
"<08><02>r<EFBFBD>z#/api/certificates/<domain>/downloadc
Cs&zmt<00>t<02><01>]}|<01><03>}|<02>d|f<01>|<02><05>}|r|ds-tddd<05><02>dfWd<00>WS|d}tj<08>	|<04>sHtddd<05><02>dfWd<00>WSt
d	d
d|<00><00><02>t|d
|<00>d<0C>d
<0A>Wd<00>WS1sfwYWdSty<>}zt
d	dt
|<05><01>tdt
|<05>d<05><02>dfWYd}~Sd}~ww)z3Download the combined certificate file for a domainzFSELECT ssl_cert_path FROM domains WHERE domain = ? AND ssl_enabled = 1rr<00> Certificate not found for domainrm<00><>NzCertificate file not found<6E>download_certificateTzCertificate downloaded for r<><00><02>
as_attachment<6E>
download_nameFrp)r0r1r2r3r4r<>rrIrJrMr/rrurv)r<>r6r3r?r<>rxrrrr<><00>s(<12><12>(<28>"<08><02>r<EFBFBD>z/api/certificates/<domain>/keyc
C<00><>z*d|<00>d<02>}tj<01>|<01>stddd<05><02>dfWStddd	|<00><00><02>t|d|<00>d
<EFBFBD>d<0B>WStyO}ztddt|<02><01>tdt|<02>d<05><02>d
fWYd}~Sd}~ww)z%Download the private key for a domainr<6E>r<>rz Private key not found for domainrmr<><00>download_private_keyTzPrivate key downloaded for z_key.pemr<6D>FrpN<>rIrJrMrr/rrurv)r<>r<>rxrrrr<><00><00>"<08><02>r<EFBFBD>z/api/certificates/<domain>/certc
Cr<>)z@Download only the certificate (without private key) for a domainr<6E>r<>rr<>rmr<><00>download_cert_onlyTz"Certificate (only) downloaded for z	_cert.pemr<6D>FrpNr<4E>)r<>r<>rxrrrr<><00>r<>r<>z/api/certificates/statuscCs<>z<>t<00>t<02><01><>}|<00><03>}|<01>d<01>|<01><05>}g}|D]\}}}|t|<05>|ddd<03>}|r<>tj<08>	|<06>r<>zJt
jddd|ddgd	d	d
<EFBFBD>}|jdkrx|j
<0A>d<0C>D].}	d
|	vrw|	<09>d<0E>d<00><0F>}
ddlm}|<0B>|
d<11>}|<0C><12>|d<||<0B><13>j}
|
|d<nqIWnty<>}zt|<0E>|d<WYd}~nd}~ww|<03>|<07>qtdd	<09>td|i<01>Wd<00>WS1s<>wYWdSty<>}ztddt|<0E><01>tdt|<0E>d<18><02>dfWYd}~Sd}~ww)z9Get status of all certificates including expiration dateszLSELECT domain, ssl_enabled, ssl_cert_path FROM domains WHERE ssl_enabled = 1N)r<><00>ssl_enabledr<64><00>expires<65>days_until_expiryrA<00>x509z-inz-nooutz-datesTr<54>rr$z	notAfter=<3D>=<3D>rz%b %d %H:%M:%S %Y %Zr<5A>r<>r<00>get_certificate_status<75>certificatesFrmrp)r0r1r2r3r4rt<00>boolrIrJrMr<r=r>r<><00>split<69>stripr	<00>strptimer&r%<00>daysrurv<00>appendr/r)r6r3rw<00>cert_statusr<73>r<>r<>rnr?<00>line<6E>expiry_date_strr	<00>expiry_date<74>
days_untilrxrrrr<><00>sZ
<06><02><06>
<02><04>
<08><02>

(<28>*"<08><02>r<EFBFBD>z/api/certificates/requestcCs&t<00><01>}|<00>dg<00>}|<00>dd<03>}|<00>dd<05>}|s'tddd<07>tdd	d
<EFBFBD><02>dfSt|t<06>s/|g}g}d}d}|D]<5D>}z<>|g}|rL|<07>d
<0A>sL|<08>d
|<07><00><02>gd<0E>}	|rW|	<09>d<0F>|D]	}
|	<09>	d|
g<02>qYt
j|	ddd<11>}|jdkr<>d|<07>d<13>}d|<07>d<14>}
t
<0A>d|<07>d<16>}tjt
dd<17>t|d<18><02>}t
jd||
g|d<1A>Wd<00>n1s<>wYt<11>t<13><01>*}|<10><14>}|<11>d|f<01>|<11><16>}|r<>|<11>d||f<02>n|<11>d||f<02>Wd<00>n1s<>wY|<04>|dd ||d!<21><05>|d"7}nd#|<07>d$|j<17><00>}|<04>|d||jd%<25><04>|d"7}Wq7t<18>y4}zd&|<07>d$t|<14><01><00>}|<04>|d|d'<27><03>|d"7}WYd}~q7d}~ww|dk<04>rkzt<1A>tddd(|<05>d)|<06>d*<2A><05>Wnt<18>yj}ztddd+t|<14><01><00><02>WYd}~nd}~wwd,t|<01>||d-<2D>|d.<2E>}|dk<02>r<>t|<15>d/fS|dk<04>r<>t|<15>d0fSt|<15>d1fS)2z6Request certificate generation for one or more domainsrw<00>
force_renewalF<6C>include_wwwT<77>request_certificateszNo domains providedrzAt least one domain is requiredrmr<>rzwww.)r8r<>r<>r<>r<>r<>r<>z--force-renewalr<6C>r<>r<>r<>r<>r<>r<>r<>r<>r<>r<>N<>'SELECT id FROM domains WHERE domain = ?z<>
                            UPDATE domains
                            SET ssl_enabled = 1, ssl_cert_path = ?
                            WHERE domain = ?
                        z<>
                            INSERT INTO domains (domain, ssl_enabled, ssl_cert_path)
                            VALUES (?, 1, ?)
                        r"r<>)r<>rnror<><00>domains_coveredr<64>z!Failed to obtain certificate for <20>: )r<>rnror<>zException while processing )r<>rnrozSuccessfully obtained z certificates, z failedz4Certificates obtained but config generation failed: <20>	completed)<03>total<61>
successfulr<EFBFBD>)rn<00>summary<72>resultsr<73><00><>rp)rr<>rr/r<00>
isinstance<EFBFBD>list<73>
startswithr<EFBFBD><00>extendr<r=r>r<>rIr<>r)r0r1r2r3r4r<>r<>rurvrT<00>len)r<>rwrrr<00>
success_count<6E>error_countr<74><00>certbot_domains<6E>cmd<6D>dr?r<>r<>r<>rXr6r3<00>
domain_existsr<73>rx<00>responserrrrs<>


<1C><06><04><02><1C><08>
<08><04><08><08><02>

"<08><02><04><06>


r<00>DELETEc

Cs<>t<00><01>}|<00>d<01>}|stddd<04>tddd<06><02>dfSz<>t<05>t<07><01><>}|<02><08>}|<03>	d|f<01>|<03>
<EFBFBD>}|sMtddd	|<01>d
<EFBFBD><03>tddd<06><02>dfWd<00>WS|d
}|<03>	d|f<01>dd<10>|<03><0B>D<00>}|D]	}|<03>	d|f<01>qc|<03>	d|f<01>|<03>	d|f<01>|<03>	d|f<01>|<03>
<EFBFBD>}|r<>|d
r<>z	t<0C>
|d
<00>Wn	ty<>YnwWd<00>n1s<>wYt<0F>tddd	|<01>d<16><03>tddd<06><02>WSty<>}	ztddt|	<09><01>tdt|	<09>d<06><02>dfWYd}	~	Sd}	~	ww)Nr<4E><00>
remove_domainFr<46>rrmr<>rr<>z
 not foundzDomain not foundr<64>rz+SELECT id FROM backends WHERE domain_id = ?cS<00>g|]}|d<00>qS<00>rrrgrrrrj<00>rkz!remove_domain.<locals>.<listcomp>z0DELETE FROM backend_servers WHERE backend_id = ?z(DELETE FROM backends WHERE domain_id = ?z DELETE FROM domains WHERE id = ?zBSELECT ssl_cert_path FROM domains WHERE id = ? AND ssl_enabled = 1Tz removed successfullyr"zDomain configuration removedrp)rr<>rr/rr0r1r2r3r4r<>rtrIrS<00>OSErrorrTrurv)
r<EFBFBD>r<>r6r3<00>
domain_resultr<74><00>backend_idsr<73><00>cert_resultrxrrrr<00>sN
<12><02><02><1C>%"<08><02>rz/api/blocked-ipsc
Cs<>z8t<00>t<02><01>(}tj|_|<00><05>}|<01>d<01>dd<03>|<01><07>D<00>}tdd<05>t	|<02>Wd<00>WS1s1wYWdSt
y]}ztddt|<03><01>t	dt|<03>d	<09><02>d
fWYd}~Sd}~ww)zGet all blocked IP addressesz2SELECT * FROM blocked_ips ORDER BY blocked_at DESCcSrdrrergrrrrj<00>rkz#get_blocked_ips.<locals>.<listcomp><3E>get_blocked_ipsTNFrrmrprq)r6r3<00>blocked_ipsrxrrrr!<00>s

(<28>"<08><02>r!c

Cst<00><01>}|<00>d<01>}|<00>dd<03>}|<00>dd<05>}|s&tddd<08>td	dd
<EFBFBD><02>dfSz<>t<05>t<07><01>}|<04><08>}|<05>	d|||f<03>|j
}Wd
<00>n1sGwYt<0B>sbtddd|<01><00><02>td	dd
<EFBFBD><02>dfWSt|<01>z.t
d<11>r<>tj<0F>t<11>rtt}nd}tjd|<07><00>dddd<15>}|jdkr<>t<15>d|<01>d|j<17><00><04>Wnty<>}	zt<15>d|<01>d|	<09><00><04>WYd
}	~	nd
}	~	wwtddd|<01>d<1B><03>td|d|<01>d<1D>d<1E><03>WStjy<>tddd|<01>d<1F><03>td	d d
<EFBFBD><02>d!fYSt<18>y
}	ztddt|	<09><01>td	t|	<09>d
<EFBFBD><02>dfWYd
}	~	Sd
}	~	ww)"z%Add an IP address to the blocked list<73>
ip_address<EFBFBD>reasonzNo reason provided<65>
blocked_by<EFBFBD>API<50>add_blocked_ipF<70>IP address is requiredrrmr<>zIINSERT INTO blocked_ips (ip_address, reason, blocked_by) VALUES (?, ?, ?)N<>Failed to update map file for <20>%Failed to update blocked IPs map filerpry<00>/tmp/haproxy-cli<6C>echo "reload" | socat stdio Tr<54>rz(HAProxy reload failed after blocking IP rz*Error reloading HAProxy after blocking IP <20>IP z blocked successfullyr"z has been blocked)rn<00>
blocked_ip_idroz is already blockedzIP address is already blockedi<64>)rr<>rr/rr0r1r2r3r4r<><00>update_blocked_ips_map<61>add_ip_to_runtime_mapr`rIrJrM<00>HAPROXY_SOCKET_PATHr<r=r>r'<00>warningr<67>ru<00>IntegrityErrorrv)
r<EFBFBD>r#r$r%r6r3r.<00>socket_pathr<68>rxrrrr'<00>sX
<04><1C><06>
<04>"<08><02>"<08><02>r'c
Cs
t<00><01>}|<00>d<01>}|stddd<04>tddd<06><02>dfSz<>t<05>t<07><01>;}|<02><08>}|<03>	d|f<01>|<03>
<EFBFBD>}|sMtddd	|<01>d
<EFBFBD><03>tddd<06><02>dfWd
<00>WS|<03>	d|f<01>Wd
<00>n1s^wYt<0B>sytddd|<01><00><02>tddd<06><02>dfWSt|<01>z.t
d<12>r<>tj<0F>t<11>r<>t}nd}tjd|<05><00>dddd<16>}|jdkr<>t<15>d|<01>d|j<17><00><04>Wnty<>}zt<15>d|<01>d|<07><00><04>WYd
}~nd
}~wwtddd	|<01>d<1B><03>tdd	|<01>d<1D>d<06><02>WSt<18>y}ztddt|<07><01>tdt|<07>d<06><02>dfWYd
}~Sd
}~ww)z*Remove an IP address from the blocked listr#<00>remove_blocked_ipFr(rrmr<>z/SELECT id FROM blocked_ips WHERE ip_address = ?r-z not found in blocked listz$IP address not found in blocked listr<74>Nz,DELETE FROM blocked_ips WHERE ip_address = ?r)r*rpryr+r,Tr<54>rz*HAProxy reload failed after unblocking IP rz,Error reloading HAProxy after unblocking IP z unblocked successfullyr"z has been unblocked)rr<>rr/rr0r1r2r3r4r<>r/<00>remove_ip_from_runtime_mapr`rIrJrMr1r<r=r>r'r2r<>rurv)r<>r#r6r3<00>	ip_resultr4r<>rxrrrr5sT
<12>	<1C><06>
<04>"<08><02>"<08><02>r5z/api/config/reloadc
Csnzt<00>tddd<03>tddd<06><02>WSty6}ztddt|<00><01>tdt|<00>d<06><02>d	fWYd
}~Sd
}~ww)z@Safely reload HAProxy configuration with validation and rollback<63>reload_config_safelyTzConfiguration reloaded safelyr"z%HAProxy configuration reloaded safelyrmFrrpNr<4E>r<>rrrr8Gs"<08><02>r8z/api/blocked-ips/syncc
CsTz<>t<00>stddd<03><02>dfWSt<02>t<04><01>}|<00><05>}|<01>d<05>dd<07>|<01><07>D<00>}Wd<00>n1s0wYztj	<09>
t<0B>r?t}nd	}tj
d
|<03><00>ddd<0C>WnYd
}|D]
}t|<05>r`|d7}qVtddd|<04>dt|<02><01>d<12><05>tdd|<04>dt|<02><01>d<12>t|<02>|d<14><04>WSty<>}ztddt|<06><01>tdt|<06>d<03><02>dfWYd}~Sd}~ww)z-Sync blocked IPs from database to runtime maprzFailed to update map filermrp<00>6SELECT ip_address FROM blocked_ips ORDER BY ip_addresscSrrrrgrrrrjbrkz$sync_blocked_ips.<locals>.<listcomp>Nr+z"echo "clear map #0" | socat stdio T<>r<>r:rr<><00>sync_blocked_ipszSynced r<>z IPs to runtime mapr")rnro<00>	total_ips<70>
synced_ipsF)r/rr0r1r2r3r4rtrIrJrMr1r<r=r0r/rrurv)r6r3r"r4r<00>iprxrrrr;UsD
<1C>
<EFBFBD><02>
<EFBFBD>"<08><02>r;cCs<00>z<>t<00>t<02>}tj|_|<00><05>}d}|<01>|<02>dd<03>|<01><07>D<00>}|<01>d<04>dd<03>|<01><07>D<00>}g}t<08>	d<06><01>
<EFBFBD>}|<05>|<06>t<0C>t<08>	d<07>j
t
d<08>}|<05>|<07>t<08>	d	<09><01>
<EFBFBD>}|<05>|<08>g}	g}
d
}|<05>|<0B>|D]<5D>}|dswt<0E>d|d
<00>d<0E><03>qezt<08>	d<0F>j
|d
|dd<10>}
|	<09>|
<0A>t<0E>d|d
<00><00><02>Wnty<>}zt<0E>d|d
<00>d|<0E><00><04>WYd}~qed}~wwzc|<01>d|df<01>dd<03>|<01><07>D<00>}|s<>t<0E>d|d<00><00><02>Wqe|ddur<>t<0E>d|d<00><00><02>|dd}t<08>	|<10>j
|d|d<1B>}nt<08>	d<1C>j
|d|d|d<1E>}|
<EFBFBD>|<11>t<0E>d|d<00><00><02>Wqet<11>y9}zt<0E>d |d<00>d|<0E><00><04>WYd}~qed}~ww|<05>d!<21>|	<09><01>t<08>	d"<22><01>
<EFBFBD>}|<05>|<12>zt<08>	d#<23><01>
<EFBFBD>}|<05>|<13>Wn"t<11>y~}zt<0E>d$|<0E><00><02>d%}|<05>|<14>WYd}~nd}~ww|<05>d!<21>|
<EFBFBD>d!<00>d&}d!<21>|<05>}t<0E>d'<27>ttd(<28><02>
}|<17>|<16>Wd<00>n	1<00>s<>wYt<18>\}}|<18>r<>t<0E>d)<29>td*d+d)<29>WdSd,|<19><00>}t<0E>|<1A>td*d-|<1A>t|<1A><01>t<11>y<>}zd.|<0E><00>}t<0E>|<1A>td*d-|<1A>d/dl}|<1B><1B><00>d}~ww)0Na[
            SELECT
                d.id as domain_id,
                d.domain,
                d.ssl_enabled,
                d.ssl_cert_path,
                d.template_override,
                b.id as backend_id,
                b.name as backend_name
            FROM domains d
            LEFT JOIN backends b ON d.id = b.domain_id
        cSrdrre)rhr<>rrrrj<00>rkz#generate_config.<locals>.<listcomp>z"SELECT ip_address FROM blocked_ipscSrrrrgrrrrj<00>rkzhap_header.tplzhap_listener.tpl)<01>crt_pathzhap_letsencrypt.tplzP    # Default backend for unmatched domains
    default_backend default-backend
r<EFBFBD>zSkipping domain r<>z - no backend namezhap_subdomain_acl.tpl)r<>r[zAdded ACL for domain: z Error generating domain ACL for rzX
                    SELECT * FROM backend_servers WHERE backend_id = ?
                r<>cSrdrre)rhr<>rrrrj<00>rkzNo servers found for backend r<>zTemplate Override is set to: z.tpl)r[r<>zhap_backend.tplr<6C>)r[r<>r<>zAdded backend block for: z#Error generating backend block for r$zhap_letsencrypt_backend.tplzhap_default_backend.tplz"Error generating default backend: z<># Default backend for unmatched domains
backend default-backend
    mode http
    option http-server-close
    server default-page 127.0.0.1:8080rzGenerated HAProxy configurationr<6E>z3Configuration generated and HAProxy reloaded safelyrTTzSafe reload failed: FzError generating config: r)r0r1r2rrrsr3r4rt<00>template_env<6E>get_template<74>renderr<72>r/r<>r'r2r(rurrK<00>debugr)r<>r*<00>reload_haproxy_safelyr/<00>	traceback<63>	print_exc)r6r3<00>queryrwr"<00>config_parts<74>default_headers<72>listener_block<63>letsencrypt_acl<63>config_acls<6C>config_backends<64>default_ruler<65><00>
domain_aclrxr<><00>
template_file<6C>
backend_block<63>letsencrypt_backend<6E>default_backend<6E>fallback_backend<6E>temp_config_path<74>config_contentrr"ror<>rErrrrT<00>s<>


<06>


<06>
<08><02><04>
<08>
<06>
<08><02>
<08><02>


<1E>


<08><02>rTc
C<00>xz tj<01>t<03>r
t<04>tt<06>tj<01>t<07>rt<04>tt<08>t	<09>
d<01>WdSty;}zt	<09>d|<00><00><02>WYd}~dSd}~ww)z-Create backup of current config and map fileszBackups created successfullyTzFailed to create backup: NF)
rIrJrMr<><00>shutil<69>copy2<79>HAPROXY_BACKUP_PATH<54>BLOCKED_IPS_MAP_PATH<54>BLOCKED_IPS_MAP_BACKUP_PATHr'r(rurr<>rrr<00>
create_backup<00>
<08><02>r]c
CrW)zRestore from backup fileszBackups restored successfullyTzFailed to restore backup: NF)
rIrJrMrZrXrYr<>r\r[r'r(rurr<>rrr<00>restore_backup%r^r_c
Cs<>z)tjdddtgddd<05>}|jdkrt<04>d<07>WdSd	|j<06><00>}t<04>|<01>d
|fWStyI}zd|<02><00>}t<04>|<01>d
|fWYd}~Sd}~ww)
z#Validate HAProxy configuration filery<00>-cr<63>Tr<54>rz'HAProxy configuration validation passed<65>TNz)HAProxy configuration validation failed: Fz!Error validating HAProxy config: N)	r<r=r<>r>r'r(r<>rrur<>rrr<00>validate_haproxy_config2s <06>


<08><02>rbc
Cs<>z<>t<00>sWdSt<01>\}}|st<02>dd|<01><00>fWStd<04>r<>zFtj<05>t<07>r1tj	dt<07><00>dddd<07>}n	tj	ddddd<07>}|j
d	krHt<0B>d
<EFBFBD>WWdSt<02>tj	dddd<0C>d
|j
<0A><00>}t<0B>|<01>d|fWWSty<>}zt<02>d|<03><00>}t<0B>|<01>d|fWYd}~WSd}~wwztj	dddddtgdddd<14>}t<0B>d<15>WWdStjy<>}zt<02>d|j
<0A><00>}t<0B>|<01>d|fWYd}~WSd}~wwty<>}zd|<03><00>}t<0B>|<01>d|fWYd}~Sd}~ww)z2Safely reload HAProxy with validation and rollback)FzFailed to create backupFzConfig validation failed: ryr,Tr<54>r<>r<00>HAProxy reloaded successfully)Trcr:zHAProxy reload failed: zCritical error during reload: Nr<4E>r<>r<>r<>r<>r<>)Tr<54>r<>z"Critical error in reload process: )r]rbr_r`rIrJrMr1r<r=r>r'r(r<>rrur<>r<>)<05>is_validr<64>r<>rxr?rrrrDCsn
<08><06>

<06>


<08><02><06>

<08><02>

<08><02>rDc
Cs<>zbt<00>t<02><01>}|<00><03>}|<01>d<01>dd<03>|<01><05>D<00>}Wd<00>n1s#wYtjtj<08>	t
<EFBFBD>dd<06>tt
d<07><02>}|D]
}|<03>|<04>d<08><02>q;Wd<00>n1sPwYt
<0A>d	t|<02><01>d
<EFBFBD><03>WdSty}}zt
<0A>d|<05><00><02>WYd}~dSd}~ww)
z-Update the blocked IPs map file from databaser9cSrrrrgrrrrj<00>rkz*update_blocked_ips_map.<locals>.<listcomp>NTr<54>r<>r$z"Updated blocked IPs map file with z IPsz"Failed to update blocked IPs map: F)r0r1r2r3r4rtrIr<>rJ<00>dirnamer[r)r*r'r(rrur)r6r3r"rr>rxrrrr/<00>s&
<1C><02><1C><08><02>r/c
C<00><>z9tj<01>t<03>r
t}nd}d|<00>d|<01><00>}tj|dddd<05>}|jdkr.t<07>d|<00>d<08><03>WdSt<07>	d	|j
<EFBFBD><00><02>Wd
StyT}zt<07>d|<04><00><02>WYd}~d
Sd}~ww)
z,Add IP to HAProxy runtime map without reloadr+zecho "add map #0 <20>" | socat stdio T<>r<>r:r<>rz	Added IP z to runtime mapz!Failed to add IP to runtime map: Fz Error adding IP to runtime map: N<>
rIrJrMr1r<r=r>r'r(r2r<>rur<00>r#r4rr?rxrrrr0<00><00> 
<08><02>r0c
Crf)
z1Remove IP from HAProxy runtime map without reloadr+zecho "del map #0 rgTrhrzRemoved IP z from runtime mapz&Failed to remove IP from runtime map: Fz$Error removing IP from runtime map: Nrirjrrrr6<00>rkr6c
CsNtd<01><01>s%z<>tj<02>t<04>st<05>d<02>WdStjdddtgddd<06>}|j	dkr<>t<05>
d|j<0B><00><02>t<05>d	<09>z
t<0C>t<05>
d
<EFBFBD>Wn+tyh}zt<05>
d|<01><00><02>t<05>d<0C>td
dd|j<0B><00><02>WYd}~WdSd}~wwtjdddtgddd<06>}|j	dkr<>t<05>
d|j<0B><00><02>t<05>d<0C>td
dd|j<0B><00><02>WdStjdddddtgdddd<14>}|j	dkr<>t<05>
d<15>td
dd<15>WdSd|j<10>d|j<0B><00>}t<05>
|<03>td
d|<03>WdStjy<>}z!d|j<10>d|j<0B><00>}t<05>
|<03>td
d|<03>t<05>d<1A>WYd}~dSd}~wt<0E>y$}zd|<04><00>}t<05>
|<03>td
d|<03>t<05>d<1A>WYd}~dSd}~wwdS)Nryz5HAProxy config file not found, skipping HAProxy startr`r<>Tr<54>rz"HAProxy configuration is invalid: z)Attempting to regenerate configuration...z&Configuration regenerated successfullyz$Failed to regenerate configuration: z2HAProxy will not start due to configuration errorsr<73>FzInvalid config: z;HAProxy configuration is still invalid after regeneration: r<>r<>r<>r<>r<>r<>r<>r<>r$z/Container will continue without HAProxy runningz#Unexpected error starting HAProxy: )r`rIrJrMr<>r'r2r<r=r>rr<>rTr(rur/r<>r<>)<05>test_result<6C>	gen_errorr?r<>rxrrrr<><00>sv


<06>


<08><02>
<06>

<06>


<08>

<08><02><04>r<EFBFBD><00>__main__z3Configuration generated successfully before startupz*Failed to generate initial configuration: )<01>Threadcs\ddlm}m<02>|t<03>}d|_|<01>d<04><01>fdd<06><08>}|<01>d<07><01>fdd	<09><08>}|jd
dd<0C>d
S)z:Run a separate Flask app on port 8080 for the default pager)rrr
r<>cs<tj<01>dd<02>}<00>dtj<01>dd<05>tj<01>dd<07>tj<01>dd	<09>d
<EFBFBD>Sr<>)rIr<>rr<>r<>rrr<>$r<>z-run_default_page_server.<locals>.default_pagez/blocked-ipcs<00>d<01>dfS)z-Serve the blocked IP page for blocked clientszblocked_ip_page.htmli<6C>rrr<>rr<00>blocked_ip_page/sz0run_default_page_server.<locals>.blocked_ip_page<67>0.0.0.0i<EFBFBD><00><02>hostr<74>N)<07>flaskrr<00>__name__<5F>template_folder<65>router=)r<00>default_appr<70>rprr<>r<00>run_default_page_servers
ry)<02>target<65>daemonrqi@rrra)Yr0rIrtrrrrr<00>pathlibrr<<00>jinja2rPr\r<00>loggingr	r+rX<00>tempfileru<00>appr2<00>TEMPLATE_DIRr<52>rZr[r\r1r<>r<>rr<00>basicConfig<69>INFO<46>FileHandler<65>
StreamHandler<65>	getLoggerr'rr/r7r@rZr`<00>FileSystemLoader<65>template_loader<65>Environmentr@rwrlr<>r<>r<>r<>r<>r<>r<>r<>r<>r<>r<>r<>rrr!r'r5r8r;rTr]r_rbrDr/r0r6r<>r(rurxr<00>	threadingrory<00>default_server_thread<61>startr=rrrr<00><module>s<><02><06>

3

 )


82

1722*

D
D<08><02><04>
-												Fix HAProxy 2.6 compatibility for default backend

- Replace http-response set-body (HAProxy 2.8+) with local server approach
- Add separate Flask server on port 8080 to serve default page
- Update default backend template to use local server instead of inline HTML
- Maintain all customization features via environment variables
- Fix JavaScript error handling for domains API response

											
										
										
											2025-07-11 19:27:42 -07:00
+								o
-												Fix HAProxy 3.0 compatibility issues in tarpit configuration

- Remove gpc2 from stick-table (not supported in HAProxy 3.0)
- Fix ACL syntax: Change sc_get_gpc0(0) to sc0_get_gpc0
- Fix ACL syntax: Change sc_http_err_rate(0,period) to sc0_http_err_rate(period)
- Fix ACL syntax: Change sc_get_gpc1(0) to sc0_get_gpc1
- Reorder rules to place http-request rules before use_backend rules
- Remove duplicate gpc2 increment rule

These changes ensure compatibility with HAProxy 3.0.11 while maintaining
the tarpit escalation functionality for exploit scanning protection.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

											
										
										
											2025-08-23 18:30:34 -07:00
+								+<2B><>h<08><00>
-												CRITICAL FIX: Migrate HAProxy IP blocking from ACL to map files

**Problem Solved:**
- HAProxy ACL 64-word limit caused config parsing failures
- "too many words, truncating after word 64" error
- Complete service outage when >64 IPs were blocked
- Error: "no such ACL : 'is_blocked'" broke all traffic routing

**Solution: HAProxy Map Files (v1.6+)**
- ✅ Unlimited IP addresses (no word limits)
- ✅ Runtime updates without config reloads
- ✅ Better performance (hash table vs linear search)
- ✅ Safer config management with validation & rollback

**Technical Implementation:**

**Map File Integration:**
- `/etc/haproxy/blocked_ips.map` stores all blocked IPs
- `http-request deny status 403 if { src -f /etc/haproxy/blocked_ips.map }`
- Runtime updates: `echo "add map #0 IP" | socat stdio /var/run/haproxy.sock`

**Safety Features Added:**
- `create_backup()` - Automatic config/map backups before changes
- `validate_haproxy_config()` - Config validation before applying
- `restore_backup()` - Automatic rollback on failures
- `reload_haproxy_safely()` - Safe reload with validation pipeline

**Runtime Management:**
- `update_blocked_ips_map()` - Sync database to map file
- `add_ip_to_runtime_map()` - Immediate IP blocking without reload
- `remove_ip_from_runtime_map()` - Immediate IP unblocking

**New API Endpoints:**
- `POST /api/config/reload` - Safe config reload with rollback
- `POST /api/blocked-ips/sync` - Sync database to runtime map

**Template Changes:**
- Replaced ACL method: `acl is_blocked src IP1 IP2...` (64 limit)
- With map method: `http-request deny if { src -f blocked_ips.map }` (unlimited)

**Backwards Compatibility:**
- Existing API endpoints unchanged (GET/POST/DELETE /api/blocked-ips)
- Database schema unchanged
- Automatic migration on first config generation

**Performance Improvements:**
- O(1) hash table lookups vs O(n) linear ACL search
- No config reloads needed for IP changes
- Supports millions of IPs if needed
- Memory efficient external file storage

**Documentation:**
- Complete migration guide in MIGRATION_GUIDE.md
- Updated API documentation with new endpoints
- Runtime management examples
- Troubleshooting guide

**Production Safety:**
- All changes include automatic backup/restore
- Config validation prevents bad deployments
- Runtime updates avoid service interruption
- Comprehensive error logging and monitoring

This fixes the critical production outage caused by ACL word limits
while providing a more scalable and performant IP blocking solution.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

											
										
										
											2025-08-22 08:31:17 -07:00
+								@sJddlZddlZddlmZmZmZmZmZddlm	Z	ddl
-												Fix HAProxy 2.6 compatibility for default backend

- Replace http-response set-body (HAProxy 2.8+) with local server approach
- Add separate Flask server on port 8080 to serve default page
- Update default backend template to use local server instead of inline HTML
- Maintain all customization features via environment variables
- Fix JavaScript error handling for domains API response

											
										
										
											2025-07-11 19:27:42 -07:00
+								Z
-												CRITICAL FIX: Migrate HAProxy IP blocking from ACL to map files

**Problem Solved:**
- HAProxy ACL 64-word limit caused config parsing failures
- "too many words, truncating after word 64" error
- Complete service outage when >64 IPs were blocked
- Error: "no such ACL : 'is_blocked'" broke all traffic routing

**Solution: HAProxy Map Files (v1.6+)**
- ✅ Unlimited IP addresses (no word limits)
- ✅ Runtime updates without config reloads
- ✅ Better performance (hash table vs linear search)
- ✅ Safer config management with validation & rollback

**Technical Implementation:**

**Map File Integration:**
- `/etc/haproxy/blocked_ips.map` stores all blocked IPs
- `http-request deny status 403 if { src -f /etc/haproxy/blocked_ips.map }`
- Runtime updates: `echo "add map #0 IP" | socat stdio /var/run/haproxy.sock`

**Safety Features Added:**
- `create_backup()` - Automatic config/map backups before changes
- `validate_haproxy_config()` - Config validation before applying
- `restore_backup()` - Automatic rollback on failures
- `reload_haproxy_safely()` - Safe reload with validation pipeline

**Runtime Management:**
- `update_blocked_ips_map()` - Sync database to map file
- `add_ip_to_runtime_map()` - Immediate IP blocking without reload
- `remove_ip_from_runtime_map()` - Immediate IP unblocking

**New API Endpoints:**
- `POST /api/config/reload` - Safe config reload with rollback
- `POST /api/blocked-ips/sync` - Sync database to runtime map

**Template Changes:**
- Replaced ACL method: `acl is_blocked src IP1 IP2...` (64 limit)
- With map method: `http-request deny if { src -f blocked_ips.map }` (unlimited)

**Backwards Compatibility:**
- Existing API endpoints unchanged (GET/POST/DELETE /api/blocked-ips)
- Database schema unchanged
- Automatic migration on first config generation

**Performance Improvements:**
- O(1) hash table lookups vs O(n) linear ACL search
- No config reloads needed for IP changes
- Supports millions of IPs if needed
- Memory efficient external file storage

**Documentation:**
- Complete migration guide in MIGRATION_GUIDE.md
- Updated API documentation with new endpoints
- Runtime management examples
- Troubleshooting guide

**Production Safety:**
- All changes include automatic backup/restore
- Config validation prevents bad deployments
- Runtime updates avoid service interruption
- Comprehensive error logging and monitoring

This fixes the critical production outage caused by ACL word limits
while providing a more scalable and performant IP blocking solution.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

											
										
										
											2025-08-22 08:31:17 -07:00
+								ddlZddlZddl
Z
ddlZddlZddlmZddlZddlZddlZee<14>ZdZe	d<06>ZdZdZd	Zd
 								ZdZdZej<1E>d
<0A>Z ej!ej"de<0F>#d<0F>e<0F>$<24>gd<10>e<0F>%e<14>Z&dd<12>Z'dxdd<15>Z(dd<17>Z)dd<19>Z*dd<1B>Z+dd<1D>Z,e<0B>-e<17>Z.ej/e.d<1E>Z0ej1dd gd!<21>e'd"d#<23><00><01>Z2ej1d$d gd!<21>d%d&<26><00>Z3ej1d'd gd!<21>e'd(d)<29><00><01>Z4ej1d*d gd!<21>e'd+d,<2C><00><01>Z5ej1d-d.gd!<21>e'd/d0<64><00><01>Z6e<15>1d1<64>d2d3<64><00>Z7e<15>1d4<64>d5d6<64><00>Z8ej1d7d.gd!<21>e'd8d9<64><00><01>Z9ej1d:d.gd!<21>e'd;d<<3C><00><01>Z:ej1d=d gd!<21>e'd>d?<3F><00><01>Z;ej1d@d gd!<21>e'dAdB<64><00><01>Z<ej1dCd gd!<21>e'dDdE<64><00><01>Z=ej1dFd gd!<21>e'dGdH<64><00><01>Z>ej1dId.gd!<21>e'dJdK<64><00><01>Z?ej1d-dLgd!<21>e'dMdN<64><00><01>Z@ej1dOd gd!<21>e'dPdQ<64><00><01>ZAej1dOd.gd!<21>e'dRdS<64><00><01>ZBej1dOdLgd!<21>e'dTdU<64><00><01>ZCej1dVd.gd!<21>e'dWdX<64><00><01>ZDej1dYd.gd!<21>e'dZd[<5B><00><01>ZEd\d]<5D>ZFd^d_<64>ZGd`da<64>ZHdbdc<64>ZIddde<64>ZJdfdg<64>ZKdhdi<64>ZLdjdk<64>ZMdldm<64>ZNednk<02>r#e)<29>e*<2A>e+e<1D>z
 								eF<EFBFBD>e&<26>Odo<64>WneP<65>y<>ZQze&<26>RdpeQ<65><00><02>WYdZQ[QndZQ[QwweN<65>e*<2A>ddqlSmTZTdrds<64>ZUeTeUddt<64>ZVeV<65>W<EFBFBD>ejXdudvdw<64>dSdS)y<>N)<05>Flask<73>request<73>jsonify<66>render_template<74>	send_file)<01>Path<74><01>datetimez/etc/haproxy/haproxy_config.db<64>	templates<65>/etc/haproxy/haproxy.cfgz/etc/haproxy/haproxy.cfg.backupz/etc/haproxy/blocked_ips.mapz#/etc/haproxy/blocked_ips.map.backupz/var/run/haproxy.sockz/etc/haproxy/certs<74>HAPROXY_API_KEYz4%(asctime)s - %(name)s - %(levelname)s - %(message)sz/var/log/haproxy-manager.log)<03>level<65>format<61>handlerscst<00><01><00><01>fdd<02><08>}|S)z=Decorator to require API key authentication if API_KEY is setcs@trtj<02>d<01>}|r|dt<00><00>krtddi<01>dfS<00>|i|<01><01>S)N<>
AuthorizationzBearer <20>errorz)Unauthorized - Invalid or missing API keyi<79>)<05>API_KEYr<00>headers<72>getr)<03>args<67>kwargs<67>auth_header<65><01>f<><00>haproxy_manager.py<70>decorated_function*s
 								z+require_api_key.<locals>.decorated_function)<02>	functools<6C>wraps)rrrrr<00>require_api_key(srTcCs<>t<00><01><00><02>|||d<01>}|rt<03>d|<00>d<03><03>|St<03>d|<00>d|<02><00><04>tdd<06><02>}|<04>t<08>	|<03>d<00>Wd<00>|S1s>wY|S)	z*Log operations for monitoring and alerting)<04>	timestamp<6D>	operation<6F>successrz
-												Fix HAProxy 2.6 compatibility for default backend

- Replace http-response set-body (HAProxy 2.8+) with local server approach
- Add separate Flask server on port 8080 to serve default page
- Update default backend template to use local server instead of inline HTML
- Maintain all customization features via environment variables
- Fix JavaScript error handling for domains API response

											
										
										
											2025-07-11 19:27:42 -07:00
+								Operation z completed successfullyz	 failed: z#/var/log/haproxy-manager-errors.log<6F>a<>
 								N)
-												CRITICAL FIX: Migrate HAProxy IP blocking from ACL to map files

**Problem Solved:**
- HAProxy ACL 64-word limit caused config parsing failures
- "too many words, truncating after word 64" error
- Complete service outage when >64 IPs were blocked
- Error: "no such ACL : 'is_blocked'" broke all traffic routing

**Solution: HAProxy Map Files (v1.6+)**
- ✅ Unlimited IP addresses (no word limits)
- ✅ Runtime updates without config reloads
- ✅ Better performance (hash table vs linear search)
- ✅ Safer config management with validation & rollback

**Technical Implementation:**

**Map File Integration:**
- `/etc/haproxy/blocked_ips.map` stores all blocked IPs
- `http-request deny status 403 if { src -f /etc/haproxy/blocked_ips.map }`
- Runtime updates: `echo "add map #0 IP" | socat stdio /var/run/haproxy.sock`

**Safety Features Added:**
- `create_backup()` - Automatic config/map backups before changes
- `validate_haproxy_config()` - Config validation before applying
- `restore_backup()` - Automatic rollback on failures
- `reload_haproxy_safely()` - Safe reload with validation pipeline

**Runtime Management:**
- `update_blocked_ips_map()` - Sync database to map file
- `add_ip_to_runtime_map()` - Immediate IP blocking without reload
- `remove_ip_from_runtime_map()` - Immediate IP unblocking

**New API Endpoints:**
- `POST /api/config/reload` - Safe config reload with rollback
- `POST /api/blocked-ips/sync` - Sync database to runtime map

**Template Changes:**
- Replaced ACL method: `acl is_blocked src IP1 IP2...` (64 limit)
- With map method: `http-request deny if { src -f blocked_ips.map }` (unlimited)

**Backwards Compatibility:**
- Existing API endpoints unchanged (GET/POST/DELETE /api/blocked-ips)
- Database schema unchanged
- Automatic migration on first config generation

**Performance Improvements:**
- O(1) hash table lookups vs O(n) linear ACL search
- No config reloads needed for IP changes
- Supports millions of IPs if needed
- Memory efficient external file storage

**Documentation:**
- Complete migration guide in MIGRATION_GUIDE.md
- Updated API documentation with new endpoints
- Runtime management examples
- Troubleshooting guide

**Production Safety:**
- All changes include automatic backup/restore
- Config validation prevents bad deployments
- Runtime updates avoid service interruption
- Comprehensive error logging and monitoring

This fixes the critical production outage caused by ACL word limits
while providing a more scalable and performant IP blocking solution.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

											
										
										
											2025-08-22 08:31:17 -07:00
+								r	<00>now<6F>	isoformat<61>logger<65>infor<00>open<65>write<74>json<6F>dumps)r!r"<00>
error_message<67>	log_entryrrrr<00>
log_operation3s
-												Fix HAProxy 2.6 compatibility for default backend

- Replace http-response set-body (HAProxy 2.8+) with local server approach
- Add separate Flask server on port 8080 to serve default page
- Update default backend template to use local server instead of inline HTML
- Maintain all customization features via environment variables
- Fix JavaScript error handling for domains API response

											
										
										
											2025-07-11 19:27:42 -07:00
+								<06><16>
-												CRITICAL FIX: Migrate HAProxy IP blocking from ACL to map files

**Problem Solved:**
- HAProxy ACL 64-word limit caused config parsing failures
- "too many words, truncating after word 64" error
- Complete service outage when >64 IPs were blocked
- Error: "no such ACL : 'is_blocked'" broke all traffic routing

**Solution: HAProxy Map Files (v1.6+)**
- ✅ Unlimited IP addresses (no word limits)
- ✅ Runtime updates without config reloads
- ✅ Better performance (hash table vs linear search)
- ✅ Safer config management with validation & rollback

**Technical Implementation:**

**Map File Integration:**
- `/etc/haproxy/blocked_ips.map` stores all blocked IPs
- `http-request deny status 403 if { src -f /etc/haproxy/blocked_ips.map }`
- Runtime updates: `echo "add map #0 IP" | socat stdio /var/run/haproxy.sock`

**Safety Features Added:**
- `create_backup()` - Automatic config/map backups before changes
- `validate_haproxy_config()` - Config validation before applying
- `restore_backup()` - Automatic rollback on failures
- `reload_haproxy_safely()` - Safe reload with validation pipeline

**Runtime Management:**
- `update_blocked_ips_map()` - Sync database to map file
- `add_ip_to_runtime_map()` - Immediate IP blocking without reload
- `remove_ip_from_runtime_map()` - Immediate IP unblocking

**New API Endpoints:**
- `POST /api/config/reload` - Safe config reload with rollback
- `POST /api/blocked-ips/sync` - Sync database to runtime map

**Template Changes:**
- Replaced ACL method: `acl is_blocked src IP1 IP2...` (64 limit)
- With map method: `http-request deny if { src -f blocked_ips.map }` (unlimited)

**Backwards Compatibility:**
- Existing API endpoints unchanged (GET/POST/DELETE /api/blocked-ips)
- Database schema unchanged
- Automatic migration on first config generation

**Performance Improvements:**
- O(1) hash table lookups vs O(n) linear ACL search
- No config reloads needed for IP changes
- Supports millions of IPs if needed
- Memory efficient external file storage

**Documentation:**
- Complete migration guide in MIGRATION_GUIDE.md
- Updated API documentation with new endpoints
- Runtime management examples
- Troubleshooting guide

**Production Safety:**
- All changes include automatic backup/restore
- Config validation prevents bad deployments
- Runtime updates avoid service interruption
- Comprehensive error logging and monitoring

This fixes the critical production outage caused by ACL word limits
while providing a more scalable and performant IP blocking solution.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

											
										
										
											2025-08-22 08:31:17 -07:00
+								<EFBFBD><10>r/cCsht<00>t<02><01>%}|<00><03>}|<01>d<01>|<01>d<02>|<01>d<03>|<01>d<04>|<00><05>Wd<00>dS1s-wYdS)Na
-												Fix HAProxy 2.6 compatibility for default backend

- Replace http-response set-body (HAProxy 2.8+) with local server approach
- Add separate Flask server on port 8080 to serve default page
- Update default backend template to use local server instead of inline HTML
- Maintain all customization features via environment variables
- Fix JavaScript error handling for domains API response

											
										
										
											2025-07-11 19:27:42 -07:00
+								            CREATE TABLE IF NOT EXISTS domains (
 								                id INTEGER PRIMARY KEY,
 								                domain TEXT UNIQUE NOT NULL,
 								                ssl_enabled BOOLEAN DEFAULT 0,
 								                ssl_cert_path TEXT,
 								                template_override TEXT
 								            )
 								        a
 								            CREATE TABLE IF NOT EXISTS backends (
 								                id INTEGER PRIMARY KEY,
 								                name TEXT UNIQUE NOT NULL,
 								                domain_id INTEGER,
 								                settings TEXT,
 								                FOREIGN KEY (domain_id) REFERENCES domains (id)
 								            )
 								        a<>
 								            CREATE TABLE IF NOT EXISTS backend_servers (
 								                id INTEGER PRIMARY KEY,
 								                backend_id INTEGER,
 								                server_name TEXT NOT NULL,
 								                server_address TEXT NOT NULL,
 								                server_port INTEGER NOT NULL,
 								                server_options TEXT,
 								                FOREIGN KEY (backend_id) REFERENCES backends (id)
 								            )
-												CRITICAL FIX: Migrate HAProxy IP blocking from ACL to map files

**Problem Solved:**
- HAProxy ACL 64-word limit caused config parsing failures
- "too many words, truncating after word 64" error
- Complete service outage when >64 IPs were blocked
- Error: "no such ACL : 'is_blocked'" broke all traffic routing

**Solution: HAProxy Map Files (v1.6+)**
- ✅ Unlimited IP addresses (no word limits)
- ✅ Runtime updates without config reloads
- ✅ Better performance (hash table vs linear search)
- ✅ Safer config management with validation & rollback

**Technical Implementation:**

**Map File Integration:**
- `/etc/haproxy/blocked_ips.map` stores all blocked IPs
- `http-request deny status 403 if { src -f /etc/haproxy/blocked_ips.map }`
- Runtime updates: `echo "add map #0 IP" | socat stdio /var/run/haproxy.sock`

**Safety Features Added:**
- `create_backup()` - Automatic config/map backups before changes
- `validate_haproxy_config()` - Config validation before applying
- `restore_backup()` - Automatic rollback on failures
- `reload_haproxy_safely()` - Safe reload with validation pipeline

**Runtime Management:**
- `update_blocked_ips_map()` - Sync database to map file
- `add_ip_to_runtime_map()` - Immediate IP blocking without reload
- `remove_ip_from_runtime_map()` - Immediate IP unblocking

**New API Endpoints:**
- `POST /api/config/reload` - Safe config reload with rollback
- `POST /api/blocked-ips/sync` - Sync database to runtime map

**Template Changes:**
- Replaced ACL method: `acl is_blocked src IP1 IP2...` (64 limit)
- With map method: `http-request deny if { src -f blocked_ips.map }` (unlimited)

**Backwards Compatibility:**
- Existing API endpoints unchanged (GET/POST/DELETE /api/blocked-ips)
- Database schema unchanged
- Automatic migration on first config generation

**Performance Improvements:**
- O(1) hash table lookups vs O(n) linear ACL search
- No config reloads needed for IP changes
- Supports millions of IPs if needed
- Memory efficient external file storage

**Documentation:**
- Complete migration guide in MIGRATION_GUIDE.md
- Updated API documentation with new endpoints
- Runtime management examples
- Troubleshooting guide

**Production Safety:**
- All changes include automatic backup/restore
- Config validation prevents bad deployments
- Runtime updates avoid service interruption
- Comprehensive error logging and monitoring

This fixes the critical production outage caused by ACL word limits
while providing a more scalable and performant IP blocking solution.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

											
										
										
											2025-08-22 08:31:17 -07:00
+								        a"
 								            CREATE TABLE IF NOT EXISTS blocked_ips (
 								                id INTEGER PRIMARY KEY,
 								                ip_address TEXT UNIQUE NOT NULL,
 								                reason TEXT,
 								                blocked_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
 								                blocked_by TEXT
 								            )
 								        )<06>sqlite3<65>connect<63>DB_FILE<4C>cursor<6F>execute<74>commit)<02>connr3rrr<00>init_dbGs
-												Fix HAProxy 2.6 compatibility for default backend

- Replace http-response set-body (HAProxy 2.8+) with local server approach
- Add separate Flask server on port 8080 to serve default page
- Update default backend template to use local server instead of inline HTML
- Maintain all customization features via environment variables
- Fix JavaScript error handling for domains API response

											
										
										
											2025-07-11 19:27:42 -07:00
-												CRITICAL FIX: Migrate HAProxy IP blocking from ACL to map files

**Problem Solved:**
- HAProxy ACL 64-word limit caused config parsing failures
- "too many words, truncating after word 64" error
- Complete service outage when >64 IPs were blocked
- Error: "no such ACL : 'is_blocked'" broke all traffic routing

**Solution: HAProxy Map Files (v1.6+)**
- ✅ Unlimited IP addresses (no word limits)
- ✅ Runtime updates without config reloads
- ✅ Better performance (hash table vs linear search)
- ✅ Safer config management with validation & rollback

**Technical Implementation:**

**Map File Integration:**
- `/etc/haproxy/blocked_ips.map` stores all blocked IPs
- `http-request deny status 403 if { src -f /etc/haproxy/blocked_ips.map }`
- Runtime updates: `echo "add map #0 IP" | socat stdio /var/run/haproxy.sock`

**Safety Features Added:**
- `create_backup()` - Automatic config/map backups before changes
- `validate_haproxy_config()` - Config validation before applying
- `restore_backup()` - Automatic rollback on failures
- `reload_haproxy_safely()` - Safe reload with validation pipeline

**Runtime Management:**
- `update_blocked_ips_map()` - Sync database to map file
- `add_ip_to_runtime_map()` - Immediate IP blocking without reload
- `remove_ip_from_runtime_map()` - Immediate IP unblocking

**New API Endpoints:**
- `POST /api/config/reload` - Safe config reload with rollback
- `POST /api/blocked-ips/sync` - Sync database to runtime map

**Template Changes:**
- Replaced ACL method: `acl is_blocked src IP1 IP2...` (64 limit)
- With map method: `http-request deny if { src -f blocked_ips.map }` (unlimited)

**Backwards Compatibility:**
- Existing API endpoints unchanged (GET/POST/DELETE /api/blocked-ips)
- Database schema unchanged
- Automatic migration on first config generation

**Performance Improvements:**
- O(1) hash table lookups vs O(n) linear ACL search
- No config reloads needed for IP changes
- Supports millions of IPs if needed
- Memory efficient external file storage

**Documentation:**
- Complete migration guide in MIGRATION_GUIDE.md
- Updated API documentation with new endpoints
- Runtime management examples
- Troubleshooting guide

**Production Safety:**
- All changes include automatic backup/restore
- Config validation prevents bad deployments
- Runtime updates avoid service interruption
- Comprehensive error logging and monitoring

This fixes the critical production outage caused by ACL word limits
while providing a more scalable and performant IP blocking solution.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

											
										
										
											2025-08-22 08:31:17 -07:00
 									"<22>r7cCs2tjddgdd<04>}|jdkrt<00>gd<06><01>dSdS)zVRegister with Let's Encrypt using the certbot client and agree to the terms of service<63>certbot<6F>show_accountT)<01>capture_outputr)r8<00>registerz--agree-tosz!--register-unsafely-without-emailz--no-eff-emailN)<03>
-												Fix HAProxy 2.6 compatibility for default backend

- Replace http-response set-body (HAProxy 2.8+) with local server approach
- Add separate Flask server on port 8080 to serve default page
- Update default backend template to use local server instead of inline HTML
- Maintain all customization features via environment variables
- Fix JavaScript error handling for domains API response

											
										
										
											2025-07-11 19:27:42 -07:00
+								subprocess<EFBFBD>run<75>
-												CRITICAL FIX: Migrate HAProxy IP blocking from ACL to map files

**Problem Solved:**
- HAProxy ACL 64-word limit caused config parsing failures
- "too many words, truncating after word 64" error
- Complete service outage when >64 IPs were blocked
- Error: "no such ACL : 'is_blocked'" broke all traffic routing

**Solution: HAProxy Map Files (v1.6+)**
- ✅ Unlimited IP addresses (no word limits)
- ✅ Runtime updates without config reloads
- ✅ Better performance (hash table vs linear search)
- ✅ Safer config management with validation & rollback

**Technical Implementation:**

**Map File Integration:**
- `/etc/haproxy/blocked_ips.map` stores all blocked IPs
- `http-request deny status 403 if { src -f /etc/haproxy/blocked_ips.map }`
- Runtime updates: `echo "add map #0 IP" | socat stdio /var/run/haproxy.sock`

**Safety Features Added:**
- `create_backup()` - Automatic config/map backups before changes
- `validate_haproxy_config()` - Config validation before applying
- `restore_backup()` - Automatic rollback on failures
- `reload_haproxy_safely()` - Safe reload with validation pipeline

**Runtime Management:**
- `update_blocked_ips_map()` - Sync database to map file
- `add_ip_to_runtime_map()` - Immediate IP blocking without reload
- `remove_ip_from_runtime_map()` - Immediate IP unblocking

**New API Endpoints:**
- `POST /api/config/reload` - Safe config reload with rollback
- `POST /api/blocked-ips/sync` - Sync database to runtime map

**Template Changes:**
- Replaced ACL method: `acl is_blocked src IP1 IP2...` (64 limit)
- With map method: `http-request deny if { src -f blocked_ips.map }` (unlimited)

**Backwards Compatibility:**
- Existing API endpoints unchanged (GET/POST/DELETE /api/blocked-ips)
- Database schema unchanged
- Automatic migration on first config generation

**Performance Improvements:**
- O(1) hash table lookups vs O(n) linear ACL search
- No config reloads needed for IP changes
- Supports millions of IPs if needed
- Memory efficient external file storage

**Documentation:**
- Complete migration guide in MIGRATION_GUIDE.md
- Updated API documentation with new endpoints
- Runtime management examples
- Troubleshooting guide

**Production Safety:**
- All changes include automatic backup/restore
- Config validation prevents bad deployments
- Runtime updates avoid service interruption
- Comprehensive error logging and monitoring

This fixes the critical production outage caused by ACL word limits
while providing a more scalable and performant IP blocking solution.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

											
										
										
											2025-08-22 08:31:17 -07:00
+								returncode)<01>resultrrr<00>certbot_registerzs
-												Fix HAProxy 2.6 compatibility for default backend

- Replace http-response set-body (HAProxy 2.8+) with local server approach
- Add separate Flask server on port 8080 to serve default page
- Update default backend template to use local server instead of inline HTML
- Maintain all customization features via environment variables
- Fix JavaScript error handling for domains API response

											
										
										
											2025-07-11 19:27:42 -07:00
+								<04>r@cCstj<01>|d<01>}t|<01>tj<01>|<01>rtd<02>dSzt<00>|<00>Wn	ty'Ynwt<07><08>}t	j
 								dddddd	d
-												CRITICAL FIX: Migrate HAProxy IP blocking from ACL to map files

**Problem Solved:**
- HAProxy ACL 64-word limit caused config parsing failures
- "too many words, truncating after word 64" error
- Complete service outage when >64 IPs were blocked
- Error: "no such ACL : 'is_blocked'" broke all traffic routing

**Solution: HAProxy Map Files (v1.6+)**
- ✅ Unlimited IP addresses (no word limits)
- ✅ Runtime updates without config reloads
- ✅ Better performance (hash table vs linear search)
- ✅ Safer config management with validation & rollback

**Technical Implementation:**

**Map File Integration:**
- `/etc/haproxy/blocked_ips.map` stores all blocked IPs
- `http-request deny status 403 if { src -f /etc/haproxy/blocked_ips.map }`
- Runtime updates: `echo "add map #0 IP" | socat stdio /var/run/haproxy.sock`

**Safety Features Added:**
- `create_backup()` - Automatic config/map backups before changes
- `validate_haproxy_config()` - Config validation before applying
- `restore_backup()` - Automatic rollback on failures
- `reload_haproxy_safely()` - Safe reload with validation pipeline

**Runtime Management:**
- `update_blocked_ips_map()` - Sync database to map file
- `add_ip_to_runtime_map()` - Immediate IP blocking without reload
- `remove_ip_from_runtime_map()` - Immediate IP unblocking

**New API Endpoints:**
- `POST /api/config/reload` - Safe config reload with rollback
- `POST /api/blocked-ips/sync` - Sync database to runtime map

**Template Changes:**
- Replaced ACL method: `acl is_blocked src IP1 IP2...` (64 limit)
- With map method: `http-request deny if { src -f blocked_ips.map }` (unlimited)

**Backwards Compatibility:**
- Existing API endpoints unchanged (GET/POST/DELETE /api/blocked-ips)
- Database schema unchanged
- Automatic migration on first config generation

**Performance Improvements:**
- O(1) hash table lookups vs O(n) linear ACL search
- No config reloads needed for IP changes
- Supports millions of IPs if needed
- Memory efficient external file storage

**Documentation:**
- Complete migration guide in MIGRATION_GUIDE.md
- Updated API documentation with new endpoints
- Runtime management examples
- Troubleshooting guide

**Production Safety:**
- All changes include automatic backup/restore
- Config validation prevents bad deployments
- Runtime updates avoid service interruption
- Comprehensive error logging and monitoring

This fixes the critical production outage caused by ACL word limits
while providing a more scalable and performant IP blocking solution.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

											
										
										
											2025-08-22 08:31:17 -07:00
+								ddd
dddd|<02><00>gdd<12>t|d<13><02>.}dD]#}t|d<15><02>}|<03>|<05>
<0A><00>Wd<00>n1sewYt<00>|<04>qLWd<00>n1szwYt<0F>dS)z0Generate a self-signed certificate for a domain.zdefault_self_signed_cert.pemzSelf Signed Cert FoundT<64>openssl<73>reqz-x509z-newkeyzrsa:4096z-keyout<75>/tmp/key.pemz-out<75>
/tmp/cert.pemz-days<79>3650z-nodesz-subjz/CN=)<01>check<63>wb)rDrC<00>rbN)<10>os<6F>path<74>join<69>print<6E>exists<74>mkdir<69>FileExistsError<6F>socket<65>gethostnamer<r=r)r*<00>read<61>remove<76>generate_config)<06>
ssl_certs_dir<69>self_sign_cert<72>DOMAIN<49>combined<65>filerrrr<00>generate_self_signed_cert<72>s><02>
-												Fix HAProxy 2.6 compatibility for default backend

- Replace http-response set-body (HAProxy 2.8+) with local server approach
- Add separate Flask server on port 8080 to serve default page
- Update default backend template to use local server instead of inline HTML
- Maintain all customization features via environment variables
- Fix JavaScript error handling for domains API response

											
										
										
											2025-07-11 19:27:42 -07:00
 								<02><06>
-												CRITICAL FIX: Migrate HAProxy IP blocking from ACL to map files

**Problem Solved:**
- HAProxy ACL 64-word limit caused config parsing failures
- "too many words, truncating after word 64" error
- Complete service outage when >64 IPs were blocked
- Error: "no such ACL : 'is_blocked'" broke all traffic routing

**Solution: HAProxy Map Files (v1.6+)**
- ✅ Unlimited IP addresses (no word limits)
- ✅ Runtime updates without config reloads
- ✅ Better performance (hash table vs linear search)
- ✅ Safer config management with validation & rollback

**Technical Implementation:**

**Map File Integration:**
- `/etc/haproxy/blocked_ips.map` stores all blocked IPs
- `http-request deny status 403 if { src -f /etc/haproxy/blocked_ips.map }`
- Runtime updates: `echo "add map #0 IP" | socat stdio /var/run/haproxy.sock`

**Safety Features Added:**
- `create_backup()` - Automatic config/map backups before changes
- `validate_haproxy_config()` - Config validation before applying
- `restore_backup()` - Automatic rollback on failures
- `reload_haproxy_safely()` - Safe reload with validation pipeline

**Runtime Management:**
- `update_blocked_ips_map()` - Sync database to map file
- `add_ip_to_runtime_map()` - Immediate IP blocking without reload
- `remove_ip_from_runtime_map()` - Immediate IP unblocking

**New API Endpoints:**
- `POST /api/config/reload` - Safe config reload with rollback
- `POST /api/blocked-ips/sync` - Sync database to runtime map

**Template Changes:**
- Replaced ACL method: `acl is_blocked src IP1 IP2...` (64 limit)
- With map method: `http-request deny if { src -f blocked_ips.map }` (unlimited)

**Backwards Compatibility:**
- Existing API endpoints unchanged (GET/POST/DELETE /api/blocked-ips)
- Database schema unchanged
- Automatic migration on first config generation

**Performance Improvements:**
- O(1) hash table lookups vs O(n) linear ACL search
- No config reloads needed for IP changes
- Supports millions of IPs if needed
- Memory efficient external file storage

**Documentation:**
- Complete migration guide in MIGRATION_GUIDE.md
- Updated API documentation with new endpoints
- Runtime management examples
- Troubleshooting guide

**Production Safety:**
- All changes include automatic backup/restore
- Config validation prevents bad deployments
- Runtime updates avoid service interruption
- Comprehensive error logging and monitoring

This fixes the critical production outage caused by ACL word limits
while providing a more scalable and performant IP blocking solution.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

											
										
										
											2025-08-22 08:31:17 -07:00
+								<1C><02><1C>rZcCs*t<00>dg<01>D]}|jd|krdSqdS)N<>nameTF)<03>psutil<69>process_iterr()<02>process_name<6D>processrrr<00>is_process_running<6E>s
-												Fix HAProxy 2.6 compatibility for default backend

- Replace http-response set-body (HAProxy 2.8+) with local server approach
- Add separate Flask server on port 8080 to serve default page
- Update default backend template to use local server instead of inline HTML
- Maintain all customization features via environment variables
- Fix JavaScript error handling for domains API response

											
										
										
											2025-07-11 19:27:42 -07:00
+								<02>r`)<01>loaderz/api/domains<6E>GET)<01>methodsc
 								Cs<>z5t<00>t<02><01>}tj|_|<00><05>}|<01>d<01>Wd<00>n1swYdd<03>|<01><07>D<00>}tdd<05>t	|<02>WSt
 								yZ}ztddt|<03><01>t	dt|<03>d<08><02>d	fWYd}~Sd}~ww)
 								Nz<EFBFBD>
 								            SELECT d.*, b.name as backend_name
 								            FROM domains d
 								            LEFT JOIN backends b ON d.id = b.domain_id
 								        cS<00>g|]}t|<01><01>qSr<00><01>dict<63><02>.0<EFBFBD>rowrrr<00>
-												CRITICAL FIX: Migrate HAProxy IP blocking from ACL to map files

**Problem Solved:**
- HAProxy ACL 64-word limit caused config parsing failures
- "too many words, truncating after word 64" error
- Complete service outage when >64 IPs were blocked
- Error: "no such ACL : 'is_blocked'" broke all traffic routing

**Solution: HAProxy Map Files (v1.6+)**
- ✅ Unlimited IP addresses (no word limits)
- ✅ Runtime updates without config reloads
- ✅ Better performance (hash table vs linear search)
- ✅ Safer config management with validation & rollback

**Technical Implementation:**

**Map File Integration:**
- `/etc/haproxy/blocked_ips.map` stores all blocked IPs
- `http-request deny status 403 if { src -f /etc/haproxy/blocked_ips.map }`
- Runtime updates: `echo "add map #0 IP" | socat stdio /var/run/haproxy.sock`

**Safety Features Added:**
- `create_backup()` - Automatic config/map backups before changes
- `validate_haproxy_config()` - Config validation before applying
- `restore_backup()` - Automatic rollback on failures
- `reload_haproxy_safely()` - Safe reload with validation pipeline

**Runtime Management:**
- `update_blocked_ips_map()` - Sync database to map file
- `add_ip_to_runtime_map()` - Immediate IP blocking without reload
- `remove_ip_from_runtime_map()` - Immediate IP unblocking

**New API Endpoints:**
- `POST /api/config/reload` - Safe config reload with rollback
- `POST /api/blocked-ips/sync` - Sync database to runtime map

**Template Changes:**
- Replaced ACL method: `acl is_blocked src IP1 IP2...` (64 limit)
- With map method: `http-request deny if { src -f blocked_ips.map }` (unlimited)

**Backwards Compatibility:**
- Existing API endpoints unchanged (GET/POST/DELETE /api/blocked-ips)
- Database schema unchanged
- Automatic migration on first config generation

**Performance Improvements:**
- O(1) hash table lookups vs O(n) linear ACL search
- No config reloads needed for IP changes
- Supports millions of IPs if needed
- Memory efficient external file storage

**Documentation:**
- Complete migration guide in MIGRATION_GUIDE.md
- Updated API documentation with new endpoints
- Runtime management examples
- Troubleshooting guide

**Production Safety:**
- All changes include automatic backup/restore
- Config validation prevents bad deployments
- Runtime updates avoid service interruption
- Comprehensive error logging and monitoring

This fixes the critical production outage caused by ACL word limits
while providing a more scalable and performant IP blocking solution.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

											
										
										
											2025-08-22 08:31:17 -07:00
+								<listcomp><3E><00>zget_domains.<locals>.<listcomp><3E>get_domainsTFr<00><02>status<75>message<67><65><00>r0r1r2<00>Row<6F>row_factoryr3r4<00>fetchallr/r<00>	Exception<6F>str)r6r3<00>domains<6E>errrrl<00>s<1C>
-												Fix HAProxy 2.6 compatibility for default backend

- Replace http-response set-body (HAProxy 2.8+) with local server approach
- Add separate Flask server on port 8080 to serve default page
- Update default backend template to use local server instead of inline HTML
- Maintain all customization features via environment variables
- Fix JavaScript error handling for domains API response

											
										
										
											2025-07-11 19:27:42 -07:00
 								"<08><02>rlz/healthc
 								Cs<>z5td<01>}t<01>t<03><01>}|<01><04>}|<02>d<02>|<02><06>Wd<00>n1s"wYtd|r-dnddd<07><03>dfWStyR}ztd	t	|<03>d
 								<EFBFBD><02>dfWYd}~Sd}~ww)N<>haproxyzSELECT 1<>healthy<68>running<6E>stopped<65>	connected)rn<00>haproxy_status<75>database<73><65><00>	unhealthy<68>rnrrp)
-												CRITICAL FIX: Migrate HAProxy IP blocking from ACL to map files

**Problem Solved:**
- HAProxy ACL 64-word limit caused config parsing failures
- "too many words, truncating after word 64" error
- Complete service outage when >64 IPs were blocked
- Error: "no such ACL : 'is_blocked'" broke all traffic routing

**Solution: HAProxy Map Files (v1.6+)**
- ✅ Unlimited IP addresses (no word limits)
- ✅ Runtime updates without config reloads
- ✅ Better performance (hash table vs linear search)
- ✅ Safer config management with validation & rollback

**Technical Implementation:**

**Map File Integration:**
- `/etc/haproxy/blocked_ips.map` stores all blocked IPs
- `http-request deny status 403 if { src -f /etc/haproxy/blocked_ips.map }`
- Runtime updates: `echo "add map #0 IP" | socat stdio /var/run/haproxy.sock`

**Safety Features Added:**
- `create_backup()` - Automatic config/map backups before changes
- `validate_haproxy_config()` - Config validation before applying
- `restore_backup()` - Automatic rollback on failures
- `reload_haproxy_safely()` - Safe reload with validation pipeline

**Runtime Management:**
- `update_blocked_ips_map()` - Sync database to map file
- `add_ip_to_runtime_map()` - Immediate IP blocking without reload
- `remove_ip_from_runtime_map()` - Immediate IP unblocking

**New API Endpoints:**
- `POST /api/config/reload` - Safe config reload with rollback
- `POST /api/blocked-ips/sync` - Sync database to runtime map

**Template Changes:**
- Replaced ACL method: `acl is_blocked src IP1 IP2...` (64 limit)
- With map method: `http-request deny if { src -f blocked_ips.map }` (unlimited)

**Backwards Compatibility:**
- Existing API endpoints unchanged (GET/POST/DELETE /api/blocked-ips)
- Database schema unchanged
- Automatic migration on first config generation

**Performance Improvements:**
- O(1) hash table lookups vs O(n) linear ACL search
- No config reloads needed for IP changes
- Supports millions of IPs if needed
- Memory efficient external file storage

**Documentation:**
- Complete migration guide in MIGRATION_GUIDE.md
- Updated API documentation with new endpoints
- Runtime management examples
- Troubleshooting guide

**Production Safety:**
- All changes include automatic backup/restore
- Config validation prevents bad deployments
- Runtime updates avoid service interruption
- Comprehensive error logging and monitoring

This fixes the critical production outage caused by ACL word limits
while providing a more scalable and performant IP blocking solution.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

											
										
										
											2025-08-22 08:31:17 -07:00
+								r`r0r1r2r3r4<00>fetchonerrurv)<04>haproxy_runningr6r3rxrrr<00>health_check<63>s.
-												Fix HAProxy 2.6 compatibility for default backend

- Replace http-response set-body (HAProxy 2.8+) with local server approach
- Add separate Flask server on port 8080 to serve default page
- Update default backend template to use local server instead of inline HTML
- Maintain all customization features via environment variables
- Fix JavaScript error handling for domains API response

											
										
										
											2025-07-11 19:27:42 -07:00
 								<1C>
-												CRITICAL FIX: Migrate HAProxy IP blocking from ACL to map files

**Problem Solved:**
- HAProxy ACL 64-word limit caused config parsing failures
- "too many words, truncating after word 64" error
- Complete service outage when >64 IPs were blocked
- Error: "no such ACL : 'is_blocked'" broke all traffic routing

**Solution: HAProxy Map Files (v1.6+)**
- ✅ Unlimited IP addresses (no word limits)
- ✅ Runtime updates without config reloads
- ✅ Better performance (hash table vs linear search)
- ✅ Safer config management with validation & rollback

**Technical Implementation:**

**Map File Integration:**
- `/etc/haproxy/blocked_ips.map` stores all blocked IPs
- `http-request deny status 403 if { src -f /etc/haproxy/blocked_ips.map }`
- Runtime updates: `echo "add map #0 IP" | socat stdio /var/run/haproxy.sock`

**Safety Features Added:**
- `create_backup()` - Automatic config/map backups before changes
- `validate_haproxy_config()` - Config validation before applying
- `restore_backup()` - Automatic rollback on failures
- `reload_haproxy_safely()` - Safe reload with validation pipeline

**Runtime Management:**
- `update_blocked_ips_map()` - Sync database to map file
- `add_ip_to_runtime_map()` - Immediate IP blocking without reload
- `remove_ip_from_runtime_map()` - Immediate IP unblocking

**New API Endpoints:**
- `POST /api/config/reload` - Safe config reload with rollback
- `POST /api/blocked-ips/sync` - Sync database to runtime map

**Template Changes:**
- Replaced ACL method: `acl is_blocked src IP1 IP2...` (64 limit)
- With map method: `http-request deny if { src -f blocked_ips.map }` (unlimited)

**Backwards Compatibility:**
- Existing API endpoints unchanged (GET/POST/DELETE /api/blocked-ips)
- Database schema unchanged
- Automatic migration on first config generation

**Performance Improvements:**
- O(1) hash table lookups vs O(n) linear ACL search
- No config reloads needed for IP changes
- Supports millions of IPs if needed
- Memory efficient external file storage

**Documentation:**
- Complete migration guide in MIGRATION_GUIDE.md
- Updated API documentation with new endpoints
- Runtime management examples
- Troubleshooting guide

**Production Safety:**
- All changes include automatic backup/restore
- Config validation prevents bad deployments
- Runtime updates avoid service interruption
- Comprehensive error logging and monitoring

This fixes the critical production outage caused by ACL word limits
while providing a more scalable and performant IP blocking solution.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

											
										
										
											2025-08-22 08:31:17 -07:00
+								<06><06><06><10><08><02>r<EFBFBD>z/api/regeneratec
-												Fix HAProxy 2.6 compatibility for default backend

- Replace http-response set-body (HAProxy 2.8+) with local server approach
- Add separate Flask server on port 8080 to serve default page
- Update default backend template to use local server instead of inline HTML
- Maintain all customization features via environment variables
- Fix JavaScript error handling for domains API response

											
										
										
											2025-07-11 19:27:42 -07:00
+								Csnzt<00>tdd<02>tddi<01>dfWSty6}ztddt|<00><01>tdt|<00>d<08><02>d	fWYd}~Sd}~ww)
-												CRITICAL FIX: Migrate HAProxy IP blocking from ACL to map files

**Problem Solved:**
- HAProxy ACL 64-word limit caused config parsing failures
- "too many words, truncating after word 64" error
- Complete service outage when >64 IPs were blocked
- Error: "no such ACL : 'is_blocked'" broke all traffic routing

**Solution: HAProxy Map Files (v1.6+)**
- ✅ Unlimited IP addresses (no word limits)
- ✅ Runtime updates without config reloads
- ✅ Better performance (hash table vs linear search)
- ✅ Safer config management with validation & rollback

**Technical Implementation:**

**Map File Integration:**
- `/etc/haproxy/blocked_ips.map` stores all blocked IPs
- `http-request deny status 403 if { src -f /etc/haproxy/blocked_ips.map }`
- Runtime updates: `echo "add map #0 IP" | socat stdio /var/run/haproxy.sock`

**Safety Features Added:**
- `create_backup()` - Automatic config/map backups before changes
- `validate_haproxy_config()` - Config validation before applying
- `restore_backup()` - Automatic rollback on failures
- `reload_haproxy_safely()` - Safe reload with validation pipeline

**Runtime Management:**
- `update_blocked_ips_map()` - Sync database to map file
- `add_ip_to_runtime_map()` - Immediate IP blocking without reload
- `remove_ip_from_runtime_map()` - Immediate IP unblocking

**New API Endpoints:**
- `POST /api/config/reload` - Safe config reload with rollback
- `POST /api/blocked-ips/sync` - Sync database to runtime map

**Template Changes:**
- Replaced ACL method: `acl is_blocked src IP1 IP2...` (64 limit)
- With map method: `http-request deny if { src -f blocked_ips.map }` (unlimited)

**Backwards Compatibility:**
- Existing API endpoints unchanged (GET/POST/DELETE /api/blocked-ips)
- Database schema unchanged
- Automatic migration on first config generation

**Performance Improvements:**
- O(1) hash table lookups vs O(n) linear ACL search
- No config reloads needed for IP changes
- Supports millions of IPs if needed
- Memory efficient external file storage

**Documentation:**
- Complete migration guide in MIGRATION_GUIDE.md
- Updated API documentation with new endpoints
- Runtime management examples
- Troubleshooting guide

**Production Safety:**
- All changes include automatic backup/restore
- Config validation prevents bad deployments
- Runtime updates avoid service interruption
- Comprehensive error logging and monitoring

This fixes the critical production outage caused by ACL word limits
while providing a more scalable and performant IP blocking solution.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

											
										
										
											2025-08-22 08:31:17 -07:00
+								N<EFBFBD>regenerate_configTrnr"r<>F<>failedr<64>rp<00>rTr/rrurv<00>rxrrr<00>regenerate_conf<6E>s
 								<06><10><08><02>r<EFBFBD>z/api/reloadc
-												Fix HAProxy 2.6 compatibility for default backend

- Replace http-response set-body (HAProxy 2.8+) with local server approach
- Add separate Flask server on port 8080 to serve default page
- Update default backend template to use local server instead of inline HTML
- Maintain all customization features via environment variables
- Fix JavaScript error handling for domains API response

											
										
										
											2025-07-11 19:27:42 -07:00
+								CsBzptd<01>r-tjdddddd<04>}td|j<04>d|j<05>d|j<06><00><06>tdd<03>tdd	i<01>d
 								fWStjdddd
dt	gdddd<0F>}|jdkrStd<11>tdd<03>tdd	i<01>d
 								fWSd|j<04>d|j<05><00>}t|<01>tdd|<01>td|d<17><02>dfWStj
-												CRITICAL FIX: Migrate HAProxy IP blocking from ACL to map files

**Problem Solved:**
- HAProxy ACL 64-word limit caused config parsing failures
- "too many words, truncating after word 64" error
- Complete service outage when >64 IPs were blocked
- Error: "no such ACL : 'is_blocked'" broke all traffic routing

**Solution: HAProxy Map Files (v1.6+)**
- ✅ Unlimited IP addresses (no word limits)
- ✅ Runtime updates without config reloads
- ✅ Better performance (hash table vs linear search)
- ✅ Safer config management with validation & rollback

**Technical Implementation:**

**Map File Integration:**
- `/etc/haproxy/blocked_ips.map` stores all blocked IPs
- `http-request deny status 403 if { src -f /etc/haproxy/blocked_ips.map }`
- Runtime updates: `echo "add map #0 IP" | socat stdio /var/run/haproxy.sock`

**Safety Features Added:**
- `create_backup()` - Automatic config/map backups before changes
- `validate_haproxy_config()` - Config validation before applying
- `restore_backup()` - Automatic rollback on failures
- `reload_haproxy_safely()` - Safe reload with validation pipeline

**Runtime Management:**
- `update_blocked_ips_map()` - Sync database to map file
- `add_ip_to_runtime_map()` - Immediate IP blocking without reload
- `remove_ip_from_runtime_map()` - Immediate IP unblocking

**New API Endpoints:**
- `POST /api/config/reload` - Safe config reload with rollback
- `POST /api/blocked-ips/sync` - Sync database to runtime map

**Template Changes:**
- Replaced ACL method: `acl is_blocked src IP1 IP2...` (64 limit)
- With map method: `http-request deny if { src -f blocked_ips.map }` (unlimited)

**Backwards Compatibility:**
- Existing API endpoints unchanged (GET/POST/DELETE /api/blocked-ips)
- Database schema unchanged
- Automatic migration on first config generation

**Performance Improvements:**
- O(1) hash table lookups vs O(n) linear ACL search
- No config reloads needed for IP changes
- Supports millions of IPs if needed
- Memory efficient external file storage

**Documentation:**
- Complete migration guide in MIGRATION_GUIDE.md
- Updated API documentation with new endpoints
- Runtime management examples
- Troubleshooting guide

**Production Safety:**
- All changes include automatic backup/restore
- Config validation prevents bad deployments
- Runtime updates avoid service interruption
- Comprehensive error logging and monitoring

This fixes the critical production outage caused by ACL word limits
while providing a more scalable and performant IP blocking solution.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

											
										
										
											2025-08-22 08:31:17 -07:00
+								y<EFBFBD>}z#d|j<04>d|j<05><00>}t|<01>tdd|<01>td|d<17><02>dfWYd}~Sd}~ww)Nry<00>,echo "reload" | socat stdio /tmp/haproxy-cliT)rFr:<00>text<78>shellzReload result: z, <20>reload_haproxyrnr"r<><00>-W<>-S<>/tmp/haproxy-cli,level,admin<69>-f<>rFr:r<>r<00>HAProxy started successfully<6C>
start_haproxy<78> HAProxy start command returned: <20>
 								Error output: Fr<46>r<>rp<00>Failed to start HAProxy: r$)r`r<r=rL<00>stdout<75>stderrr>r/r<00>HAPROXY_CONFIG_PATH<54>CalledProcessError<6F>r?<00>	error_msgrxrrrr<><00>s:<06>
-												Fix HAProxy 2.6 compatibility for default backend

- Replace http-response set-body (HAProxy 2.8+) with local server approach
- Add separate Flask server on port 8080 to serve default page
- Update default backend template to use local server instead of inline HTML
- Maintain all customization features via environment variables
- Fix JavaScript error handling for domains API response

											
										
										
											2025-07-11 19:27:42 -07:00
+								<06>
-												CRITICAL FIX: Migrate HAProxy IP blocking from ACL to map files

**Problem Solved:**
- HAProxy ACL 64-word limit caused config parsing failures
- "too many words, truncating after word 64" error
- Complete service outage when >64 IPs were blocked
- Error: "no such ACL : 'is_blocked'" broke all traffic routing

**Solution: HAProxy Map Files (v1.6+)**
- ✅ Unlimited IP addresses (no word limits)
- ✅ Runtime updates without config reloads
- ✅ Better performance (hash table vs linear search)
- ✅ Safer config management with validation & rollback

**Technical Implementation:**

**Map File Integration:**
- `/etc/haproxy/blocked_ips.map` stores all blocked IPs
- `http-request deny status 403 if { src -f /etc/haproxy/blocked_ips.map }`
- Runtime updates: `echo "add map #0 IP" | socat stdio /var/run/haproxy.sock`

**Safety Features Added:**
- `create_backup()` - Automatic config/map backups before changes
- `validate_haproxy_config()` - Config validation before applying
- `restore_backup()` - Automatic rollback on failures
- `reload_haproxy_safely()` - Safe reload with validation pipeline

**Runtime Management:**
- `update_blocked_ips_map()` - Sync database to map file
- `add_ip_to_runtime_map()` - Immediate IP blocking without reload
- `remove_ip_from_runtime_map()` - Immediate IP unblocking

**New API Endpoints:**
- `POST /api/config/reload` - Safe config reload with rollback
- `POST /api/blocked-ips/sync` - Sync database to runtime map

**Template Changes:**
- Replaced ACL method: `acl is_blocked src IP1 IP2...` (64 limit)
- With map method: `http-request deny if { src -f blocked_ips.map }` (unlimited)

**Backwards Compatibility:**
- Existing API endpoints unchanged (GET/POST/DELETE /api/blocked-ips)
- Database schema unchanged
- Automatic migration on first config generation

**Performance Improvements:**
- O(1) hash table lookups vs O(n) linear ACL search
- No config reloads needed for IP changes
- Supports millions of IPs if needed
- Memory efficient external file storage

**Documentation:**
- Complete migration guide in MIGRATION_GUIDE.md
- Updated API documentation with new endpoints
- Runtime management examples
- Troubleshooting guide

**Production Safety:**
- All changes include automatic backup/restore
- Config validation prevents bad deployments
- Runtime updates avoid service interruption
- Comprehensive error logging and monitoring

This fixes the critical production outage caused by ACL word limits
while providing a more scalable and performant IP blocking solution.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

											
										
										
											2025-08-22 08:31:17 -07:00
+								<08><02>r<EFBFBD>z/api/domain<69>POSTcCsnt<00><01>}|<00>d<01>}|<00>d<02>}|<00>d<03>}|<00>dg<00>}|r|s,tddd<07>tddd	<09><02>d
-												Fix HAProxy 2.6 compatibility for default backend

- Replace http-response set-body (HAProxy 2.8+) with local server approach
- Add separate Flask server on port 8080 to serve default page
- Update default backend template to use local server instead of inline HTML
- Maintain all customization features via environment variables
- Fix JavaScript error handling for domains API response

											
										
										
											2025-07-11 19:27:42 -07:00
+								fSzet<05>t<07><01>;}|<05><08>}|<06>	d||f<02>|j
 								}|<06>	d||f<02>|j
 								}|D]}	|<06>	d
||	d|	d|	d|	<09>d<11>f<05>qOWd<00>n1spwY|<06><0B>|<05><0B>t<0C>tddd|<01>d<14><03>td|d<16><02>WSt
y<>}
 								ztddt|
 								<EFBFBD><01>tdt|
 								<EFBFBD>d	<09><02>dfWYd}
 								~
 								Sd}
 								~
 								ww)N<>domain<69>template_override<64>backend_name<6D>servers<72>
 								add_domainFz$Domain and backend_name are requiredrrm<00><>z=INSERT INTO domains (domain, template_override) VALUES (?, ?)z4INSERT INTO backends (name, domain_id) VALUES (?, ?)z<>
 								                    INSERT INTO backend_servers
 								                    (backend_id, server_name, server_address, server_port, server_options)
 								                    VALUES (?, ?, ?, ?, ?)
-												CRITICAL FIX: Migrate HAProxy IP blocking from ACL to map files

**Problem Solved:**
- HAProxy ACL 64-word limit caused config parsing failures
- "too many words, truncating after word 64" error
- Complete service outage when >64 IPs were blocked
- Error: "no such ACL : 'is_blocked'" broke all traffic routing

**Solution: HAProxy Map Files (v1.6+)**
- ✅ Unlimited IP addresses (no word limits)
- ✅ Runtime updates without config reloads
- ✅ Better performance (hash table vs linear search)
- ✅ Safer config management with validation & rollback

**Technical Implementation:**

**Map File Integration:**
- `/etc/haproxy/blocked_ips.map` stores all blocked IPs
- `http-request deny status 403 if { src -f /etc/haproxy/blocked_ips.map }`
- Runtime updates: `echo "add map #0 IP" | socat stdio /var/run/haproxy.sock`

**Safety Features Added:**
- `create_backup()` - Automatic config/map backups before changes
- `validate_haproxy_config()` - Config validation before applying
- `restore_backup()` - Automatic rollback on failures
- `reload_haproxy_safely()` - Safe reload with validation pipeline

**Runtime Management:**
- `update_blocked_ips_map()` - Sync database to map file
- `add_ip_to_runtime_map()` - Immediate IP blocking without reload
- `remove_ip_from_runtime_map()` - Immediate IP unblocking

**New API Endpoints:**
- `POST /api/config/reload` - Safe config reload with rollback
- `POST /api/blocked-ips/sync` - Sync database to runtime map

**Template Changes:**
- Replaced ACL method: `acl is_blocked src IP1 IP2...` (64 limit)
- With map method: `http-request deny if { src -f blocked_ips.map }` (unlimited)

**Backwards Compatibility:**
- Existing API endpoints unchanged (GET/POST/DELETE /api/blocked-ips)
- Database schema unchanged
- Automatic migration on first config generation

**Performance Improvements:**
- O(1) hash table lookups vs O(n) linear ACL search
- No config reloads needed for IP changes
- Supports millions of IPs if needed
- Memory efficient external file storage

**Documentation:**
- Complete migration guide in MIGRATION_GUIDE.md
- Updated API documentation with new endpoints
- Runtime management examples
- Troubleshooting guide

**Production Safety:**
- All changes include automatic backup/restore
- Config validation prevents bad deployments
- Runtime updates avoid service interruption
- Comprehensive error logging and monitoring

This fixes the critical production outage caused by ACL word limits
while providing a more scalable and performant IP blocking solution.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

											
										
										
											2025-08-22 08:31:17 -07:00
+								                r[<00>address<73>port<72>optionsT<73>Domain z added successfullyr")rn<00>	domain_idrp)r<00>get_jsonrr/rr0r1r2r3r4<00>	lastrowid<69>closerTrurv)<0B>datar<61>r<>r<>r<>r6r3r<><00>
 								backend_id<EFBFBD>serverrxrrrr<>sF
-												Fix HAProxy 2.6 compatibility for default backend

- Replace http-response set-body (HAProxy 2.8+) with local server approach
- Add separate Flask server on port 8080 to serve default page
- Update default backend template to use local server instead of inline HTML
- Maintain all customization features via environment variables
- Fix JavaScript error handling for domains API response

											
										
										
											2025-07-11 19:27:42 -07:00
-												CRITICAL FIX: Migrate HAProxy IP blocking from ACL to map files

**Problem Solved:**
- HAProxy ACL 64-word limit caused config parsing failures
- "too many words, truncating after word 64" error
- Complete service outage when >64 IPs were blocked
- Error: "no such ACL : 'is_blocked'" broke all traffic routing

**Solution: HAProxy Map Files (v1.6+)**
- ✅ Unlimited IP addresses (no word limits)
- ✅ Runtime updates without config reloads
- ✅ Better performance (hash table vs linear search)
- ✅ Safer config management with validation & rollback

**Technical Implementation:**

**Map File Integration:**
- `/etc/haproxy/blocked_ips.map` stores all blocked IPs
- `http-request deny status 403 if { src -f /etc/haproxy/blocked_ips.map }`
- Runtime updates: `echo "add map #0 IP" | socat stdio /var/run/haproxy.sock`

**Safety Features Added:**
- `create_backup()` - Automatic config/map backups before changes
- `validate_haproxy_config()` - Config validation before applying
- `restore_backup()` - Automatic rollback on failures
- `reload_haproxy_safely()` - Safe reload with validation pipeline

**Runtime Management:**
- `update_blocked_ips_map()` - Sync database to map file
- `add_ip_to_runtime_map()` - Immediate IP blocking without reload
- `remove_ip_from_runtime_map()` - Immediate IP unblocking

**New API Endpoints:**
- `POST /api/config/reload` - Safe config reload with rollback
- `POST /api/blocked-ips/sync` - Sync database to runtime map

**Template Changes:**
- Replaced ACL method: `acl is_blocked src IP1 IP2...` (64 limit)
- With map method: `http-request deny if { src -f blocked_ips.map }` (unlimited)

**Backwards Compatibility:**
- Existing API endpoints unchanged (GET/POST/DELETE /api/blocked-ips)
- Database schema unchanged
- Automatic migration on first config generation

**Performance Improvements:**
- O(1) hash table lookups vs O(n) linear ACL search
- No config reloads needed for IP changes
- Supports millions of IPs if needed
- Memory efficient external file storage

**Documentation:**
- Complete migration guide in MIGRATION_GUIDE.md
- Updated API documentation with new endpoints
- Runtime management examples
- Troubleshooting guide

**Production Safety:**
- All changes include automatic backup/restore
- Config validation prevents bad deployments
- Runtime updates avoid service interruption
- Comprehensive error logging and monitoring

This fixes the critical production outage caused by ACL word limits
while providing a more scalable and performant IP blocking solution.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

											
										
										
											2025-08-22 08:31:17 -07:00
+								<04><02><06><02><1C>"<08><02>r<EFBFBD><00>/cCstd<01>S)Nz
 								index.html<6D>rrrrr<00>index.sr<>z
/default-pagecCs<tj<01>dd<02>}tdtj<01>dd<05>tj<01>dd<07>tj<01>dd	<09>d
 								<EFBFBD>S<00>z,Serve the default page for unmatched domains<6E>HAPROXY_ADMIN_EMAILzadmin@example.comzdefault_page.html<6D>HAPROXY_DEFAULT_PAGE_TITLEzSite Not Configured<65>HAPROXY_DEFAULT_MAIN_MESSAGEziThis domain has not been configured yet. Please contact your system administrator to set up this website.<2E>!HAPROXY_DEFAULT_SECONDARY_MESSAGEzLIf you believe this is an error, please check the domain name and try again.)<03>
 								page_title<EFBFBD>main_message<67>secondary_message)rI<00>environrr<00><01>admin_emailrrr<00>default_page2<00><06>r<EFBFBD>z/api/sslc
-												Fix HAProxy 2.6 compatibility for default backend

- Replace http-response set-body (HAProxy 2.8+) with local server approach
- Add separate Flask server on port 8080 to serve default page
- Update default backend template to use local server instead of inline HTML
- Maintain all customization features via environment variables
- Fix JavaScript error handling for domains API response

											
										
										
											2025-07-11 19:27:42 -07:00
+								Cs<>t<00><01>}|<00>d<01>}|stddd<04>tddd<07><02>dfSz<>tjd	d
 								ddd
ddd|g	ddd<12>}|jdkr<>d|<01>d<15>}d|<01>d<16>}t<08>d|<01>d<18>}t	j
 								tdd<19>t|d<1A><02>}tjd||g|d<1C>Wd<00>n1sfwYt<0C>
t<0E><01>}|<07><0F>}|<08>d||f<02>Wd<00>n1s<>wY|<08><11>|<07><11>t<12>tddd|<01><00><02>td ||d!d"<22><04>WSd#|j<13><00>}	tdd|	<09>td|	d<07><02>d$fWSty<>}
 								ztddt|
 								<EFBFBD><01>tdt|
 								<EFBFBD>d<07><02>d$fWYd}
 								~
 								Sd}
 								~
-												CRITICAL FIX: Migrate HAProxy IP blocking from ACL to map files

**Problem Solved:**
- HAProxy ACL 64-word limit caused config parsing failures
- "too many words, truncating after word 64" error
- Complete service outage when >64 IPs were blocked
- Error: "no such ACL : 'is_blocked'" broke all traffic routing

**Solution: HAProxy Map Files (v1.6+)**
- ✅ Unlimited IP addresses (no word limits)
- ✅ Runtime updates without config reloads
- ✅ Better performance (hash table vs linear search)
- ✅ Safer config management with validation & rollback

**Technical Implementation:**

**Map File Integration:**
- `/etc/haproxy/blocked_ips.map` stores all blocked IPs
- `http-request deny status 403 if { src -f /etc/haproxy/blocked_ips.map }`
- Runtime updates: `echo "add map #0 IP" | socat stdio /var/run/haproxy.sock`

**Safety Features Added:**
- `create_backup()` - Automatic config/map backups before changes
- `validate_haproxy_config()` - Config validation before applying
- `restore_backup()` - Automatic rollback on failures
- `reload_haproxy_safely()` - Safe reload with validation pipeline

**Runtime Management:**
- `update_blocked_ips_map()` - Sync database to map file
- `add_ip_to_runtime_map()` - Immediate IP blocking without reload
- `remove_ip_from_runtime_map()` - Immediate IP unblocking

**New API Endpoints:**
- `POST /api/config/reload` - Safe config reload with rollback
- `POST /api/blocked-ips/sync` - Sync database to runtime map

**Template Changes:**
- Replaced ACL method: `acl is_blocked src IP1 IP2...` (64 limit)
- With map method: `http-request deny if { src -f blocked_ips.map }` (unlimited)

**Backwards Compatibility:**
- Existing API endpoints unchanged (GET/POST/DELETE /api/blocked-ips)
- Database schema unchanged
- Automatic migration on first config generation

**Performance Improvements:**
- O(1) hash table lookups vs O(n) linear ACL search
- No config reloads needed for IP changes
- Supports millions of IPs if needed
- Memory efficient external file storage

**Documentation:**
- Complete migration guide in MIGRATION_GUIDE.md
- Updated API documentation with new endpoints
- Runtime management examples
- Troubleshooting guide

**Production Safety:**
- All changes include automatic backup/restore
- Config validation prevents bad deployments
- Runtime updates avoid service interruption
- Comprehensive error logging and monitoring

This fixes the critical production outage caused by ACL word limits
while providing a more scalable and performant IP blocking solution.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

											
										
										
											2025-08-22 08:31:17 -07:00
+								ww)%zBLegacy endpoint for requesting SSL certificate for a single domainr<6E><00>request_sslFzDomain not providedr<00>Domain is requiredrmr<>r8<00>certonly<6C>-n<>--standalone<6E>--preferred-challenges<65>http<74>--http-01-port=8688<38>-dT<64>r:r<>r<00>/etc/letsencrypt/live/<2F>/fullchain.pem<65>/privkey.pemr<6D><00>.pem<65><01>exist_ok<6F>w<>cat<61>r<>Nz<4E>
-												Fix HAProxy 2.6 compatibility for default backend

- Replace http-response set-body (HAProxy 2.8+) with local server approach
- Add separate Flask server on port 8080 to serve default page
- Update default backend template to use local server instead of inline HTML
- Maintain all customization features via environment variables
- Fix JavaScript error handling for domains API response

											
										
										
											2025-07-11 19:27:42 -07:00
+								                    UPDATE domains
 								                    SET ssl_enabled = 1, ssl_cert_path = ?
 								                    WHERE domain = ?
-												CRITICAL FIX: Migrate HAProxy IP blocking from ACL to map files

**Problem Solved:**
- HAProxy ACL 64-word limit caused config parsing failures
- "too many words, truncating after word 64" error
- Complete service outage when >64 IPs were blocked
- Error: "no such ACL : 'is_blocked'" broke all traffic routing

**Solution: HAProxy Map Files (v1.6+)**
- ✅ Unlimited IP addresses (no word limits)
- ✅ Runtime updates without config reloads
- ✅ Better performance (hash table vs linear search)
- ✅ Safer config management with validation & rollback

**Technical Implementation:**

**Map File Integration:**
- `/etc/haproxy/blocked_ips.map` stores all blocked IPs
- `http-request deny status 403 if { src -f /etc/haproxy/blocked_ips.map }`
- Runtime updates: `echo "add map #0 IP" | socat stdio /var/run/haproxy.sock`

**Safety Features Added:**
- `create_backup()` - Automatic config/map backups before changes
- `validate_haproxy_config()` - Config validation before applying
- `restore_backup()` - Automatic rollback on failures
- `reload_haproxy_safely()` - Safe reload with validation pipeline

**Runtime Management:**
- `update_blocked_ips_map()` - Sync database to map file
- `add_ip_to_runtime_map()` - Immediate IP blocking without reload
- `remove_ip_from_runtime_map()` - Immediate IP unblocking

**New API Endpoints:**
- `POST /api/config/reload` - Safe config reload with rollback
- `POST /api/blocked-ips/sync` - Sync database to runtime map

**Template Changes:**
- Replaced ACL method: `acl is_blocked src IP1 IP2...` (64 limit)
- With map method: `http-request deny if { src -f blocked_ips.map }` (unlimited)

**Backwards Compatibility:**
- Existing API endpoints unchanged (GET/POST/DELETE /api/blocked-ips)
- Database schema unchanged
- Automatic migration on first config generation

**Performance Improvements:**
- O(1) hash table lookups vs O(n) linear ACL search
- No config reloads needed for IP changes
- Supports millions of IPs if needed
- Memory efficient external file storage

**Documentation:**
- Complete migration guide in MIGRATION_GUIDE.md
- Updated API documentation with new endpoints
- Runtime management examples
- Troubleshooting guide

**Production Safety:**
- All changes include automatic backup/restore
- Config validation prevents bad deployments
- Runtime updates avoid service interruption
- Comprehensive error logging and monitoring

This fixes the critical production outage caused by ACL word limits
while providing a more scalable and performant IP blocking solution.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

											
										
										
											2025-08-22 08:31:17 -07:00
+								                zSSL certificate obtained for r"<00>!Certificate obtained successfully)rnr<><00>	cert_pathroz"Failed to obtain SSL certificate: rp)rr<>rr/rr<r=r><00>
SSL_CERTS_DIRrI<00>makedirsr)r0r1r2r3r4r<>rTr<>rurv)r<>r<>r?r<><00>key_path<74>
combined_pathrXr6r3r<>rxrrrr<>=sZ
-												Fix HAProxy 2.6 compatibility for default backend

- Replace http-response set-body (HAProxy 2.8+) with local server approach
- Add separate Flask server on port 8080 to serve default page
- Update default backend template to use local server instead of inline HTML
- Maintain all customization features via environment variables
- Fix JavaScript error handling for domains API response

											
										
										
											2025-07-11 19:27:42 -07:00
+								<02><06>
 								<1C><06><1C>
-												CRITICAL FIX: Migrate HAProxy IP blocking from ACL to map files

**Problem Solved:**
- HAProxy ACL 64-word limit caused config parsing failures
- "too many words, truncating after word 64" error
- Complete service outage when >64 IPs were blocked
- Error: "no such ACL : 'is_blocked'" broke all traffic routing

**Solution: HAProxy Map Files (v1.6+)**
- ✅ Unlimited IP addresses (no word limits)
- ✅ Runtime updates without config reloads
- ✅ Better performance (hash table vs linear search)
- ✅ Safer config management with validation & rollback

**Technical Implementation:**

**Map File Integration:**
- `/etc/haproxy/blocked_ips.map` stores all blocked IPs
- `http-request deny status 403 if { src -f /etc/haproxy/blocked_ips.map }`
- Runtime updates: `echo "add map #0 IP" | socat stdio /var/run/haproxy.sock`

**Safety Features Added:**
- `create_backup()` - Automatic config/map backups before changes
- `validate_haproxy_config()` - Config validation before applying
- `restore_backup()` - Automatic rollback on failures
- `reload_haproxy_safely()` - Safe reload with validation pipeline

**Runtime Management:**
- `update_blocked_ips_map()` - Sync database to map file
- `add_ip_to_runtime_map()` - Immediate IP blocking without reload
- `remove_ip_from_runtime_map()` - Immediate IP unblocking

**New API Endpoints:**
- `POST /api/config/reload` - Safe config reload with rollback
- `POST /api/blocked-ips/sync` - Sync database to runtime map

**Template Changes:**
- Replaced ACL method: `acl is_blocked src IP1 IP2...` (64 limit)
- With map method: `http-request deny if { src -f blocked_ips.map }` (unlimited)

**Backwards Compatibility:**
- Existing API endpoints unchanged (GET/POST/DELETE /api/blocked-ips)
- Database schema unchanged
- Automatic migration on first config generation

**Performance Improvements:**
- O(1) hash table lookups vs O(n) linear ACL search
- No config reloads needed for IP changes
- Supports millions of IPs if needed
- Memory efficient external file storage

**Documentation:**
- Complete migration guide in MIGRATION_GUIDE.md
- Updated API documentation with new endpoints
- Runtime management examples
- Troubleshooting guide

**Production Safety:**
- All changes include automatic backup/restore
- Config validation prevents bad deployments
- Runtime updates avoid service interruption
- Comprehensive error logging and monitoring

This fixes the critical production outage caused by ACL word limits
while providing a more scalable and performant IP blocking solution.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

											
										
										
											2025-08-22 08:31:17 -07:00
+								<EFBFBD>"<08><02>r<EFBFBD>z/api/certificates/renewc
-												Fix HAProxy 2.6 compatibility for default backend

- Replace http-response set-body (HAProxy 2.8+) with local server approach
- Add separate Flask server on port 8080 to serve default page
- Update default backend template to use local server instead of inline HTML
- Maintain all customization features via environment variables
- Fix JavaScript error handling for domains API response

											
										
										
											2025-07-11 19:27:42 -07:00
+								Csz<>tjgd<01>ddd<03>}|jdkr<>d|jvsd|jvr<>t<04>t<06><01>[}|<01><07>}|<02>d<07>|<02>	<09>}|D]C\}}|rrt
 								j<0B>|<05>rrd|<04>d	<09>}d|<04>d
 								<EFBFBD>}t
 								j<0B>|<06>rrt
 								j<0B>|<07>rrt
|d<0B><02>}tjd||g|d
<0A>Wd<00>n1smwYq/Wd<00>n1s}wYt<0E>tjddddd<10>}	|	jdkr<>tddd<12>tddd<14><02>WSd|	j<11><00>}
 								tdd|
 								<EFBFBD>td|
 								d<14><02>dfWStddd<19>tddd<14><02>WSd|j<11><00>}
 								tdd|
 								<EFBFBD>td|
-												CRITICAL FIX: Migrate HAProxy IP blocking from ACL to map files

**Problem Solved:**
- HAProxy ACL 64-word limit caused config parsing failures
- "too many words, truncating after word 64" error
- Complete service outage when >64 IPs were blocked
- Error: "no such ACL : 'is_blocked'" broke all traffic routing

**Solution: HAProxy Map Files (v1.6+)**
- ✅ Unlimited IP addresses (no word limits)
- ✅ Runtime updates without config reloads
- ✅ Better performance (hash table vs linear search)
- ✅ Safer config management with validation & rollback

**Technical Implementation:**

**Map File Integration:**
- `/etc/haproxy/blocked_ips.map` stores all blocked IPs
- `http-request deny status 403 if { src -f /etc/haproxy/blocked_ips.map }`
- Runtime updates: `echo "add map #0 IP" | socat stdio /var/run/haproxy.sock`

**Safety Features Added:**
- `create_backup()` - Automatic config/map backups before changes
- `validate_haproxy_config()` - Config validation before applying
- `restore_backup()` - Automatic rollback on failures
- `reload_haproxy_safely()` - Safe reload with validation pipeline

**Runtime Management:**
- `update_blocked_ips_map()` - Sync database to map file
- `add_ip_to_runtime_map()` - Immediate IP blocking without reload
- `remove_ip_from_runtime_map()` - Immediate IP unblocking

**New API Endpoints:**
- `POST /api/config/reload` - Safe config reload with rollback
- `POST /api/blocked-ips/sync` - Sync database to runtime map

**Template Changes:**
- Replaced ACL method: `acl is_blocked src IP1 IP2...` (64 limit)
- With map method: `http-request deny if { src -f blocked_ips.map }` (unlimited)

**Backwards Compatibility:**
- Existing API endpoints unchanged (GET/POST/DELETE /api/blocked-ips)
- Database schema unchanged
- Automatic migration on first config generation

**Performance Improvements:**
- O(1) hash table lookups vs O(n) linear ACL search
- No config reloads needed for IP changes
- Supports millions of IPs if needed
- Memory efficient external file storage

**Documentation:**
- Complete migration guide in MIGRATION_GUIDE.md
- Updated API documentation with new endpoints
- Runtime management examples
- Troubleshooting guide

**Production Safety:**
- All changes include automatic backup/restore
- Config validation prevents bad deployments
- Runtime updates avoid service interruption
- Comprehensive error logging and monitoring

This fixes the critical production outage caused by ACL word limits
while providing a more scalable and performant IP blocking solution.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

											
										
										
											2025-08-22 08:31:17 -07:00
+								d<14><02>dfWSty<>}ztddt|<0B><01>tdt|<0B>d<14><02>dfWYd}~Sd}~ww)z)Renew all certificates and reload HAProxy)r8<00>renewz--quietTr<54>r<00>Congratulations<6E>renewedz?SELECT domain, ssl_cert_path FROM domains WHERE ssl_enabled = 1r<31>r<>r<>r<>r<>r<>Nr<4E><00>r:r<>r<><00>renew_certificatesz)Certificates renewed and HAProxy reloadedr"rmz0Certificates renewed but HAProxy reload failed: F<>partial_successrpzNo certificates needed renewalzCertificate renewal failed: r)r<r=r>r<>r0r1r2r3r4rtrIrJrMr)rTr/rr<>rurv)r?r6r3rwr<>r<><00>letsencrypt_cert<72>letsencrypt_keyrX<00>
reload_resultr<74>rxrrrr<>wsR
-												Fix HAProxy 2.6 compatibility for default backend

- Replace http-response set-body (HAProxy 2.8+) with local server approach
- Add separate Flask server on port 8080 to serve default page
- Update default backend template to use local server instead of inline HTML
- Maintain all customization features via environment variables
- Fix JavaScript error handling for domains API response

											
										
										
											2025-07-11 19:27:42 -07:00
+								<06>
 								<1C><02><02><1C><06>
-												CRITICAL FIX: Migrate HAProxy IP blocking from ACL to map files

**Problem Solved:**
- HAProxy ACL 64-word limit caused config parsing failures
- "too many words, truncating after word 64" error
- Complete service outage when >64 IPs were blocked
- Error: "no such ACL : 'is_blocked'" broke all traffic routing

**Solution: HAProxy Map Files (v1.6+)**
- ✅ Unlimited IP addresses (no word limits)
- ✅ Runtime updates without config reloads
- ✅ Better performance (hash table vs linear search)
- ✅ Safer config management with validation & rollback

**Technical Implementation:**

**Map File Integration:**
- `/etc/haproxy/blocked_ips.map` stores all blocked IPs
- `http-request deny status 403 if { src -f /etc/haproxy/blocked_ips.map }`
- Runtime updates: `echo "add map #0 IP" | socat stdio /var/run/haproxy.sock`

**Safety Features Added:**
- `create_backup()` - Automatic config/map backups before changes
- `validate_haproxy_config()` - Config validation before applying
- `restore_backup()` - Automatic rollback on failures
- `reload_haproxy_safely()` - Safe reload with validation pipeline

**Runtime Management:**
- `update_blocked_ips_map()` - Sync database to map file
- `add_ip_to_runtime_map()` - Immediate IP blocking without reload
- `remove_ip_from_runtime_map()` - Immediate IP unblocking

**New API Endpoints:**
- `POST /api/config/reload` - Safe config reload with rollback
- `POST /api/blocked-ips/sync` - Sync database to runtime map

**Template Changes:**
- Replaced ACL method: `acl is_blocked src IP1 IP2...` (64 limit)
- With map method: `http-request deny if { src -f blocked_ips.map }` (unlimited)

**Backwards Compatibility:**
- Existing API endpoints unchanged (GET/POST/DELETE /api/blocked-ips)
- Database schema unchanged
- Automatic migration on first config generation

**Performance Improvements:**
- O(1) hash table lookups vs O(n) linear ACL search
- No config reloads needed for IP changes
- Supports millions of IPs if needed
- Memory efficient external file storage

**Documentation:**
- Complete migration guide in MIGRATION_GUIDE.md
- Updated API documentation with new endpoints
- Runtime management examples
- Troubleshooting guide

**Production Safety:**
- All changes include automatic backup/restore
- Config validation prevents bad deployments
- Runtime updates avoid service interruption
- Comprehensive error logging and monitoring

This fixes the critical production outage caused by ACL word limits
while providing a more scalable and performant IP blocking solution.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

											
										
										
											2025-08-22 08:31:17 -07:00
+								"<08><02>r<EFBFBD>z#/api/certificates/<domain>/downloadc
-												Fix HAProxy 2.6 compatibility for default backend

- Replace http-response set-body (HAProxy 2.8+) with local server approach
- Add separate Flask server on port 8080 to serve default page
- Update default backend template to use local server instead of inline HTML
- Maintain all customization features via environment variables
- Fix JavaScript error handling for domains API response

											
										
										
											2025-07-11 19:27:42 -07:00
+								Cs&zmt<00>t<02><01>]}|<01><03>}|<02>d|f<01>|<02><05>}|r|ds-tddd<05><02>dfWd<00>WS|d}tj<08>	|<04>sHtddd<05><02>dfWd<00>WSt
 								d	d
 								d|<00><00><02>t|d
 								|<00>d<0C>d
<0A>Wd<00>WS1sfwYWdSty<>}zt
-												CRITICAL FIX: Migrate HAProxy IP blocking from ACL to map files

**Problem Solved:**
- HAProxy ACL 64-word limit caused config parsing failures
- "too many words, truncating after word 64" error
- Complete service outage when >64 IPs were blocked
- Error: "no such ACL : 'is_blocked'" broke all traffic routing

**Solution: HAProxy Map Files (v1.6+)**
- ✅ Unlimited IP addresses (no word limits)
- ✅ Runtime updates without config reloads
- ✅ Better performance (hash table vs linear search)
- ✅ Safer config management with validation & rollback

**Technical Implementation:**

**Map File Integration:**
- `/etc/haproxy/blocked_ips.map` stores all blocked IPs
- `http-request deny status 403 if { src -f /etc/haproxy/blocked_ips.map }`
- Runtime updates: `echo "add map #0 IP" | socat stdio /var/run/haproxy.sock`

**Safety Features Added:**
- `create_backup()` - Automatic config/map backups before changes
- `validate_haproxy_config()` - Config validation before applying
- `restore_backup()` - Automatic rollback on failures
- `reload_haproxy_safely()` - Safe reload with validation pipeline

**Runtime Management:**
- `update_blocked_ips_map()` - Sync database to map file
- `add_ip_to_runtime_map()` - Immediate IP blocking without reload
- `remove_ip_from_runtime_map()` - Immediate IP unblocking

**New API Endpoints:**
- `POST /api/config/reload` - Safe config reload with rollback
- `POST /api/blocked-ips/sync` - Sync database to runtime map

**Template Changes:**
- Replaced ACL method: `acl is_blocked src IP1 IP2...` (64 limit)
- With map method: `http-request deny if { src -f blocked_ips.map }` (unlimited)

**Backwards Compatibility:**
- Existing API endpoints unchanged (GET/POST/DELETE /api/blocked-ips)
- Database schema unchanged
- Automatic migration on first config generation

**Performance Improvements:**
- O(1) hash table lookups vs O(n) linear ACL search
- No config reloads needed for IP changes
- Supports millions of IPs if needed
- Memory efficient external file storage

**Documentation:**
- Complete migration guide in MIGRATION_GUIDE.md
- Updated API documentation with new endpoints
- Runtime management examples
- Troubleshooting guide

**Production Safety:**
- All changes include automatic backup/restore
- Config validation prevents bad deployments
- Runtime updates avoid service interruption
- Comprehensive error logging and monitoring

This fixes the critical production outage caused by ACL word limits
while providing a more scalable and performant IP blocking solution.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

											
										
										
											2025-08-22 08:31:17 -07:00
+								d	dt
|<05><01>tdt
|<05>d<05><02>dfWYd}~Sd}~ww)z3Download the combined certificate file for a domainzFSELECT ssl_cert_path FROM domains WHERE domain = ? AND ssl_enabled = 1rr<00> Certificate not found for domainrm<00><>NzCertificate file not found<6E>download_certificateTzCertificate downloaded for r<><00><02>
as_attachment<6E>
download_nameFrp)r0r1r2r3r4r<>rrIrJrMr/rrurv)r<>r6r3r?r<>rxrrrr<><00>s(<12><12>(<28>"<08><02>r<EFBFBD>z/api/certificates/<domain>/keyc
-												Fix HAProxy 2.6 compatibility for default backend

- Replace http-response set-body (HAProxy 2.8+) with local server approach
- Add separate Flask server on port 8080 to serve default page
- Update default backend template to use local server instead of inline HTML
- Maintain all customization features via environment variables
- Fix JavaScript error handling for domains API response

											
										
										
											2025-07-11 19:27:42 -07:00
+								C<00><>z*d|<00>d<02>}tj<01>|<01>stddd<05><02>dfWStddd	|<00><00><02>t|d|<00>d
-												CRITICAL FIX: Migrate HAProxy IP blocking from ACL to map files

**Problem Solved:**
- HAProxy ACL 64-word limit caused config parsing failures
- "too many words, truncating after word 64" error
- Complete service outage when >64 IPs were blocked
- Error: "no such ACL : 'is_blocked'" broke all traffic routing

**Solution: HAProxy Map Files (v1.6+)**
- ✅ Unlimited IP addresses (no word limits)
- ✅ Runtime updates without config reloads
- ✅ Better performance (hash table vs linear search)
- ✅ Safer config management with validation & rollback

**Technical Implementation:**

**Map File Integration:**
- `/etc/haproxy/blocked_ips.map` stores all blocked IPs
- `http-request deny status 403 if { src -f /etc/haproxy/blocked_ips.map }`
- Runtime updates: `echo "add map #0 IP" | socat stdio /var/run/haproxy.sock`

**Safety Features Added:**
- `create_backup()` - Automatic config/map backups before changes
- `validate_haproxy_config()` - Config validation before applying
- `restore_backup()` - Automatic rollback on failures
- `reload_haproxy_safely()` - Safe reload with validation pipeline

**Runtime Management:**
- `update_blocked_ips_map()` - Sync database to map file
- `add_ip_to_runtime_map()` - Immediate IP blocking without reload
- `remove_ip_from_runtime_map()` - Immediate IP unblocking

**New API Endpoints:**
- `POST /api/config/reload` - Safe config reload with rollback
- `POST /api/blocked-ips/sync` - Sync database to runtime map

**Template Changes:**
- Replaced ACL method: `acl is_blocked src IP1 IP2...` (64 limit)
- With map method: `http-request deny if { src -f blocked_ips.map }` (unlimited)

**Backwards Compatibility:**
- Existing API endpoints unchanged (GET/POST/DELETE /api/blocked-ips)
- Database schema unchanged
- Automatic migration on first config generation

**Performance Improvements:**
- O(1) hash table lookups vs O(n) linear ACL search
- No config reloads needed for IP changes
- Supports millions of IPs if needed
- Memory efficient external file storage

**Documentation:**
- Complete migration guide in MIGRATION_GUIDE.md
- Updated API documentation with new endpoints
- Runtime management examples
- Troubleshooting guide

**Production Safety:**
- All changes include automatic backup/restore
- Config validation prevents bad deployments
- Runtime updates avoid service interruption
- Comprehensive error logging and monitoring

This fixes the critical production outage caused by ACL word limits
while providing a more scalable and performant IP blocking solution.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

											
										
										
											2025-08-22 08:31:17 -07:00
+								<EFBFBD>d<0B>WStyO}ztddt|<02><01>tdt|<02>d<05><02>d
fWYd}~Sd}~ww)z%Download the private key for a domainr<6E>r<>rz Private key not found for domainrmr<><00>download_private_keyTzPrivate key downloaded for z_key.pemr<6D>FrpN<>rIrJrMrr/rrurv)r<>r<>rxrrrr<><00><00>"<08><02>r<EFBFBD>z/api/certificates/<domain>/certc
 								Cr<>)z@Download only the certificate (without private key) for a domainr<6E>r<>rr<>rmr<><00>download_cert_onlyTz"Certificate (only) downloaded for z	_cert.pemr<6D>FrpNr<4E>)r<>r<>rxrrrr<><00>r<>r<>z/api/certificates/statuscCs<>z<>t<00>t<02><01><>}|<00><03>}|<01>d<01>|<01><05>}g}|D]\}}}|t|<05>|ddd<03>}|r<>tj<08>	|<06>r<>zJt
-												Fix HAProxy 2.6 compatibility for default backend

- Replace http-response set-body (HAProxy 2.8+) with local server approach
- Add separate Flask server on port 8080 to serve default page
- Update default backend template to use local server instead of inline HTML
- Maintain all customization features via environment variables
- Fix JavaScript error handling for domains API response

											
										
										
											2025-07-11 19:27:42 -07:00
+								jddd|ddgd	d	d
 								<EFBFBD>}|jdkrx|j
<0A>d<0C>D].}	d
|	vrw|	<09>d<0E>d<00><0F>}
 								ddlm}|<0B>|
-												CRITICAL FIX: Migrate HAProxy IP blocking from ACL to map files

**Problem Solved:**
- HAProxy ACL 64-word limit caused config parsing failures
- "too many words, truncating after word 64" error
- Complete service outage when >64 IPs were blocked
- Error: "no such ACL : 'is_blocked'" broke all traffic routing

**Solution: HAProxy Map Files (v1.6+)**
- ✅ Unlimited IP addresses (no word limits)
- ✅ Runtime updates without config reloads
- ✅ Better performance (hash table vs linear search)
- ✅ Safer config management with validation & rollback

**Technical Implementation:**

**Map File Integration:**
- `/etc/haproxy/blocked_ips.map` stores all blocked IPs
- `http-request deny status 403 if { src -f /etc/haproxy/blocked_ips.map }`
- Runtime updates: `echo "add map #0 IP" | socat stdio /var/run/haproxy.sock`

**Safety Features Added:**
- `create_backup()` - Automatic config/map backups before changes
- `validate_haproxy_config()` - Config validation before applying
- `restore_backup()` - Automatic rollback on failures
- `reload_haproxy_safely()` - Safe reload with validation pipeline

**Runtime Management:**
- `update_blocked_ips_map()` - Sync database to map file
- `add_ip_to_runtime_map()` - Immediate IP blocking without reload
- `remove_ip_from_runtime_map()` - Immediate IP unblocking

**New API Endpoints:**
- `POST /api/config/reload` - Safe config reload with rollback
- `POST /api/blocked-ips/sync` - Sync database to runtime map

**Template Changes:**
- Replaced ACL method: `acl is_blocked src IP1 IP2...` (64 limit)
- With map method: `http-request deny if { src -f blocked_ips.map }` (unlimited)

**Backwards Compatibility:**
- Existing API endpoints unchanged (GET/POST/DELETE /api/blocked-ips)
- Database schema unchanged
- Automatic migration on first config generation

**Performance Improvements:**
- O(1) hash table lookups vs O(n) linear ACL search
- No config reloads needed for IP changes
- Supports millions of IPs if needed
- Memory efficient external file storage

**Documentation:**
- Complete migration guide in MIGRATION_GUIDE.md
- Updated API documentation with new endpoints
- Runtime management examples
- Troubleshooting guide

**Production Safety:**
- All changes include automatic backup/restore
- Config validation prevents bad deployments
- Runtime updates avoid service interruption
- Comprehensive error logging and monitoring

This fixes the critical production outage caused by ACL word limits
while providing a more scalable and performant IP blocking solution.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

											
										
										
											2025-08-22 08:31:17 -07:00
+								d<11>}|<0C><12>|d<||<0B><13>j}
|
|d<nqIWnty<>}zt|<0E>|d<WYd}~nd}~ww|<03>|<07>qtdd	<09>td|i<01>Wd<00>WS1s<>wYWdSty<>}ztddt|<0E><01>tdt|<0E>d<18><02>dfWYd}~Sd}~ww)z9Get status of all certificates including expiration dateszLSELECT domain, ssl_enabled, ssl_cert_path FROM domains WHERE ssl_enabled = 1N)r<><00>ssl_enabledr<64><00>expires<65>days_until_expiryrA<00>x509z-inz-nooutz-datesTr<54>rr$z	notAfter=<3D>=<3D>rz%b %d %H:%M:%S %Y %Zr<5A>r<>r<00>get_certificate_status<75>certificatesFrmrp)r0r1r2r3r4rt<00>boolrIrJrMr<r=r>r<><00>split<69>stripr	<00>strptimer&r%<00>daysrurv<00>appendr/r)r6r3rw<00>cert_statusr<73>r<>r<>rnr?<00>line<6E>expiry_date_strr	<00>expiry_date<74>
 								days_untilrxrrrr<><00>sZ
-												Fix HAProxy 2.6 compatibility for default backend

- Replace http-response set-body (HAProxy 2.8+) with local server approach
- Add separate Flask server on port 8080 to serve default page
- Update default backend template to use local server instead of inline HTML
- Maintain all customization features via environment variables
- Fix JavaScript error handling for domains API response

											
										
										
											2025-07-11 19:27:42 -07:00
+								<06><02><06>
 								<02><04>
 								<08><02>
-												CRITICAL FIX: Migrate HAProxy IP blocking from ACL to map files

**Problem Solved:**
- HAProxy ACL 64-word limit caused config parsing failures
- "too many words, truncating after word 64" error
- Complete service outage when >64 IPs were blocked
- Error: "no such ACL : 'is_blocked'" broke all traffic routing

**Solution: HAProxy Map Files (v1.6+)**
- ✅ Unlimited IP addresses (no word limits)
- ✅ Runtime updates without config reloads
- ✅ Better performance (hash table vs linear search)
- ✅ Safer config management with validation & rollback

**Technical Implementation:**

**Map File Integration:**
- `/etc/haproxy/blocked_ips.map` stores all blocked IPs
- `http-request deny status 403 if { src -f /etc/haproxy/blocked_ips.map }`
- Runtime updates: `echo "add map #0 IP" | socat stdio /var/run/haproxy.sock`

**Safety Features Added:**
- `create_backup()` - Automatic config/map backups before changes
- `validate_haproxy_config()` - Config validation before applying
- `restore_backup()` - Automatic rollback on failures
- `reload_haproxy_safely()` - Safe reload with validation pipeline

**Runtime Management:**
- `update_blocked_ips_map()` - Sync database to map file
- `add_ip_to_runtime_map()` - Immediate IP blocking without reload
- `remove_ip_from_runtime_map()` - Immediate IP unblocking

**New API Endpoints:**
- `POST /api/config/reload` - Safe config reload with rollback
- `POST /api/blocked-ips/sync` - Sync database to runtime map

**Template Changes:**
- Replaced ACL method: `acl is_blocked src IP1 IP2...` (64 limit)
- With map method: `http-request deny if { src -f blocked_ips.map }` (unlimited)

**Backwards Compatibility:**
- Existing API endpoints unchanged (GET/POST/DELETE /api/blocked-ips)
- Database schema unchanged
- Automatic migration on first config generation

**Performance Improvements:**
- O(1) hash table lookups vs O(n) linear ACL search
- No config reloads needed for IP changes
- Supports millions of IPs if needed
- Memory efficient external file storage

**Documentation:**
- Complete migration guide in MIGRATION_GUIDE.md
- Updated API documentation with new endpoints
- Runtime management examples
- Troubleshooting guide

**Production Safety:**
- All changes include automatic backup/restore
- Config validation prevents bad deployments
- Runtime updates avoid service interruption
- Comprehensive error logging and monitoring

This fixes the critical production outage caused by ACL word limits
while providing a more scalable and performant IP blocking solution.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

											
										
										
											2025-08-22 08:31:17 -07:00
+								(<28>*"<08><02>r<EFBFBD>z/api/certificates/requestcCs&t<00><01>}|<00>dg<00>}|<00>dd<03>}|<00>dd<05>}|s'tddd<07>tdd	d
-												Fix HAProxy 2.6 compatibility for default backend

- Replace http-response set-body (HAProxy 2.8+) with local server approach
- Add separate Flask server on port 8080 to serve default page
- Update default backend template to use local server instead of inline HTML
- Maintain all customization features via environment variables
- Fix JavaScript error handling for domains API response

											
										
										
											2025-07-11 19:27:42 -07:00
+								<EFBFBD><02>dfSt|t<06>s/|g}g}d}d}|D]<5D>}z<>|g}|rL|<07>d
<0A>sL|<08>d
|<07><00><02>gd<0E>}	|rW|	<09>d<0F>|D]	}
 								|	<09>	d|
 								g<02>qYt
 								j|	ddd<11>}|jdkr<>d|<07>d<13>}d|<07>d<14>}
t
<0A>d|<07>d<16>}tjt
dd<17>t|d<18><02>}t
-												CRITICAL FIX: Migrate HAProxy IP blocking from ACL to map files

**Problem Solved:**
- HAProxy ACL 64-word limit caused config parsing failures
- "too many words, truncating after word 64" error
- Complete service outage when >64 IPs were blocked
- Error: "no such ACL : 'is_blocked'" broke all traffic routing

**Solution: HAProxy Map Files (v1.6+)**
- ✅ Unlimited IP addresses (no word limits)
- ✅ Runtime updates without config reloads
- ✅ Better performance (hash table vs linear search)
- ✅ Safer config management with validation & rollback

**Technical Implementation:**

**Map File Integration:**
- `/etc/haproxy/blocked_ips.map` stores all blocked IPs
- `http-request deny status 403 if { src -f /etc/haproxy/blocked_ips.map }`
- Runtime updates: `echo "add map #0 IP" | socat stdio /var/run/haproxy.sock`

**Safety Features Added:**
- `create_backup()` - Automatic config/map backups before changes
- `validate_haproxy_config()` - Config validation before applying
- `restore_backup()` - Automatic rollback on failures
- `reload_haproxy_safely()` - Safe reload with validation pipeline

**Runtime Management:**
- `update_blocked_ips_map()` - Sync database to map file
- `add_ip_to_runtime_map()` - Immediate IP blocking without reload
- `remove_ip_from_runtime_map()` - Immediate IP unblocking

**New API Endpoints:**
- `POST /api/config/reload` - Safe config reload with rollback
- `POST /api/blocked-ips/sync` - Sync database to runtime map

**Template Changes:**
- Replaced ACL method: `acl is_blocked src IP1 IP2...` (64 limit)
- With map method: `http-request deny if { src -f blocked_ips.map }` (unlimited)

**Backwards Compatibility:**
- Existing API endpoints unchanged (GET/POST/DELETE /api/blocked-ips)
- Database schema unchanged
- Automatic migration on first config generation

**Performance Improvements:**
- O(1) hash table lookups vs O(n) linear ACL search
- No config reloads needed for IP changes
- Supports millions of IPs if needed
- Memory efficient external file storage

**Documentation:**
- Complete migration guide in MIGRATION_GUIDE.md
- Updated API documentation with new endpoints
- Runtime management examples
- Troubleshooting guide

**Production Safety:**
- All changes include automatic backup/restore
- Config validation prevents bad deployments
- Runtime updates avoid service interruption
- Comprehensive error logging and monitoring

This fixes the critical production outage caused by ACL word limits
while providing a more scalable and performant IP blocking solution.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

											
										
										
											2025-08-22 08:31:17 -07:00
+								jd||
g|d<1A>Wd<00>n1s<>wYt<11>t<13><01>*}|<10><14>}|<11>d|f<01>|<11><16>}|r<>|<11>d||f<02>n|<11>d||f<02>Wd<00>n1s<>wY|<04>|dd ||d!<21><05>|d"7}nd#|<07>d$|j<17><00>}|<04>|d||jd%<25><04>|d"7}Wq7t<18>y4}zd&|<07>d$t|<14><01><00>}|<04>|d|d'<27><03>|d"7}WYd}~q7d}~ww|dk<04>rkzt<1A>tddd(|<05>d)|<06>d*<2A><05>Wnt<18>yj}ztddd+t|<14><01><00><02>WYd}~nd}~wwd,t|<01>||d-<2D>|d.<2E>}|dk<02>r<>t|<15>d/fS|dk<04>r<>t|<15>d0fSt|<15>d1fS)2z6Request certificate generation for one or more domainsrw<00>
force_renewalF<6C>include_wwwT<77>request_certificateszNo domains providedrzAt least one domain is requiredrmr<>rzwww.)r8r<>r<>r<>r<>r<>r<>z--force-renewalr<6C>r<>r<>r<>r<>r<>r<>r<>r<>r<>r<>N<>'SELECT id FROM domains WHERE domain = ?z<>
-												Fix HAProxy 2.6 compatibility for default backend

- Replace http-response set-body (HAProxy 2.8+) with local server approach
- Add separate Flask server on port 8080 to serve default page
- Update default backend template to use local server instead of inline HTML
- Maintain all customization features via environment variables
- Fix JavaScript error handling for domains API response

											
										
										
											2025-07-11 19:27:42 -07:00
+								                            UPDATE domains
 								                            SET ssl_enabled = 1, ssl_cert_path = ?
 								                            WHERE domain = ?
 								                        z<>
 								                            INSERT INTO domains (domain, ssl_enabled, ssl_cert_path)
 								                            VALUES (?, 1, ?)
-												CRITICAL FIX: Migrate HAProxy IP blocking from ACL to map files

**Problem Solved:**
- HAProxy ACL 64-word limit caused config parsing failures
- "too many words, truncating after word 64" error
- Complete service outage when >64 IPs were blocked
- Error: "no such ACL : 'is_blocked'" broke all traffic routing

**Solution: HAProxy Map Files (v1.6+)**
- ✅ Unlimited IP addresses (no word limits)
- ✅ Runtime updates without config reloads
- ✅ Better performance (hash table vs linear search)
- ✅ Safer config management with validation & rollback

**Technical Implementation:**

**Map File Integration:**
- `/etc/haproxy/blocked_ips.map` stores all blocked IPs
- `http-request deny status 403 if { src -f /etc/haproxy/blocked_ips.map }`
- Runtime updates: `echo "add map #0 IP" | socat stdio /var/run/haproxy.sock`

**Safety Features Added:**
- `create_backup()` - Automatic config/map backups before changes
- `validate_haproxy_config()` - Config validation before applying
- `restore_backup()` - Automatic rollback on failures
- `reload_haproxy_safely()` - Safe reload with validation pipeline

**Runtime Management:**
- `update_blocked_ips_map()` - Sync database to map file
- `add_ip_to_runtime_map()` - Immediate IP blocking without reload
- `remove_ip_from_runtime_map()` - Immediate IP unblocking

**New API Endpoints:**
- `POST /api/config/reload` - Safe config reload with rollback
- `POST /api/blocked-ips/sync` - Sync database to runtime map

**Template Changes:**
- Replaced ACL method: `acl is_blocked src IP1 IP2...` (64 limit)
- With map method: `http-request deny if { src -f blocked_ips.map }` (unlimited)

**Backwards Compatibility:**
- Existing API endpoints unchanged (GET/POST/DELETE /api/blocked-ips)
- Database schema unchanged
- Automatic migration on first config generation

**Performance Improvements:**
- O(1) hash table lookups vs O(n) linear ACL search
- No config reloads needed for IP changes
- Supports millions of IPs if needed
- Memory efficient external file storage

**Documentation:**
- Complete migration guide in MIGRATION_GUIDE.md
- Updated API documentation with new endpoints
- Runtime management examples
- Troubleshooting guide

**Production Safety:**
- All changes include automatic backup/restore
- Config validation prevents bad deployments
- Runtime updates avoid service interruption
- Comprehensive error logging and monitoring

This fixes the critical production outage caused by ACL word limits
while providing a more scalable and performant IP blocking solution.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

											
										
										
											2025-08-22 08:31:17 -07:00
+								                        r"r<>)r<>rnror<><00>domains_coveredr<64>z!Failed to obtain certificate for <20>: )r<>rnror<>zException while processing )r<>rnrozSuccessfully obtained z certificates, z failedz4Certificates obtained but config generation failed: <20>	completed)<03>total<61>
 								successfulr<EFBFBD>)rn<00>summary<72>resultsr<73><00><>rp)rr<>rr/r<00>
-												Fix HAProxy 2.6 compatibility for default backend

- Replace http-response set-body (HAProxy 2.8+) with local server approach
- Add separate Flask server on port 8080 to serve default page
- Update default backend template to use local server instead of inline HTML
- Maintain all customization features via environment variables
- Fix JavaScript error handling for domains API response

											
										
										
											2025-07-11 19:27:42 -07:00
+								isinstance<EFBFBD>list<73>
-												CRITICAL FIX: Migrate HAProxy IP blocking from ACL to map files

**Problem Solved:**
- HAProxy ACL 64-word limit caused config parsing failures
- "too many words, truncating after word 64" error
- Complete service outage when >64 IPs were blocked
- Error: "no such ACL : 'is_blocked'" broke all traffic routing

**Solution: HAProxy Map Files (v1.6+)**
- ✅ Unlimited IP addresses (no word limits)
- ✅ Runtime updates without config reloads
- ✅ Better performance (hash table vs linear search)
- ✅ Safer config management with validation & rollback

**Technical Implementation:**

**Map File Integration:**
- `/etc/haproxy/blocked_ips.map` stores all blocked IPs
- `http-request deny status 403 if { src -f /etc/haproxy/blocked_ips.map }`
- Runtime updates: `echo "add map #0 IP" | socat stdio /var/run/haproxy.sock`

**Safety Features Added:**
- `create_backup()` - Automatic config/map backups before changes
- `validate_haproxy_config()` - Config validation before applying
- `restore_backup()` - Automatic rollback on failures
- `reload_haproxy_safely()` - Safe reload with validation pipeline

**Runtime Management:**
- `update_blocked_ips_map()` - Sync database to map file
- `add_ip_to_runtime_map()` - Immediate IP blocking without reload
- `remove_ip_from_runtime_map()` - Immediate IP unblocking

**New API Endpoints:**
- `POST /api/config/reload` - Safe config reload with rollback
- `POST /api/blocked-ips/sync` - Sync database to runtime map

**Template Changes:**
- Replaced ACL method: `acl is_blocked src IP1 IP2...` (64 limit)
- With map method: `http-request deny if { src -f blocked_ips.map }` (unlimited)

**Backwards Compatibility:**
- Existing API endpoints unchanged (GET/POST/DELETE /api/blocked-ips)
- Database schema unchanged
- Automatic migration on first config generation

**Performance Improvements:**
- O(1) hash table lookups vs O(n) linear ACL search
- No config reloads needed for IP changes
- Supports millions of IPs if needed
- Memory efficient external file storage

**Documentation:**
- Complete migration guide in MIGRATION_GUIDE.md
- Updated API documentation with new endpoints
- Runtime management examples
- Troubleshooting guide

**Production Safety:**
- All changes include automatic backup/restore
- Config validation prevents bad deployments
- Runtime updates avoid service interruption
- Comprehensive error logging and monitoring

This fixes the critical production outage caused by ACL word limits
while providing a more scalable and performant IP blocking solution.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

											
										
										
											2025-08-22 08:31:17 -07:00
+								startswithr<EFBFBD><00>extendr<r=r>r<>rIr<>r)r0r1r2r3r4r<>r<>rurvrT<00>len)r<>rwrrr<00>
success_count<6E>error_countr<74><00>certbot_domains<6E>cmd<6D>dr?r<>r<>r<>rXr6r3<00>
domain_existsr<73>rx<00>responserrrrs<>
-												Fix HAProxy 2.6 compatibility for default backend

- Replace http-response set-body (HAProxy 2.8+) with local server approach
- Add separate Flask server on port 8080 to serve default page
- Update default backend template to use local server instead of inline HTML
- Maintain all customization features via environment variables
- Fix JavaScript error handling for domains API response

											
										
										
											2025-07-11 19:27:42 -07:00
 								<1C><06><04><02><1C><08>
 								<08><04><08><08><02>
 								"<08><02><04><06>
-												CRITICAL FIX: Migrate HAProxy IP blocking from ACL to map files

**Problem Solved:**
- HAProxy ACL 64-word limit caused config parsing failures
- "too many words, truncating after word 64" error
- Complete service outage when >64 IPs were blocked
- Error: "no such ACL : 'is_blocked'" broke all traffic routing

**Solution: HAProxy Map Files (v1.6+)**
- ✅ Unlimited IP addresses (no word limits)
- ✅ Runtime updates without config reloads
- ✅ Better performance (hash table vs linear search)
- ✅ Safer config management with validation & rollback

**Technical Implementation:**

**Map File Integration:**
- `/etc/haproxy/blocked_ips.map` stores all blocked IPs
- `http-request deny status 403 if { src -f /etc/haproxy/blocked_ips.map }`
- Runtime updates: `echo "add map #0 IP" | socat stdio /var/run/haproxy.sock`

**Safety Features Added:**
- `create_backup()` - Automatic config/map backups before changes
- `validate_haproxy_config()` - Config validation before applying
- `restore_backup()` - Automatic rollback on failures
- `reload_haproxy_safely()` - Safe reload with validation pipeline

**Runtime Management:**
- `update_blocked_ips_map()` - Sync database to map file
- `add_ip_to_runtime_map()` - Immediate IP blocking without reload
- `remove_ip_from_runtime_map()` - Immediate IP unblocking

**New API Endpoints:**
- `POST /api/config/reload` - Safe config reload with rollback
- `POST /api/blocked-ips/sync` - Sync database to runtime map

**Template Changes:**
- Replaced ACL method: `acl is_blocked src IP1 IP2...` (64 limit)
- With map method: `http-request deny if { src -f blocked_ips.map }` (unlimited)

**Backwards Compatibility:**
- Existing API endpoints unchanged (GET/POST/DELETE /api/blocked-ips)
- Database schema unchanged
- Automatic migration on first config generation

**Performance Improvements:**
- O(1) hash table lookups vs O(n) linear ACL search
- No config reloads needed for IP changes
- Supports millions of IPs if needed
- Memory efficient external file storage

**Documentation:**
- Complete migration guide in MIGRATION_GUIDE.md
- Updated API documentation with new endpoints
- Runtime management examples
- Troubleshooting guide

**Production Safety:**
- All changes include automatic backup/restore
- Config validation prevents bad deployments
- Runtime updates avoid service interruption
- Comprehensive error logging and monitoring

This fixes the critical production outage caused by ACL word limits
while providing a more scalable and performant IP blocking solution.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

											
										
										
											2025-08-22 08:31:17 -07:00
+								r<00>DELETEc
-												Fix HAProxy 2.6 compatibility for default backend

- Replace http-response set-body (HAProxy 2.8+) with local server approach
- Add separate Flask server on port 8080 to serve default page
- Update default backend template to use local server instead of inline HTML
- Maintain all customization features via environment variables
- Fix JavaScript error handling for domains API response

											
										
										
											2025-07-11 19:27:42 -07:00
 								Cs<>t<00><01>}|<00>d<01>}|stddd<04>tddd<06><02>dfSz<>t<05>t<07><01><>}|<02><08>}|<03>	d|f<01>|<03>
 								<EFBFBD>}|sMtddd	|<01>d
 								<EFBFBD><03>tddd<06><02>dfWd<00>WS|d
}|<03>	d|f<01>dd<10>|<03><0B>D<00>}|D]	}|<03>	d|f<01>qc|<03>	d|f<01>|<03>	d|f<01>|<03>	d|f<01>|<03>
-												CRITICAL FIX: Migrate HAProxy IP blocking from ACL to map files

**Problem Solved:**
- HAProxy ACL 64-word limit caused config parsing failures
- "too many words, truncating after word 64" error
- Complete service outage when >64 IPs were blocked
- Error: "no such ACL : 'is_blocked'" broke all traffic routing

**Solution: HAProxy Map Files (v1.6+)**
- ✅ Unlimited IP addresses (no word limits)
- ✅ Runtime updates without config reloads
- ✅ Better performance (hash table vs linear search)
- ✅ Safer config management with validation & rollback

**Technical Implementation:**

**Map File Integration:**
- `/etc/haproxy/blocked_ips.map` stores all blocked IPs
- `http-request deny status 403 if { src -f /etc/haproxy/blocked_ips.map }`
- Runtime updates: `echo "add map #0 IP" | socat stdio /var/run/haproxy.sock`

**Safety Features Added:**
- `create_backup()` - Automatic config/map backups before changes
- `validate_haproxy_config()` - Config validation before applying
- `restore_backup()` - Automatic rollback on failures
- `reload_haproxy_safely()` - Safe reload with validation pipeline

**Runtime Management:**
- `update_blocked_ips_map()` - Sync database to map file
- `add_ip_to_runtime_map()` - Immediate IP blocking without reload
- `remove_ip_from_runtime_map()` - Immediate IP unblocking

**New API Endpoints:**
- `POST /api/config/reload` - Safe config reload with rollback
- `POST /api/blocked-ips/sync` - Sync database to runtime map

**Template Changes:**
- Replaced ACL method: `acl is_blocked src IP1 IP2...` (64 limit)
- With map method: `http-request deny if { src -f blocked_ips.map }` (unlimited)

**Backwards Compatibility:**
- Existing API endpoints unchanged (GET/POST/DELETE /api/blocked-ips)
- Database schema unchanged
- Automatic migration on first config generation

**Performance Improvements:**
- O(1) hash table lookups vs O(n) linear ACL search
- No config reloads needed for IP changes
- Supports millions of IPs if needed
- Memory efficient external file storage

**Documentation:**
- Complete migration guide in MIGRATION_GUIDE.md
- Updated API documentation with new endpoints
- Runtime management examples
- Troubleshooting guide

**Production Safety:**
- All changes include automatic backup/restore
- Config validation prevents bad deployments
- Runtime updates avoid service interruption
- Comprehensive error logging and monitoring

This fixes the critical production outage caused by ACL word limits
while providing a more scalable and performant IP blocking solution.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

											
										
										
											2025-08-22 08:31:17 -07:00
+								<EFBFBD>}|r<>|d
r<>z	t<0C>
|d
<00>Wn	ty<>YnwWd<00>n1s<>wYt<0F>tddd	|<01>d<16><03>tddd<06><02>WSty<>}	ztddt|	<09><01>tdt|	<09>d<06><02>dfWYd}	~	Sd}	~	ww)Nr<4E><00>
remove_domainFr<46>rrmr<>rr<>z
 								 not foundzDomain not foundr<64>rz+SELECT id FROM backends WHERE domain_id = ?cS<00>g|]}|d<00>qS<00>rrrgrrrrj<00>rkz!remove_domain.<locals>.<listcomp>z0DELETE FROM backend_servers WHERE backend_id = ?z(DELETE FROM backends WHERE domain_id = ?z DELETE FROM domains WHERE id = ?zBSELECT ssl_cert_path FROM domains WHERE id = ? AND ssl_enabled = 1Tz removed successfullyr"zDomain configuration removedrp)rr<>rr/rr0r1r2r3r4r<>rtrIrS<00>OSErrorrTrurv)
 								r<EFBFBD>r<>r6r3<00>
domain_resultr<74><00>backend_idsr<73><00>cert_resultrxrrrr<00>sN
 								<12><02><02><1C>%"<08><02>rz/api/blocked-ipsc
 								Cs<>z8t<00>t<02><01>(}tj|_|<00><05>}|<01>d<01>dd<03>|<01><07>D<00>}tdd<05>t	|<02>Wd<00>WS1s1wYWdSt
 								y]}ztddt|<03><01>t	dt|<03>d	<09><02>d
 								fWYd}~Sd}~ww)zGet all blocked IP addressesz2SELECT * FROM blocked_ips ORDER BY blocked_at DESCcSrdrrergrrrrj<00>rkz#get_blocked_ips.<locals>.<listcomp><3E>get_blocked_ipsTNFrrmrprq)r6r3<00>blocked_ipsrxrrrr!<00>s
-												Fix HAProxy 3.0 compatibility issues in tarpit configuration

- Remove gpc2 from stick-table (not supported in HAProxy 3.0)
- Fix ACL syntax: Change sc_get_gpc0(0) to sc0_get_gpc0
- Fix ACL syntax: Change sc_http_err_rate(0,period) to sc0_http_err_rate(period)
- Fix ACL syntax: Change sc_get_gpc1(0) to sc0_get_gpc1
- Reorder rules to place http-request rules before use_backend rules
- Remove duplicate gpc2 increment rule

These changes ensure compatibility with HAProxy 3.0.11 while maintaining
the tarpit escalation functionality for exploit scanning protection.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

											
										
										
											2025-08-23 18:30:34 -07:00
+								(<28>"<08><02>r!c
 								Cst<00><01>}|<00>d<01>}|<00>dd<03>}|<00>dd<05>}|s&tddd<08>td	dd
 								<EFBFBD><02>dfSz<>t<05>t<07><01>}|<04><08>}|<05>	d|||f<03>|j
-												CRITICAL FIX: Migrate HAProxy IP blocking from ACL to map files

**Problem Solved:**
- HAProxy ACL 64-word limit caused config parsing failures
- "too many words, truncating after word 64" error
- Complete service outage when >64 IPs were blocked
- Error: "no such ACL : 'is_blocked'" broke all traffic routing

**Solution: HAProxy Map Files (v1.6+)**
- ✅ Unlimited IP addresses (no word limits)
- ✅ Runtime updates without config reloads
- ✅ Better performance (hash table vs linear search)
- ✅ Safer config management with validation & rollback

**Technical Implementation:**

**Map File Integration:**
- `/etc/haproxy/blocked_ips.map` stores all blocked IPs
- `http-request deny status 403 if { src -f /etc/haproxy/blocked_ips.map }`
- Runtime updates: `echo "add map #0 IP" | socat stdio /var/run/haproxy.sock`

**Safety Features Added:**
- `create_backup()` - Automatic config/map backups before changes
- `validate_haproxy_config()` - Config validation before applying
- `restore_backup()` - Automatic rollback on failures
- `reload_haproxy_safely()` - Safe reload with validation pipeline

**Runtime Management:**
- `update_blocked_ips_map()` - Sync database to map file
- `add_ip_to_runtime_map()` - Immediate IP blocking without reload
- `remove_ip_from_runtime_map()` - Immediate IP unblocking

**New API Endpoints:**
- `POST /api/config/reload` - Safe config reload with rollback
- `POST /api/blocked-ips/sync` - Sync database to runtime map

**Template Changes:**
- Replaced ACL method: `acl is_blocked src IP1 IP2...` (64 limit)
- With map method: `http-request deny if { src -f blocked_ips.map }` (unlimited)

**Backwards Compatibility:**
- Existing API endpoints unchanged (GET/POST/DELETE /api/blocked-ips)
- Database schema unchanged
- Automatic migration on first config generation

**Performance Improvements:**
- O(1) hash table lookups vs O(n) linear ACL search
- No config reloads needed for IP changes
- Supports millions of IPs if needed
- Memory efficient external file storage

**Documentation:**
- Complete migration guide in MIGRATION_GUIDE.md
- Updated API documentation with new endpoints
- Runtime management examples
- Troubleshooting guide

**Production Safety:**
- All changes include automatic backup/restore
- Config validation prevents bad deployments
- Runtime updates avoid service interruption
- Comprehensive error logging and monitoring

This fixes the critical production outage caused by ACL word limits
while providing a more scalable and performant IP blocking solution.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

											
										
										
											2025-08-22 08:31:17 -07:00
+								}Wd
<00>n1sGwYt<0B>sbtddd|<01><00><02>td	dd
-												Fix HAProxy 3.0 compatibility issues in tarpit configuration

- Remove gpc2 from stick-table (not supported in HAProxy 3.0)
- Fix ACL syntax: Change sc_get_gpc0(0) to sc0_get_gpc0
- Fix ACL syntax: Change sc_http_err_rate(0,period) to sc0_http_err_rate(period)
- Fix ACL syntax: Change sc_get_gpc1(0) to sc0_get_gpc1
- Reorder rules to place http-request rules before use_backend rules
- Remove duplicate gpc2 increment rule

These changes ensure compatibility with HAProxy 3.0.11 while maintaining
the tarpit escalation functionality for exploit scanning protection.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

											
										
										
											2025-08-23 18:30:34 -07:00
+								<EFBFBD><02>dfWSt|<01>z.t
d<11>r<>tj<0F>t<11>rtt}nd}tjd|<07><00>dddd<15>}|jdkr<>t<15>d|<01>d|j<17><00><04>Wnty<>}	zt<15>d|<01>d|	<09><00><04>WYd
}	~	nd
}	~	wwtddd|<01>d<1B><03>td|d|<01>d<1D>d<1E><03>WStjy<>tddd|<01>d<1F><03>td	d d
 								<EFBFBD><02>d!fYSt<18>y
 								}	ztddt|	<09><01>td	t|	<09>d
 								<EFBFBD><02>dfWYd
}	~	Sd
}	~	ww)"z%Add an IP address to the blocked list<73>
-												CRITICAL FIX: Migrate HAProxy IP blocking from ACL to map files

**Problem Solved:**
- HAProxy ACL 64-word limit caused config parsing failures
- "too many words, truncating after word 64" error
- Complete service outage when >64 IPs were blocked
- Error: "no such ACL : 'is_blocked'" broke all traffic routing

**Solution: HAProxy Map Files (v1.6+)**
- ✅ Unlimited IP addresses (no word limits)
- ✅ Runtime updates without config reloads
- ✅ Better performance (hash table vs linear search)
- ✅ Safer config management with validation & rollback

**Technical Implementation:**

**Map File Integration:**
- `/etc/haproxy/blocked_ips.map` stores all blocked IPs
- `http-request deny status 403 if { src -f /etc/haproxy/blocked_ips.map }`
- Runtime updates: `echo "add map #0 IP" | socat stdio /var/run/haproxy.sock`

**Safety Features Added:**
- `create_backup()` - Automatic config/map backups before changes
- `validate_haproxy_config()` - Config validation before applying
- `restore_backup()` - Automatic rollback on failures
- `reload_haproxy_safely()` - Safe reload with validation pipeline

**Runtime Management:**
- `update_blocked_ips_map()` - Sync database to map file
- `add_ip_to_runtime_map()` - Immediate IP blocking without reload
- `remove_ip_from_runtime_map()` - Immediate IP unblocking

**New API Endpoints:**
- `POST /api/config/reload` - Safe config reload with rollback
- `POST /api/blocked-ips/sync` - Sync database to runtime map

**Template Changes:**
- Replaced ACL method: `acl is_blocked src IP1 IP2...` (64 limit)
- With map method: `http-request deny if { src -f blocked_ips.map }` (unlimited)

**Backwards Compatibility:**
- Existing API endpoints unchanged (GET/POST/DELETE /api/blocked-ips)
- Database schema unchanged
- Automatic migration on first config generation

**Performance Improvements:**
- O(1) hash table lookups vs O(n) linear ACL search
- No config reloads needed for IP changes
- Supports millions of IPs if needed
- Memory efficient external file storage

**Documentation:**
- Complete migration guide in MIGRATION_GUIDE.md
- Updated API documentation with new endpoints
- Runtime management examples
- Troubleshooting guide

**Production Safety:**
- All changes include automatic backup/restore
- Config validation prevents bad deployments
- Runtime updates avoid service interruption
- Comprehensive error logging and monitoring

This fixes the critical production outage caused by ACL word limits
while providing a more scalable and performant IP blocking solution.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

											
										
										
											2025-08-22 08:31:17 -07:00
+								ip_address<EFBFBD>reasonzNo reason provided<65>
-												Fix HAProxy 3.0 compatibility issues in tarpit configuration

- Remove gpc2 from stick-table (not supported in HAProxy 3.0)
- Fix ACL syntax: Change sc_get_gpc0(0) to sc0_get_gpc0
- Fix ACL syntax: Change sc_http_err_rate(0,period) to sc0_http_err_rate(period)
- Fix ACL syntax: Change sc_get_gpc1(0) to sc0_get_gpc1
- Reorder rules to place http-request rules before use_backend rules
- Remove duplicate gpc2 increment rule

These changes ensure compatibility with HAProxy 3.0.11 while maintaining
the tarpit escalation functionality for exploit scanning protection.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

											
										
										
											2025-08-23 18:30:34 -07:00
+								blocked_by<EFBFBD>API<50>add_blocked_ipF<70>IP address is requiredrrmr<>zIINSERT INTO blocked_ips (ip_address, reason, blocked_by) VALUES (?, ?, ?)N<>Failed to update map file for <20>%Failed to update blocked IPs map filerpry<00>/tmp/haproxy-cli<6C>echo "reload" | socat stdio Tr<54>rz(HAProxy reload failed after blocking IP rz*Error reloading HAProxy after blocking IP <20>IP z blocked successfullyr"z has been blocked)rn<00>
blocked_ip_idroz is already blockedzIP address is already blockedi<64>)rr<>rr/rr0r1r2r3r4r<><00>update_blocked_ips_map<61>add_ip_to_runtime_mapr`rIrJrM<00>HAPROXY_SOCKET_PATHr<r=r>r'<00>warningr<67>ru<00>IntegrityErrorrv)
 								r<EFBFBD>r#r$r%r6r3r.<00>socket_pathr<68>rxrrrr'<00>sX
 								<04><1C><06>
 								<04>"<08><02>"<08><02>r'c
 								Cs
 								t<00><01>}|<00>d<01>}|stddd<04>tddd<06><02>dfSz<>t<05>t<07><01>;}|<02><08>}|<03>	d|f<01>|<03>
-												CRITICAL FIX: Migrate HAProxy IP blocking from ACL to map files

**Problem Solved:**
- HAProxy ACL 64-word limit caused config parsing failures
- "too many words, truncating after word 64" error
- Complete service outage when >64 IPs were blocked
- Error: "no such ACL : 'is_blocked'" broke all traffic routing

**Solution: HAProxy Map Files (v1.6+)**
- ✅ Unlimited IP addresses (no word limits)
- ✅ Runtime updates without config reloads
- ✅ Better performance (hash table vs linear search)
- ✅ Safer config management with validation & rollback

**Technical Implementation:**

**Map File Integration:**
- `/etc/haproxy/blocked_ips.map` stores all blocked IPs
- `http-request deny status 403 if { src -f /etc/haproxy/blocked_ips.map }`
- Runtime updates: `echo "add map #0 IP" | socat stdio /var/run/haproxy.sock`

**Safety Features Added:**
- `create_backup()` - Automatic config/map backups before changes
- `validate_haproxy_config()` - Config validation before applying
- `restore_backup()` - Automatic rollback on failures
- `reload_haproxy_safely()` - Safe reload with validation pipeline

**Runtime Management:**
- `update_blocked_ips_map()` - Sync database to map file
- `add_ip_to_runtime_map()` - Immediate IP blocking without reload
- `remove_ip_from_runtime_map()` - Immediate IP unblocking

**New API Endpoints:**
- `POST /api/config/reload` - Safe config reload with rollback
- `POST /api/blocked-ips/sync` - Sync database to runtime map

**Template Changes:**
- Replaced ACL method: `acl is_blocked src IP1 IP2...` (64 limit)
- With map method: `http-request deny if { src -f blocked_ips.map }` (unlimited)

**Backwards Compatibility:**
- Existing API endpoints unchanged (GET/POST/DELETE /api/blocked-ips)
- Database schema unchanged
- Automatic migration on first config generation

**Performance Improvements:**
- O(1) hash table lookups vs O(n) linear ACL search
- No config reloads needed for IP changes
- Supports millions of IPs if needed
- Memory efficient external file storage

**Documentation:**
- Complete migration guide in MIGRATION_GUIDE.md
- Updated API documentation with new endpoints
- Runtime management examples
- Troubleshooting guide

**Production Safety:**
- All changes include automatic backup/restore
- Config validation prevents bad deployments
- Runtime updates avoid service interruption
- Comprehensive error logging and monitoring

This fixes the critical production outage caused by ACL word limits
while providing a more scalable and performant IP blocking solution.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

											
										
										
											2025-08-22 08:31:17 -07:00
+								<EFBFBD>}|sMtddd	|<01>d
-												Fix HAProxy 3.0 compatibility issues in tarpit configuration

- Remove gpc2 from stick-table (not supported in HAProxy 3.0)
- Fix ACL syntax: Change sc_get_gpc0(0) to sc0_get_gpc0
- Fix ACL syntax: Change sc_http_err_rate(0,period) to sc0_http_err_rate(period)
- Fix ACL syntax: Change sc_get_gpc1(0) to sc0_get_gpc1
- Reorder rules to place http-request rules before use_backend rules
- Remove duplicate gpc2 increment rule

These changes ensure compatibility with HAProxy 3.0.11 while maintaining
the tarpit escalation functionality for exploit scanning protection.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

											
										
										
											2025-08-23 18:30:34 -07:00
+								<EFBFBD><03>tddd<06><02>dfWd
<00>WS|<03>	d|f<01>Wd
<00>n1s^wYt<0B>sytddd|<01><00><02>tddd<06><02>dfWSt|<01>z.t
d<12>r<>tj<0F>t<11>r<>t}nd}tjd|<05><00>dddd<16>}|jdkr<>t<15>d|<01>d|j<17><00><04>Wnty<>}zt<15>d|<01>d|<07><00><04>WYd
}~nd
}~wwtddd	|<01>d<1B><03>tdd	|<01>d<1D>d<06><02>WSt<18>y}ztddt|<07><01>tdt|<07>d<06><02>dfWYd
}~Sd
}~ww)z*Remove an IP address from the blocked listr#<00>remove_blocked_ipFr(rrmr<>z/SELECT id FROM blocked_ips WHERE ip_address = ?r-z not found in blocked listz$IP address not found in blocked listr<74>Nz,DELETE FROM blocked_ips WHERE ip_address = ?r)r*rpryr+r,Tr<54>rz*HAProxy reload failed after unblocking IP rz,Error reloading HAProxy after unblocking IP z unblocked successfullyr"z has been unblocked)rr<>rr/rr0r1r2r3r4r<>r/<00>remove_ip_from_runtime_mapr`rIrJrMr1r<r=r>r'r2r<>rurv)r<>r#r6r3<00>	ip_resultr4r<>rxrrrr5sT
 								<12>	<1C><06>
 								<04>"<08><02>"<08><02>r5z/api/config/reloadc
-												CRITICAL FIX: Migrate HAProxy IP blocking from ACL to map files

**Problem Solved:**
- HAProxy ACL 64-word limit caused config parsing failures
- "too many words, truncating after word 64" error
- Complete service outage when >64 IPs were blocked
- Error: "no such ACL : 'is_blocked'" broke all traffic routing

**Solution: HAProxy Map Files (v1.6+)**
- ✅ Unlimited IP addresses (no word limits)
- ✅ Runtime updates without config reloads
- ✅ Better performance (hash table vs linear search)
- ✅ Safer config management with validation & rollback

**Technical Implementation:**

**Map File Integration:**
- `/etc/haproxy/blocked_ips.map` stores all blocked IPs
- `http-request deny status 403 if { src -f /etc/haproxy/blocked_ips.map }`
- Runtime updates: `echo "add map #0 IP" | socat stdio /var/run/haproxy.sock`

**Safety Features Added:**
- `create_backup()` - Automatic config/map backups before changes
- `validate_haproxy_config()` - Config validation before applying
- `restore_backup()` - Automatic rollback on failures
- `reload_haproxy_safely()` - Safe reload with validation pipeline

**Runtime Management:**
- `update_blocked_ips_map()` - Sync database to map file
- `add_ip_to_runtime_map()` - Immediate IP blocking without reload
- `remove_ip_from_runtime_map()` - Immediate IP unblocking

**New API Endpoints:**
- `POST /api/config/reload` - Safe config reload with rollback
- `POST /api/blocked-ips/sync` - Sync database to runtime map

**Template Changes:**
- Replaced ACL method: `acl is_blocked src IP1 IP2...` (64 limit)
- With map method: `http-request deny if { src -f blocked_ips.map }` (unlimited)

**Backwards Compatibility:**
- Existing API endpoints unchanged (GET/POST/DELETE /api/blocked-ips)
- Database schema unchanged
- Automatic migration on first config generation

**Performance Improvements:**
- O(1) hash table lookups vs O(n) linear ACL search
- No config reloads needed for IP changes
- Supports millions of IPs if needed
- Memory efficient external file storage

**Documentation:**
- Complete migration guide in MIGRATION_GUIDE.md
- Updated API documentation with new endpoints
- Runtime management examples
- Troubleshooting guide

**Production Safety:**
- All changes include automatic backup/restore
- Config validation prevents bad deployments
- Runtime updates avoid service interruption
- Comprehensive error logging and monitoring

This fixes the critical production outage caused by ACL word limits
while providing a more scalable and performant IP blocking solution.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

											
										
										
											2025-08-22 08:31:17 -07:00
+								Csnzt<00>tddd<03>tddd<06><02>WSty6}ztddt|<00><01>tdt|<00>d<06><02>d	fWYd
 								}~Sd
-												Fix HAProxy 3.0 compatibility issues in tarpit configuration

- Remove gpc2 from stick-table (not supported in HAProxy 3.0)
- Fix ACL syntax: Change sc_get_gpc0(0) to sc0_get_gpc0
- Fix ACL syntax: Change sc_http_err_rate(0,period) to sc0_http_err_rate(period)
- Fix ACL syntax: Change sc_get_gpc1(0) to sc0_get_gpc1
- Reorder rules to place http-request rules before use_backend rules
- Remove duplicate gpc2 increment rule

These changes ensure compatibility with HAProxy 3.0.11 while maintaining
the tarpit escalation functionality for exploit scanning protection.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

											
										
										
											2025-08-23 18:30:34 -07:00
+								}~ww)z@Safely reload HAProxy configuration with validation and rollback<63>reload_config_safelyTzConfiguration reloaded safelyr"z%HAProxy configuration reloaded safelyrmFrrpNr<4E>r<>rrrr8Gs"<08><02>r8z/api/blocked-ips/syncc
-												CRITICAL FIX: Migrate HAProxy IP blocking from ACL to map files

**Problem Solved:**
- HAProxy ACL 64-word limit caused config parsing failures
- "too many words, truncating after word 64" error
- Complete service outage when >64 IPs were blocked
- Error: "no such ACL : 'is_blocked'" broke all traffic routing

**Solution: HAProxy Map Files (v1.6+)**
- ✅ Unlimited IP addresses (no word limits)
- ✅ Runtime updates without config reloads
- ✅ Better performance (hash table vs linear search)
- ✅ Safer config management with validation & rollback

**Technical Implementation:**

**Map File Integration:**
- `/etc/haproxy/blocked_ips.map` stores all blocked IPs
- `http-request deny status 403 if { src -f /etc/haproxy/blocked_ips.map }`
- Runtime updates: `echo "add map #0 IP" | socat stdio /var/run/haproxy.sock`

**Safety Features Added:**
- `create_backup()` - Automatic config/map backups before changes
- `validate_haproxy_config()` - Config validation before applying
- `restore_backup()` - Automatic rollback on failures
- `reload_haproxy_safely()` - Safe reload with validation pipeline

**Runtime Management:**
- `update_blocked_ips_map()` - Sync database to map file
- `add_ip_to_runtime_map()` - Immediate IP blocking without reload
- `remove_ip_from_runtime_map()` - Immediate IP unblocking

**New API Endpoints:**
- `POST /api/config/reload` - Safe config reload with rollback
- `POST /api/blocked-ips/sync` - Sync database to runtime map

**Template Changes:**
- Replaced ACL method: `acl is_blocked src IP1 IP2...` (64 limit)
- With map method: `http-request deny if { src -f blocked_ips.map }` (unlimited)

**Backwards Compatibility:**
- Existing API endpoints unchanged (GET/POST/DELETE /api/blocked-ips)
- Database schema unchanged
- Automatic migration on first config generation

**Performance Improvements:**
- O(1) hash table lookups vs O(n) linear ACL search
- No config reloads needed for IP changes
- Supports millions of IPs if needed
- Memory efficient external file storage

**Documentation:**
- Complete migration guide in MIGRATION_GUIDE.md
- Updated API documentation with new endpoints
- Runtime management examples
- Troubleshooting guide

**Production Safety:**
- All changes include automatic backup/restore
- Config validation prevents bad deployments
- Runtime updates avoid service interruption
- Comprehensive error logging and monitoring

This fixes the critical production outage caused by ACL word limits
while providing a more scalable and performant IP blocking solution.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

											
										
										
											2025-08-22 08:31:17 -07:00
+								CsTz<>t<00>stddd<03><02>dfWSt<02>t<04><01>}|<00><05>}|<01>d<05>dd<07>|<01><07>D<00>}Wd<00>n1s0wYztj	<09>
 								t<0B>r?t}nd	}tj
d
 								|<03><00>ddd<0C>WnYd
}|D]
-												Fix HAProxy 3.0 compatibility issues in tarpit configuration

- Remove gpc2 from stick-table (not supported in HAProxy 3.0)
- Fix ACL syntax: Change sc_get_gpc0(0) to sc0_get_gpc0
- Fix ACL syntax: Change sc_http_err_rate(0,period) to sc0_http_err_rate(period)
- Fix ACL syntax: Change sc_get_gpc1(0) to sc0_get_gpc1
- Reorder rules to place http-request rules before use_backend rules
- Remove duplicate gpc2 increment rule

These changes ensure compatibility with HAProxy 3.0.11 while maintaining
the tarpit escalation functionality for exploit scanning protection.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

											
										
										
											2025-08-23 18:30:34 -07:00
+								}t|<05>r`|d7}qVtddd|<04>dt|<02><01>d<12><05>tdd|<04>dt|<02><01>d<12>t|<02>|d<14><04>WSty<>}ztddt|<06><01>tdt|<06>d<03><02>dfWYd}~Sd}~ww)z-Sync blocked IPs from database to runtime maprzFailed to update map filermrp<00>6SELECT ip_address FROM blocked_ips ORDER BY ip_addresscSrrrrgrrrrjbrkz$sync_blocked_ips.<locals>.<listcomp>Nr+z"echo "clear map #0" | socat stdio T<>r<>r:rr<><00>sync_blocked_ipszSynced r<>z IPs to runtime mapr")rnro<00>	total_ips<70>
 								synced_ipsF)r/rr0r1r2r3r4rtrIrJrMr1r<r=r0r/rrurv)r6r3r"r4r<00>iprxrrrr;UsD
-												CRITICAL FIX: Migrate HAProxy IP blocking from ACL to map files

**Problem Solved:**
- HAProxy ACL 64-word limit caused config parsing failures
- "too many words, truncating after word 64" error
- Complete service outage when >64 IPs were blocked
- Error: "no such ACL : 'is_blocked'" broke all traffic routing

**Solution: HAProxy Map Files (v1.6+)**
- ✅ Unlimited IP addresses (no word limits)
- ✅ Runtime updates without config reloads
- ✅ Better performance (hash table vs linear search)
- ✅ Safer config management with validation & rollback

**Technical Implementation:**

**Map File Integration:**
- `/etc/haproxy/blocked_ips.map` stores all blocked IPs
- `http-request deny status 403 if { src -f /etc/haproxy/blocked_ips.map }`
- Runtime updates: `echo "add map #0 IP" | socat stdio /var/run/haproxy.sock`

**Safety Features Added:**
- `create_backup()` - Automatic config/map backups before changes
- `validate_haproxy_config()` - Config validation before applying
- `restore_backup()` - Automatic rollback on failures
- `reload_haproxy_safely()` - Safe reload with validation pipeline

**Runtime Management:**
- `update_blocked_ips_map()` - Sync database to map file
- `add_ip_to_runtime_map()` - Immediate IP blocking without reload
- `remove_ip_from_runtime_map()` - Immediate IP unblocking

**New API Endpoints:**
- `POST /api/config/reload` - Safe config reload with rollback
- `POST /api/blocked-ips/sync` - Sync database to runtime map

**Template Changes:**
- Replaced ACL method: `acl is_blocked src IP1 IP2...` (64 limit)
- With map method: `http-request deny if { src -f blocked_ips.map }` (unlimited)

**Backwards Compatibility:**
- Existing API endpoints unchanged (GET/POST/DELETE /api/blocked-ips)
- Database schema unchanged
- Automatic migration on first config generation

**Performance Improvements:**
- O(1) hash table lookups vs O(n) linear ACL search
- No config reloads needed for IP changes
- Supports millions of IPs if needed
- Memory efficient external file storage

**Documentation:**
- Complete migration guide in MIGRATION_GUIDE.md
- Updated API documentation with new endpoints
- Runtime management examples
- Troubleshooting guide

**Production Safety:**
- All changes include automatic backup/restore
- Config validation prevents bad deployments
- Runtime updates avoid service interruption
- Comprehensive error logging and monitoring

This fixes the critical production outage caused by ACL word limits
while providing a more scalable and performant IP blocking solution.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

											
										
										
											2025-08-22 08:31:17 -07:00
+								<1C>
 								<EFBFBD><02>
-												Fix HAProxy 3.0 compatibility issues in tarpit configuration

- Remove gpc2 from stick-table (not supported in HAProxy 3.0)
- Fix ACL syntax: Change sc_get_gpc0(0) to sc0_get_gpc0
- Fix ACL syntax: Change sc_http_err_rate(0,period) to sc0_http_err_rate(period)
- Fix ACL syntax: Change sc_get_gpc1(0) to sc0_get_gpc1
- Reorder rules to place http-request rules before use_backend rules
- Remove duplicate gpc2 increment rule

These changes ensure compatibility with HAProxy 3.0.11 while maintaining
the tarpit escalation functionality for exploit scanning protection.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

											
										
										
											2025-08-23 18:30:34 -07:00
+								<EFBFBD>"<08><02>r;cCs<00>z<>t<00>t<02>}tj|_|<00><05>}d}|<01>|<02>dd<03>|<01><07>D<00>}|<01>d<04>dd<03>|<01><07>D<00>}g}t<08>	d<06><01>
-												CRITICAL FIX: Migrate HAProxy IP blocking from ACL to map files

**Problem Solved:**
- HAProxy ACL 64-word limit caused config parsing failures
- "too many words, truncating after word 64" error
- Complete service outage when >64 IPs were blocked
- Error: "no such ACL : 'is_blocked'" broke all traffic routing

**Solution: HAProxy Map Files (v1.6+)**
- ✅ Unlimited IP addresses (no word limits)
- ✅ Runtime updates without config reloads
- ✅ Better performance (hash table vs linear search)
- ✅ Safer config management with validation & rollback

**Technical Implementation:**

**Map File Integration:**
- `/etc/haproxy/blocked_ips.map` stores all blocked IPs
- `http-request deny status 403 if { src -f /etc/haproxy/blocked_ips.map }`
- Runtime updates: `echo "add map #0 IP" | socat stdio /var/run/haproxy.sock`

**Safety Features Added:**
- `create_backup()` - Automatic config/map backups before changes
- `validate_haproxy_config()` - Config validation before applying
- `restore_backup()` - Automatic rollback on failures
- `reload_haproxy_safely()` - Safe reload with validation pipeline

**Runtime Management:**
- `update_blocked_ips_map()` - Sync database to map file
- `add_ip_to_runtime_map()` - Immediate IP blocking without reload
- `remove_ip_from_runtime_map()` - Immediate IP unblocking

**New API Endpoints:**
- `POST /api/config/reload` - Safe config reload with rollback
- `POST /api/blocked-ips/sync` - Sync database to runtime map

**Template Changes:**
- Replaced ACL method: `acl is_blocked src IP1 IP2...` (64 limit)
- With map method: `http-request deny if { src -f blocked_ips.map }` (unlimited)

**Backwards Compatibility:**
- Existing API endpoints unchanged (GET/POST/DELETE /api/blocked-ips)
- Database schema unchanged
- Automatic migration on first config generation

**Performance Improvements:**
- O(1) hash table lookups vs O(n) linear ACL search
- No config reloads needed for IP changes
- Supports millions of IPs if needed
- Memory efficient external file storage

**Documentation:**
- Complete migration guide in MIGRATION_GUIDE.md
- Updated API documentation with new endpoints
- Runtime management examples
- Troubleshooting guide

**Production Safety:**
- All changes include automatic backup/restore
- Config validation prevents bad deployments
- Runtime updates avoid service interruption
- Comprehensive error logging and monitoring

This fixes the critical production outage caused by ACL word limits
while providing a more scalable and performant IP blocking solution.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

											
										
										
											2025-08-22 08:31:17 -07:00
+								<EFBFBD>}|<05>|<06>t<0C>t<08>	d<07>j
 								t
d<08>}|<05>|<07>t<08>	d	<09><01>
 								<EFBFBD>}|<05>|<08>g}	g}
 								d
 								}|<05>|<0B>|D]<5D>}|dswt<0E>d|d
<00>d<0E><03>qezt<08>	d<0F>j
 								|d
|dd<10>}
|	<09>|
<0A>t<0E>d|d
<00><00><02>Wnty<>}zt<0E>d|d
<00>d|<0E><00><04>WYd}~qed}~wwzc|<01>d|df<01>dd<03>|<01><07>D<00>}|s<>t<0E>d|d<00><00><02>Wqe|ddur<>t<0E>d|d<00><00><02>|dd}t<08>	|<10>j
 								|d|d<1B>}nt<08>	d<1C>j
 								|d|d|d<1E>}|
 								<EFBFBD>|<11>t<0E>d|d<00><00><02>Wqet<11>y9}zt<0E>d |d<00>d|<0E><00><04>WYd}~qed}~ww|<05>d!<21>|	<09><01>t<08>	d"<22><01>
 								<EFBFBD>}|<05>|<12>zt<08>	d#<23><01>
 								<EFBFBD>}|<05>|<13>Wn"t<11>y~}zt<0E>d$|<0E><00><02>d%}|<05>|<14>WYd}~nd}~ww|<05>d!<21>|
 								<EFBFBD>d!<00>d&}d!<21>|<05>}t<0E>d'<27>ttd(<28><02>
}|<17>|<16>Wd<00>n	1<00>s<>wYt<18>\}}|<18>r<>t<0E>d)<29>td*d+d)<29>WdSd,|<19><00>}t<0E>|<1A>td*d-|<1A>t|<1A><01>t<11>y<>}zd.|<0E><00>}t<0E>|<1A>td*d-|<1A>d/dl}|<1B><1B><00>d}~ww)0Na[
-												Fix HAProxy 2.6 compatibility for default backend

- Replace http-response set-body (HAProxy 2.8+) with local server approach
- Add separate Flask server on port 8080 to serve default page
- Update default backend template to use local server instead of inline HTML
- Maintain all customization features via environment variables
- Fix JavaScript error handling for domains API response

											
										
										
											2025-07-11 19:27:42 -07:00
+								            SELECT
 								                d.id as domain_id,
 								                d.domain,
 								                d.ssl_enabled,
 								                d.ssl_cert_path,
 								                d.template_override,
 								                b.id as backend_id,
 								                b.name as backend_name
 								            FROM domains d
 								            LEFT JOIN backends b ON d.id = b.domain_id
-												Fix HAProxy 3.0 compatibility issues in tarpit configuration

- Remove gpc2 from stick-table (not supported in HAProxy 3.0)
- Fix ACL syntax: Change sc_get_gpc0(0) to sc0_get_gpc0
- Fix ACL syntax: Change sc_http_err_rate(0,period) to sc0_http_err_rate(period)
- Fix ACL syntax: Change sc_get_gpc1(0) to sc0_get_gpc1
- Reorder rules to place http-request rules before use_backend rules
- Remove duplicate gpc2 increment rule

These changes ensure compatibility with HAProxy 3.0.11 while maintaining
the tarpit escalation functionality for exploit scanning protection.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

											
										
										
											2025-08-23 18:30:34 -07:00
+								        cSrdrre)rhr<>rrrrj<00>rkz#generate_config.<locals>.<listcomp>z"SELECT ip_address FROM blocked_ipscSrrrrgrrrrj<00>rkzhap_header.tplzhap_listener.tpl)<01>crt_pathzhap_letsencrypt.tplzP    # Default backend for unmatched domains
-												Fix HAProxy 2.6 compatibility for default backend

- Replace http-response set-body (HAProxy 2.8+) with local server approach
- Add separate Flask server on port 8080 to serve default page
- Update default backend template to use local server instead of inline HTML
- Maintain all customization features via environment variables
- Fix JavaScript error handling for domains API response

											
										
										
											2025-07-11 19:27:42 -07:00
+								    default_backend default-backend
-												CRITICAL FIX: Migrate HAProxy IP blocking from ACL to map files

**Problem Solved:**
- HAProxy ACL 64-word limit caused config parsing failures
- "too many words, truncating after word 64" error
- Complete service outage when >64 IPs were blocked
- Error: "no such ACL : 'is_blocked'" broke all traffic routing

**Solution: HAProxy Map Files (v1.6+)**
- ✅ Unlimited IP addresses (no word limits)
- ✅ Runtime updates without config reloads
- ✅ Better performance (hash table vs linear search)
- ✅ Safer config management with validation & rollback

**Technical Implementation:**

**Map File Integration:**
- `/etc/haproxy/blocked_ips.map` stores all blocked IPs
- `http-request deny status 403 if { src -f /etc/haproxy/blocked_ips.map }`
- Runtime updates: `echo "add map #0 IP" | socat stdio /var/run/haproxy.sock`

**Safety Features Added:**
- `create_backup()` - Automatic config/map backups before changes
- `validate_haproxy_config()` - Config validation before applying
- `restore_backup()` - Automatic rollback on failures
- `reload_haproxy_safely()` - Safe reload with validation pipeline

**Runtime Management:**
- `update_blocked_ips_map()` - Sync database to map file
- `add_ip_to_runtime_map()` - Immediate IP blocking without reload
- `remove_ip_from_runtime_map()` - Immediate IP unblocking

**New API Endpoints:**
- `POST /api/config/reload` - Safe config reload with rollback
- `POST /api/blocked-ips/sync` - Sync database to runtime map

**Template Changes:**
- Replaced ACL method: `acl is_blocked src IP1 IP2...` (64 limit)
- With map method: `http-request deny if { src -f blocked_ips.map }` (unlimited)

**Backwards Compatibility:**
- Existing API endpoints unchanged (GET/POST/DELETE /api/blocked-ips)
- Database schema unchanged
- Automatic migration on first config generation

**Performance Improvements:**
- O(1) hash table lookups vs O(n) linear ACL search
- No config reloads needed for IP changes
- Supports millions of IPs if needed
- Memory efficient external file storage

**Documentation:**
- Complete migration guide in MIGRATION_GUIDE.md
- Updated API documentation with new endpoints
- Runtime management examples
- Troubleshooting guide

**Production Safety:**
- All changes include automatic backup/restore
- Config validation prevents bad deployments
- Runtime updates avoid service interruption
- Comprehensive error logging and monitoring

This fixes the critical production outage caused by ACL word limits
while providing a more scalable and performant IP blocking solution.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

											
										
										
											2025-08-22 08:31:17 -07:00
+								r<EFBFBD>zSkipping domain r<>z - no backend namezhap_subdomain_acl.tpl)r<>r[zAdded ACL for domain: z Error generating domain ACL for rzX
-												Fix HAProxy 2.6 compatibility for default backend

- Replace http-response set-body (HAProxy 2.8+) with local server approach
- Add separate Flask server on port 8080 to serve default page
- Update default backend template to use local server instead of inline HTML
- Maintain all customization features via environment variables
- Fix JavaScript error handling for domains API response

											
										
										
											2025-07-11 19:27:42 -07:00
+								                    SELECT * FROM backend_servers WHERE backend_id = ?
-												Fix HAProxy 3.0 compatibility issues in tarpit configuration

- Remove gpc2 from stick-table (not supported in HAProxy 3.0)
- Fix ACL syntax: Change sc_get_gpc0(0) to sc0_get_gpc0
- Fix ACL syntax: Change sc_http_err_rate(0,period) to sc0_http_err_rate(period)
- Fix ACL syntax: Change sc_get_gpc1(0) to sc0_get_gpc1
- Reorder rules to place http-request rules before use_backend rules
- Remove duplicate gpc2 increment rule

These changes ensure compatibility with HAProxy 3.0.11 while maintaining
the tarpit escalation functionality for exploit scanning protection.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

											
										
										
											2025-08-23 18:30:34 -07:00
+								                r<>cSrdrre)rhr<>rrrrj<00>rkzNo servers found for backend r<>zTemplate Override is set to: z.tpl)r[r<>zhap_backend.tplr<6C>)r[r<>r<>zAdded backend block for: z#Error generating backend block for r$zhap_letsencrypt_backend.tplzhap_default_backend.tplz"Error generating default backend: z<># Default backend for unmatched domains
-												Fix HAProxy 2.6 compatibility for default backend

- Replace http-response set-body (HAProxy 2.8+) with local server approach
- Add separate Flask server on port 8080 to serve default page
- Update default backend template to use local server instead of inline HTML
- Maintain all customization features via environment variables
- Fix JavaScript error handling for domains API response

											
										
										
											2025-07-11 19:27:42 -07:00
+								backend default-backend
 								    mode http
 								    option http-server-close
-												Fix HAProxy 3.0 compatibility issues in tarpit configuration

- Remove gpc2 from stick-table (not supported in HAProxy 3.0)
- Fix ACL syntax: Change sc_get_gpc0(0) to sc0_get_gpc0
- Fix ACL syntax: Change sc_http_err_rate(0,period) to sc0_http_err_rate(period)
- Fix ACL syntax: Change sc_get_gpc1(0) to sc0_get_gpc1
- Reorder rules to place http-request rules before use_backend rules
- Remove duplicate gpc2 increment rule

These changes ensure compatibility with HAProxy 3.0.11 while maintaining
the tarpit escalation functionality for exploit scanning protection.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

											
										
										
											2025-08-23 18:30:34 -07:00
+								    server default-page 127.0.0.1:8080rzGenerated HAProxy configurationr<6E>z3Configuration generated and HAProxy reloaded safelyrTTzSafe reload failed: FzError generating config: r)r0r1r2rrrsr3r4rt<00>template_env<6E>get_template<74>renderr<72>r/r<>r'r2r(rurrK<00>debugr)r<>r*<00>reload_haproxy_safelyr/<00>	traceback<63>	print_exc)r6r3<00>queryrwr"<00>config_parts<74>default_headers<72>listener_block<63>letsencrypt_acl<63>config_acls<6C>config_backends<64>default_ruler<65><00>
 								domain_aclrxr<><00>
template_file<6C>
backend_block<63>letsencrypt_backend<6E>default_backend<6E>fallback_backend<6E>temp_config_path<74>config_contentrr"ror<>rErrrrT<00>s<>
-												Fix HAProxy 2.6 compatibility for default backend

- Replace http-response set-body (HAProxy 2.8+) with local server approach
- Add separate Flask server on port 8080 to serve default page
- Update default backend template to use local server instead of inline HTML
- Maintain all customization features via environment variables
- Fix JavaScript error handling for domains API response

											
										
										
											2025-07-11 19:27:42 -07:00
-												CRITICAL FIX: Migrate HAProxy IP blocking from ACL to map files

**Problem Solved:**
- HAProxy ACL 64-word limit caused config parsing failures
- "too many words, truncating after word 64" error
- Complete service outage when >64 IPs were blocked
- Error: "no such ACL : 'is_blocked'" broke all traffic routing

**Solution: HAProxy Map Files (v1.6+)**
- ✅ Unlimited IP addresses (no word limits)
- ✅ Runtime updates without config reloads
- ✅ Better performance (hash table vs linear search)
- ✅ Safer config management with validation & rollback

**Technical Implementation:**

**Map File Integration:**
- `/etc/haproxy/blocked_ips.map` stores all blocked IPs
- `http-request deny status 403 if { src -f /etc/haproxy/blocked_ips.map }`
- Runtime updates: `echo "add map #0 IP" | socat stdio /var/run/haproxy.sock`

**Safety Features Added:**
- `create_backup()` - Automatic config/map backups before changes
- `validate_haproxy_config()` - Config validation before applying
- `restore_backup()` - Automatic rollback on failures
- `reload_haproxy_safely()` - Safe reload with validation pipeline

**Runtime Management:**
- `update_blocked_ips_map()` - Sync database to map file
- `add_ip_to_runtime_map()` - Immediate IP blocking without reload
- `remove_ip_from_runtime_map()` - Immediate IP unblocking

**New API Endpoints:**
- `POST /api/config/reload` - Safe config reload with rollback
- `POST /api/blocked-ips/sync` - Sync database to runtime map

**Template Changes:**
- Replaced ACL method: `acl is_blocked src IP1 IP2...` (64 limit)
- With map method: `http-request deny if { src -f blocked_ips.map }` (unlimited)

**Backwards Compatibility:**
- Existing API endpoints unchanged (GET/POST/DELETE /api/blocked-ips)
- Database schema unchanged
- Automatic migration on first config generation

**Performance Improvements:**
- O(1) hash table lookups vs O(n) linear ACL search
- No config reloads needed for IP changes
- Supports millions of IPs if needed
- Memory efficient external file storage

**Documentation:**
- Complete migration guide in MIGRATION_GUIDE.md
- Updated API documentation with new endpoints
- Runtime management examples
- Troubleshooting guide

**Production Safety:**
- All changes include automatic backup/restore
- Config validation prevents bad deployments
- Runtime updates avoid service interruption
- Comprehensive error logging and monitoring

This fixes the critical production outage caused by ACL word limits
while providing a more scalable and performant IP blocking solution.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

											
										
										
											2025-08-22 08:31:17 -07:00
-												Fix HAProxy 2.6 compatibility for default backend

- Replace http-response set-body (HAProxy 2.8+) with local server approach
- Add separate Flask server on port 8080 to serve default page
- Update default backend template to use local server instead of inline HTML
- Maintain all customization features via environment variables
- Fix JavaScript error handling for domains API response

											
										
										
											2025-07-11 19:27:42 -07:00
+								<06>
 								<06>
 								<08><02><04>
 								<08>
 								<06>
 								<08><02>
-												CRITICAL FIX: Migrate HAProxy IP blocking from ACL to map files

**Problem Solved:**
- HAProxy ACL 64-word limit caused config parsing failures
- "too many words, truncating after word 64" error
- Complete service outage when >64 IPs were blocked
- Error: "no such ACL : 'is_blocked'" broke all traffic routing

**Solution: HAProxy Map Files (v1.6+)**
- ✅ Unlimited IP addresses (no word limits)
- ✅ Runtime updates without config reloads
- ✅ Better performance (hash table vs linear search)
- ✅ Safer config management with validation & rollback

**Technical Implementation:**

**Map File Integration:**
- `/etc/haproxy/blocked_ips.map` stores all blocked IPs
- `http-request deny status 403 if { src -f /etc/haproxy/blocked_ips.map }`
- Runtime updates: `echo "add map #0 IP" | socat stdio /var/run/haproxy.sock`

**Safety Features Added:**
- `create_backup()` - Automatic config/map backups before changes
- `validate_haproxy_config()` - Config validation before applying
- `restore_backup()` - Automatic rollback on failures
- `reload_haproxy_safely()` - Safe reload with validation pipeline

**Runtime Management:**
- `update_blocked_ips_map()` - Sync database to map file
- `add_ip_to_runtime_map()` - Immediate IP blocking without reload
- `remove_ip_from_runtime_map()` - Immediate IP unblocking

**New API Endpoints:**
- `POST /api/config/reload` - Safe config reload with rollback
- `POST /api/blocked-ips/sync` - Sync database to runtime map

**Template Changes:**
- Replaced ACL method: `acl is_blocked src IP1 IP2...` (64 limit)
- With map method: `http-request deny if { src -f blocked_ips.map }` (unlimited)

**Backwards Compatibility:**
- Existing API endpoints unchanged (GET/POST/DELETE /api/blocked-ips)
- Database schema unchanged
- Automatic migration on first config generation

**Performance Improvements:**
- O(1) hash table lookups vs O(n) linear ACL search
- No config reloads needed for IP changes
- Supports millions of IPs if needed
- Memory efficient external file storage

**Documentation:**
- Complete migration guide in MIGRATION_GUIDE.md
- Updated API documentation with new endpoints
- Runtime management examples
- Troubleshooting guide

**Production Safety:**
- All changes include automatic backup/restore
- Config validation prevents bad deployments
- Runtime updates avoid service interruption
- Comprehensive error logging and monitoring

This fixes the critical production outage caused by ACL word limits
while providing a more scalable and performant IP blocking solution.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

											
										
										
											2025-08-22 08:31:17 -07:00
+								<08><02>
 								<1E>
-												Fix HAProxy 2.6 compatibility for default backend

- Replace http-response set-body (HAProxy 2.8+) with local server approach
- Add separate Flask server on port 8080 to serve default page
- Update default backend template to use local server instead of inline HTML
- Maintain all customization features via environment variables
- Fix JavaScript error handling for domains API response

											
										
										
											2025-07-11 19:27:42 -07:00
-												CRITICAL FIX: Migrate HAProxy IP blocking from ACL to map files

**Problem Solved:**
- HAProxy ACL 64-word limit caused config parsing failures
- "too many words, truncating after word 64" error
- Complete service outage when >64 IPs were blocked
- Error: "no such ACL : 'is_blocked'" broke all traffic routing

**Solution: HAProxy Map Files (v1.6+)**
- ✅ Unlimited IP addresses (no word limits)
- ✅ Runtime updates without config reloads
- ✅ Better performance (hash table vs linear search)
- ✅ Safer config management with validation & rollback

**Technical Implementation:**

**Map File Integration:**
- `/etc/haproxy/blocked_ips.map` stores all blocked IPs
- `http-request deny status 403 if { src -f /etc/haproxy/blocked_ips.map }`
- Runtime updates: `echo "add map #0 IP" | socat stdio /var/run/haproxy.sock`

**Safety Features Added:**
- `create_backup()` - Automatic config/map backups before changes
- `validate_haproxy_config()` - Config validation before applying
- `restore_backup()` - Automatic rollback on failures
- `reload_haproxy_safely()` - Safe reload with validation pipeline

**Runtime Management:**
- `update_blocked_ips_map()` - Sync database to map file
- `add_ip_to_runtime_map()` - Immediate IP blocking without reload
- `remove_ip_from_runtime_map()` - Immediate IP unblocking

**New API Endpoints:**
- `POST /api/config/reload` - Safe config reload with rollback
- `POST /api/blocked-ips/sync` - Sync database to runtime map

**Template Changes:**
- Replaced ACL method: `acl is_blocked src IP1 IP2...` (64 limit)
- With map method: `http-request deny if { src -f blocked_ips.map }` (unlimited)

**Backwards Compatibility:**
- Existing API endpoints unchanged (GET/POST/DELETE /api/blocked-ips)
- Database schema unchanged
- Automatic migration on first config generation

**Performance Improvements:**
- O(1) hash table lookups vs O(n) linear ACL search
- No config reloads needed for IP changes
- Supports millions of IPs if needed
- Memory efficient external file storage

**Documentation:**
- Complete migration guide in MIGRATION_GUIDE.md
- Updated API documentation with new endpoints
- Runtime management examples
- Troubleshooting guide

**Production Safety:**
- All changes include automatic backup/restore
- Config validation prevents bad deployments
- Runtime updates avoid service interruption
- Comprehensive error logging and monitoring

This fixes the critical production outage caused by ACL word limits
while providing a more scalable and performant IP blocking solution.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

											
										
										
											2025-08-22 08:31:17 -07:00
+								<08><02>rTc
 								C<00>xz tj<01>t<03>r
t<04>tt<06>tj<01>t<07>rt<04>tt<08>t	<09>
-												Fix HAProxy 3.0 compatibility issues in tarpit configuration

- Remove gpc2 from stick-table (not supported in HAProxy 3.0)
- Fix ACL syntax: Change sc_get_gpc0(0) to sc0_get_gpc0
- Fix ACL syntax: Change sc_http_err_rate(0,period) to sc0_http_err_rate(period)
- Fix ACL syntax: Change sc_get_gpc1(0) to sc0_get_gpc1
- Reorder rules to place http-request rules before use_backend rules
- Remove duplicate gpc2 increment rule

These changes ensure compatibility with HAProxy 3.0.11 while maintaining
the tarpit escalation functionality for exploit scanning protection.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

											
										
										
											2025-08-23 18:30:34 -07:00
+								d<01>WdSty;}zt	<09>d|<00><00><02>WYd}~dSd}~ww)z-Create backup of current config and map fileszBackups created successfullyTzFailed to create backup: NF)
rIrJrMr<><00>shutil<69>copy2<79>HAPROXY_BACKUP_PATH<54>BLOCKED_IPS_MAP_PATH<54>BLOCKED_IPS_MAP_BACKUP_PATHr'r(rurr<>rrr<00>
create_backup<00>
 								<08><02>r]c
 								CrW)zRestore from backup fileszBackups restored successfullyTzFailed to restore backup: NF)
rIrJrMrZrXrYr<>r\r[r'r(rurr<>rrr<00>restore_backup%r^r_c
-												CRITICAL FIX: Migrate HAProxy IP blocking from ACL to map files

**Problem Solved:**
- HAProxy ACL 64-word limit caused config parsing failures
- "too many words, truncating after word 64" error
- Complete service outage when >64 IPs were blocked
- Error: "no such ACL : 'is_blocked'" broke all traffic routing

**Solution: HAProxy Map Files (v1.6+)**
- ✅ Unlimited IP addresses (no word limits)
- ✅ Runtime updates without config reloads
- ✅ Better performance (hash table vs linear search)
- ✅ Safer config management with validation & rollback

**Technical Implementation:**

**Map File Integration:**
- `/etc/haproxy/blocked_ips.map` stores all blocked IPs
- `http-request deny status 403 if { src -f /etc/haproxy/blocked_ips.map }`
- Runtime updates: `echo "add map #0 IP" | socat stdio /var/run/haproxy.sock`

**Safety Features Added:**
- `create_backup()` - Automatic config/map backups before changes
- `validate_haproxy_config()` - Config validation before applying
- `restore_backup()` - Automatic rollback on failures
- `reload_haproxy_safely()` - Safe reload with validation pipeline

**Runtime Management:**
- `update_blocked_ips_map()` - Sync database to map file
- `add_ip_to_runtime_map()` - Immediate IP blocking without reload
- `remove_ip_from_runtime_map()` - Immediate IP unblocking

**New API Endpoints:**
- `POST /api/config/reload` - Safe config reload with rollback
- `POST /api/blocked-ips/sync` - Sync database to runtime map

**Template Changes:**
- Replaced ACL method: `acl is_blocked src IP1 IP2...` (64 limit)
- With map method: `http-request deny if { src -f blocked_ips.map }` (unlimited)

**Backwards Compatibility:**
- Existing API endpoints unchanged (GET/POST/DELETE /api/blocked-ips)
- Database schema unchanged
- Automatic migration on first config generation

**Performance Improvements:**
- O(1) hash table lookups vs O(n) linear ACL search
- No config reloads needed for IP changes
- Supports millions of IPs if needed
- Memory efficient external file storage

**Documentation:**
- Complete migration guide in MIGRATION_GUIDE.md
- Updated API documentation with new endpoints
- Runtime management examples
- Troubleshooting guide

**Production Safety:**
- All changes include automatic backup/restore
- Config validation prevents bad deployments
- Runtime updates avoid service interruption
- Comprehensive error logging and monitoring

This fixes the critical production outage caused by ACL word limits
while providing a more scalable and performant IP blocking solution.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

											
										
										
											2025-08-22 08:31:17 -07:00
+								Cs<>z)tjdddtgddd<05>}|jdkrt<04>d<07>WdSd	|j<06><00>}t<04>|<01>d
 								|fWStyI}zd|<02><00>}t<04>|<01>d
-												Fix HAProxy 3.0 compatibility issues in tarpit configuration

- Remove gpc2 from stick-table (not supported in HAProxy 3.0)
- Fix ACL syntax: Change sc_get_gpc0(0) to sc0_get_gpc0
- Fix ACL syntax: Change sc_http_err_rate(0,period) to sc0_http_err_rate(period)
- Fix ACL syntax: Change sc_get_gpc1(0) to sc0_get_gpc1
- Reorder rules to place http-request rules before use_backend rules
- Remove duplicate gpc2 increment rule

These changes ensure compatibility with HAProxy 3.0.11 while maintaining
the tarpit escalation functionality for exploit scanning protection.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

											
										
										
											2025-08-23 18:30:34 -07:00
+								|fWYd}~Sd}~ww)
z#Validate HAProxy configuration filery<00>-cr<63>Tr<54>rz'HAProxy configuration validation passed<65>TNz)HAProxy configuration validation failed: Fz!Error validating HAProxy config: N)	r<r=r<>r>r'r(r<>rrur<>rrr<00>validate_haproxy_config2s <06>
-												CRITICAL FIX: Migrate HAProxy IP blocking from ACL to map files

**Problem Solved:**
- HAProxy ACL 64-word limit caused config parsing failures
- "too many words, truncating after word 64" error
- Complete service outage when >64 IPs were blocked
- Error: "no such ACL : 'is_blocked'" broke all traffic routing

**Solution: HAProxy Map Files (v1.6+)**
- ✅ Unlimited IP addresses (no word limits)
- ✅ Runtime updates without config reloads
- ✅ Better performance (hash table vs linear search)
- ✅ Safer config management with validation & rollback

**Technical Implementation:**

**Map File Integration:**
- `/etc/haproxy/blocked_ips.map` stores all blocked IPs
- `http-request deny status 403 if { src -f /etc/haproxy/blocked_ips.map }`
- Runtime updates: `echo "add map #0 IP" | socat stdio /var/run/haproxy.sock`

**Safety Features Added:**
- `create_backup()` - Automatic config/map backups before changes
- `validate_haproxy_config()` - Config validation before applying
- `restore_backup()` - Automatic rollback on failures
- `reload_haproxy_safely()` - Safe reload with validation pipeline

**Runtime Management:**
- `update_blocked_ips_map()` - Sync database to map file
- `add_ip_to_runtime_map()` - Immediate IP blocking without reload
- `remove_ip_from_runtime_map()` - Immediate IP unblocking

**New API Endpoints:**
- `POST /api/config/reload` - Safe config reload with rollback
- `POST /api/blocked-ips/sync` - Sync database to runtime map

**Template Changes:**
- Replaced ACL method: `acl is_blocked src IP1 IP2...` (64 limit)
- With map method: `http-request deny if { src -f blocked_ips.map }` (unlimited)

**Backwards Compatibility:**
- Existing API endpoints unchanged (GET/POST/DELETE /api/blocked-ips)
- Database schema unchanged
- Automatic migration on first config generation

**Performance Improvements:**
- O(1) hash table lookups vs O(n) linear ACL search
- No config reloads needed for IP changes
- Supports millions of IPs if needed
- Memory efficient external file storage

**Documentation:**
- Complete migration guide in MIGRATION_GUIDE.md
- Updated API documentation with new endpoints
- Runtime management examples
- Troubleshooting guide

**Production Safety:**
- All changes include automatic backup/restore
- Config validation prevents bad deployments
- Runtime updates avoid service interruption
- Comprehensive error logging and monitoring

This fixes the critical production outage caused by ACL word limits
while providing a more scalable and performant IP blocking solution.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

											
										
										
											2025-08-22 08:31:17 -07:00
-												Fix HAProxy 3.0 compatibility issues in tarpit configuration

- Remove gpc2 from stick-table (not supported in HAProxy 3.0)
- Fix ACL syntax: Change sc_get_gpc0(0) to sc0_get_gpc0
- Fix ACL syntax: Change sc_http_err_rate(0,period) to sc0_http_err_rate(period)
- Fix ACL syntax: Change sc_get_gpc1(0) to sc0_get_gpc1
- Reorder rules to place http-request rules before use_backend rules
- Remove duplicate gpc2 increment rule

These changes ensure compatibility with HAProxy 3.0.11 while maintaining
the tarpit escalation functionality for exploit scanning protection.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

											
										
										
											2025-08-23 18:30:34 -07:00
+								<08><02>rbc
-												CRITICAL FIX: Migrate HAProxy IP blocking from ACL to map files

**Problem Solved:**
- HAProxy ACL 64-word limit caused config parsing failures
- "too many words, truncating after word 64" error
- Complete service outage when >64 IPs were blocked
- Error: "no such ACL : 'is_blocked'" broke all traffic routing

**Solution: HAProxy Map Files (v1.6+)**
- ✅ Unlimited IP addresses (no word limits)
- ✅ Runtime updates without config reloads
- ✅ Better performance (hash table vs linear search)
- ✅ Safer config management with validation & rollback

**Technical Implementation:**

**Map File Integration:**
- `/etc/haproxy/blocked_ips.map` stores all blocked IPs
- `http-request deny status 403 if { src -f /etc/haproxy/blocked_ips.map }`
- Runtime updates: `echo "add map #0 IP" | socat stdio /var/run/haproxy.sock`

**Safety Features Added:**
- `create_backup()` - Automatic config/map backups before changes
- `validate_haproxy_config()` - Config validation before applying
- `restore_backup()` - Automatic rollback on failures
- `reload_haproxy_safely()` - Safe reload with validation pipeline

**Runtime Management:**
- `update_blocked_ips_map()` - Sync database to map file
- `add_ip_to_runtime_map()` - Immediate IP blocking without reload
- `remove_ip_from_runtime_map()` - Immediate IP unblocking

**New API Endpoints:**
- `POST /api/config/reload` - Safe config reload with rollback
- `POST /api/blocked-ips/sync` - Sync database to runtime map

**Template Changes:**
- Replaced ACL method: `acl is_blocked src IP1 IP2...` (64 limit)
- With map method: `http-request deny if { src -f blocked_ips.map }` (unlimited)

**Backwards Compatibility:**
- Existing API endpoints unchanged (GET/POST/DELETE /api/blocked-ips)
- Database schema unchanged
- Automatic migration on first config generation

**Performance Improvements:**
- O(1) hash table lookups vs O(n) linear ACL search
- No config reloads needed for IP changes
- Supports millions of IPs if needed
- Memory efficient external file storage

**Documentation:**
- Complete migration guide in MIGRATION_GUIDE.md
- Updated API documentation with new endpoints
- Runtime management examples
- Troubleshooting guide

**Production Safety:**
- All changes include automatic backup/restore
- Config validation prevents bad deployments
- Runtime updates avoid service interruption
- Comprehensive error logging and monitoring

This fixes the critical production outage caused by ACL word limits
while providing a more scalable and performant IP blocking solution.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

											
										
										
											2025-08-22 08:31:17 -07:00
+								Cs<>z<>t<00>sWdSt<01>\}}|st<02>dd|<01><00>fWStd<04>r<>zFtj<05>t<07>r1tj	dt<07><00>dddd<07>}n	tj	ddddd<07>}|j
 								d	krHt<0B>d
-												Fix HAProxy 3.0 compatibility issues in tarpit configuration

- Remove gpc2 from stick-table (not supported in HAProxy 3.0)
- Fix ACL syntax: Change sc_get_gpc0(0) to sc0_get_gpc0
- Fix ACL syntax: Change sc_http_err_rate(0,period) to sc0_http_err_rate(period)
- Fix ACL syntax: Change sc_get_gpc1(0) to sc0_get_gpc1
- Reorder rules to place http-request rules before use_backend rules
- Remove duplicate gpc2 increment rule

These changes ensure compatibility with HAProxy 3.0.11 while maintaining
the tarpit escalation functionality for exploit scanning protection.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

											
										
										
											2025-08-23 18:30:34 -07:00
+								<EFBFBD>WWdSt<02>tj	dddd<0C>d
|j
<0A><00>}t<0B>|<01>d|fWWSty<>}zt<02>d|<03><00>}t<0B>|<01>d|fWYd}~WSd}~wwztj	dddddtgdddd<14>}t<0B>d<15>WWdStjy<>}zt<02>d|j
<0A><00>}t<0B>|<01>d|fWYd}~WSd}~wwty<>}zd|<03><00>}t<0B>|<01>d|fWYd}~Sd}~ww)z2Safely reload HAProxy with validation and rollback)FzFailed to create backupFzConfig validation failed: ryr,Tr<54>r<>r<00>HAProxy reloaded successfully)Trcr:zHAProxy reload failed: zCritical error during reload: Nr<4E>r<>r<>r<>r<>r<>)Tr<54>r<>z"Critical error in reload process: )r]rbr_r`rIrJrMr1r<r=r>r'r(r<>rrur<>r<>)<05>is_validr<64>r<>rxr?rrrrDCsn
-												CRITICAL FIX: Migrate HAProxy IP blocking from ACL to map files

**Problem Solved:**
- HAProxy ACL 64-word limit caused config parsing failures
- "too many words, truncating after word 64" error
- Complete service outage when >64 IPs were blocked
- Error: "no such ACL : 'is_blocked'" broke all traffic routing

**Solution: HAProxy Map Files (v1.6+)**
- ✅ Unlimited IP addresses (no word limits)
- ✅ Runtime updates without config reloads
- ✅ Better performance (hash table vs linear search)
- ✅ Safer config management with validation & rollback

**Technical Implementation:**

**Map File Integration:**
- `/etc/haproxy/blocked_ips.map` stores all blocked IPs
- `http-request deny status 403 if { src -f /etc/haproxy/blocked_ips.map }`
- Runtime updates: `echo "add map #0 IP" | socat stdio /var/run/haproxy.sock`

**Safety Features Added:**
- `create_backup()` - Automatic config/map backups before changes
- `validate_haproxy_config()` - Config validation before applying
- `restore_backup()` - Automatic rollback on failures
- `reload_haproxy_safely()` - Safe reload with validation pipeline

**Runtime Management:**
- `update_blocked_ips_map()` - Sync database to map file
- `add_ip_to_runtime_map()` - Immediate IP blocking without reload
- `remove_ip_from_runtime_map()` - Immediate IP unblocking

**New API Endpoints:**
- `POST /api/config/reload` - Safe config reload with rollback
- `POST /api/blocked-ips/sync` - Sync database to runtime map

**Template Changes:**
- Replaced ACL method: `acl is_blocked src IP1 IP2...` (64 limit)
- With map method: `http-request deny if { src -f blocked_ips.map }` (unlimited)

**Backwards Compatibility:**
- Existing API endpoints unchanged (GET/POST/DELETE /api/blocked-ips)
- Database schema unchanged
- Automatic migration on first config generation

**Performance Improvements:**
- O(1) hash table lookups vs O(n) linear ACL search
- No config reloads needed for IP changes
- Supports millions of IPs if needed
- Memory efficient external file storage

**Documentation:**
- Complete migration guide in MIGRATION_GUIDE.md
- Updated API documentation with new endpoints
- Runtime management examples
- Troubleshooting guide

**Production Safety:**
- All changes include automatic backup/restore
- Config validation prevents bad deployments
- Runtime updates avoid service interruption
- Comprehensive error logging and monitoring

This fixes the critical production outage caused by ACL word limits
while providing a more scalable and performant IP blocking solution.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

											
										
										
											2025-08-22 08:31:17 -07:00
+								<08><06>
 								<06>
 								<08><02><06>
 								<08><02>
-												Fix HAProxy 3.0 compatibility issues in tarpit configuration

- Remove gpc2 from stick-table (not supported in HAProxy 3.0)
- Fix ACL syntax: Change sc_get_gpc0(0) to sc0_get_gpc0
- Fix ACL syntax: Change sc_http_err_rate(0,period) to sc0_http_err_rate(period)
- Fix ACL syntax: Change sc_get_gpc1(0) to sc0_get_gpc1
- Reorder rules to place http-request rules before use_backend rules
- Remove duplicate gpc2 increment rule

These changes ensure compatibility with HAProxy 3.0.11 while maintaining
the tarpit escalation functionality for exploit scanning protection.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

											
										
										
											2025-08-23 18:30:34 -07:00
+								<08><02>rDc
-												CRITICAL FIX: Migrate HAProxy IP blocking from ACL to map files

**Problem Solved:**
- HAProxy ACL 64-word limit caused config parsing failures
- "too many words, truncating after word 64" error
- Complete service outage when >64 IPs were blocked
- Error: "no such ACL : 'is_blocked'" broke all traffic routing

**Solution: HAProxy Map Files (v1.6+)**
- ✅ Unlimited IP addresses (no word limits)
- ✅ Runtime updates without config reloads
- ✅ Better performance (hash table vs linear search)
- ✅ Safer config management with validation & rollback

**Technical Implementation:**

**Map File Integration:**
- `/etc/haproxy/blocked_ips.map` stores all blocked IPs
- `http-request deny status 403 if { src -f /etc/haproxy/blocked_ips.map }`
- Runtime updates: `echo "add map #0 IP" | socat stdio /var/run/haproxy.sock`

**Safety Features Added:**
- `create_backup()` - Automatic config/map backups before changes
- `validate_haproxy_config()` - Config validation before applying
- `restore_backup()` - Automatic rollback on failures
- `reload_haproxy_safely()` - Safe reload with validation pipeline

**Runtime Management:**
- `update_blocked_ips_map()` - Sync database to map file
- `add_ip_to_runtime_map()` - Immediate IP blocking without reload
- `remove_ip_from_runtime_map()` - Immediate IP unblocking

**New API Endpoints:**
- `POST /api/config/reload` - Safe config reload with rollback
- `POST /api/blocked-ips/sync` - Sync database to runtime map

**Template Changes:**
- Replaced ACL method: `acl is_blocked src IP1 IP2...` (64 limit)
- With map method: `http-request deny if { src -f blocked_ips.map }` (unlimited)

**Backwards Compatibility:**
- Existing API endpoints unchanged (GET/POST/DELETE /api/blocked-ips)
- Database schema unchanged
- Automatic migration on first config generation

**Performance Improvements:**
- O(1) hash table lookups vs O(n) linear ACL search
- No config reloads needed for IP changes
- Supports millions of IPs if needed
- Memory efficient external file storage

**Documentation:**
- Complete migration guide in MIGRATION_GUIDE.md
- Updated API documentation with new endpoints
- Runtime management examples
- Troubleshooting guide

**Production Safety:**
- All changes include automatic backup/restore
- Config validation prevents bad deployments
- Runtime updates avoid service interruption
- Comprehensive error logging and monitoring

This fixes the critical production outage caused by ACL word limits
while providing a more scalable and performant IP blocking solution.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

											
										
										
											2025-08-22 08:31:17 -07:00
+								Cs<>zbt<00>t<02><01>}|<00><03>}|<01>d<01>dd<03>|<01><05>D<00>}Wd<00>n1s#wYtjtj<08>	t
 								<EFBFBD>dd<06>tt
 								d<07><02>}|D]
 								}|<03>|<04>d<08><02>q;Wd<00>n1sPwYt
<0A>d	t|<02><01>d
-												Fix HAProxy 3.0 compatibility issues in tarpit configuration

- Remove gpc2 from stick-table (not supported in HAProxy 3.0)
- Fix ACL syntax: Change sc_get_gpc0(0) to sc0_get_gpc0
- Fix ACL syntax: Change sc_http_err_rate(0,period) to sc0_http_err_rate(period)
- Fix ACL syntax: Change sc_get_gpc1(0) to sc0_get_gpc1
- Reorder rules to place http-request rules before use_backend rules
- Remove duplicate gpc2 increment rule

These changes ensure compatibility with HAProxy 3.0.11 while maintaining
the tarpit escalation functionality for exploit scanning protection.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

											
										
										
											2025-08-23 18:30:34 -07:00
+								<EFBFBD><03>WdSty}}zt
<0A>d|<05><00><02>WYd}~dSd}~ww)
z-Update the blocked IPs map file from databaser9cSrrrrgrrrrj<00>rkz*update_blocked_ips_map.<locals>.<listcomp>NTr<54>r<>r$z"Updated blocked IPs map file with z IPsz"Failed to update blocked IPs map: F)r0r1r2r3r4rtrIr<>rJ<00>dirnamer[r)r*r'r(rrur)r6r3r"rr>rxrrrr/<00>s&
 								<1C><02><1C><08><02>r/c
-												CRITICAL FIX: Migrate HAProxy IP blocking from ACL to map files

**Problem Solved:**
- HAProxy ACL 64-word limit caused config parsing failures
- "too many words, truncating after word 64" error
- Complete service outage when >64 IPs were blocked
- Error: "no such ACL : 'is_blocked'" broke all traffic routing

**Solution: HAProxy Map Files (v1.6+)**
- ✅ Unlimited IP addresses (no word limits)
- ✅ Runtime updates without config reloads
- ✅ Better performance (hash table vs linear search)
- ✅ Safer config management with validation & rollback

**Technical Implementation:**

**Map File Integration:**
- `/etc/haproxy/blocked_ips.map` stores all blocked IPs
- `http-request deny status 403 if { src -f /etc/haproxy/blocked_ips.map }`
- Runtime updates: `echo "add map #0 IP" | socat stdio /var/run/haproxy.sock`

**Safety Features Added:**
- `create_backup()` - Automatic config/map backups before changes
- `validate_haproxy_config()` - Config validation before applying
- `restore_backup()` - Automatic rollback on failures
- `reload_haproxy_safely()` - Safe reload with validation pipeline

**Runtime Management:**
- `update_blocked_ips_map()` - Sync database to map file
- `add_ip_to_runtime_map()` - Immediate IP blocking without reload
- `remove_ip_from_runtime_map()` - Immediate IP unblocking

**New API Endpoints:**
- `POST /api/config/reload` - Safe config reload with rollback
- `POST /api/blocked-ips/sync` - Sync database to runtime map

**Template Changes:**
- Replaced ACL method: `acl is_blocked src IP1 IP2...` (64 limit)
- With map method: `http-request deny if { src -f blocked_ips.map }` (unlimited)

**Backwards Compatibility:**
- Existing API endpoints unchanged (GET/POST/DELETE /api/blocked-ips)
- Database schema unchanged
- Automatic migration on first config generation

**Performance Improvements:**
- O(1) hash table lookups vs O(n) linear ACL search
- No config reloads needed for IP changes
- Supports millions of IPs if needed
- Memory efficient external file storage

**Documentation:**
- Complete migration guide in MIGRATION_GUIDE.md
- Updated API documentation with new endpoints
- Runtime management examples
- Troubleshooting guide

**Production Safety:**
- All changes include automatic backup/restore
- Config validation prevents bad deployments
- Runtime updates avoid service interruption
- Comprehensive error logging and monitoring

This fixes the critical production outage caused by ACL word limits
while providing a more scalable and performant IP blocking solution.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

											
										
										
											2025-08-22 08:31:17 -07:00
+								C<00><>z9tj<01>t<03>r
 								t}nd}d|<00>d|<01><00>}tj|dddd<05>}|jdkr.t<07>d|<00>d<08><03>WdSt<07>	d	|j
 								<EFBFBD><00><02>Wd
 								StyT}zt<07>d|<04><00><02>WYd}~d
-												Fix HAProxy 3.0 compatibility issues in tarpit configuration

- Remove gpc2 from stick-table (not supported in HAProxy 3.0)
- Fix ACL syntax: Change sc_get_gpc0(0) to sc0_get_gpc0
- Fix ACL syntax: Change sc_http_err_rate(0,period) to sc0_http_err_rate(period)
- Fix ACL syntax: Change sc_get_gpc1(0) to sc0_get_gpc1
- Reorder rules to place http-request rules before use_backend rules
- Remove duplicate gpc2 increment rule

These changes ensure compatibility with HAProxy 3.0.11 while maintaining
the tarpit escalation functionality for exploit scanning protection.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

											
										
										
											2025-08-23 18:30:34 -07:00
+								Sd}~ww)
z,Add IP to HAProxy runtime map without reloadr+zecho "add map #0 <20>" | socat stdio T<>r<>r:r<>rz	Added IP z to runtime mapz!Failed to add IP to runtime map: Fz Error adding IP to runtime map: N<>
rIrJrMr1r<r=r>r'r(r2r<>rur<00>r#r4rr?rxrrrr0<00><00>
 								<08><02>r0c
 								Crf)
z1Remove IP from HAProxy runtime map without reloadr+zecho "del map #0 rgTrhrzRemoved IP z from runtime mapz&Failed to remove IP from runtime map: Fz$Error removing IP from runtime map: Nrirjrrrr6<00>rkr6c
-												CRITICAL FIX: Migrate HAProxy IP blocking from ACL to map files

**Problem Solved:**
- HAProxy ACL 64-word limit caused config parsing failures
- "too many words, truncating after word 64" error
- Complete service outage when >64 IPs were blocked
- Error: "no such ACL : 'is_blocked'" broke all traffic routing

**Solution: HAProxy Map Files (v1.6+)**
- ✅ Unlimited IP addresses (no word limits)
- ✅ Runtime updates without config reloads
- ✅ Better performance (hash table vs linear search)
- ✅ Safer config management with validation & rollback

**Technical Implementation:**

**Map File Integration:**
- `/etc/haproxy/blocked_ips.map` stores all blocked IPs
- `http-request deny status 403 if { src -f /etc/haproxy/blocked_ips.map }`
- Runtime updates: `echo "add map #0 IP" | socat stdio /var/run/haproxy.sock`

**Safety Features Added:**
- `create_backup()` - Automatic config/map backups before changes
- `validate_haproxy_config()` - Config validation before applying
- `restore_backup()` - Automatic rollback on failures
- `reload_haproxy_safely()` - Safe reload with validation pipeline

**Runtime Management:**
- `update_blocked_ips_map()` - Sync database to map file
- `add_ip_to_runtime_map()` - Immediate IP blocking without reload
- `remove_ip_from_runtime_map()` - Immediate IP unblocking

**New API Endpoints:**
- `POST /api/config/reload` - Safe config reload with rollback
- `POST /api/blocked-ips/sync` - Sync database to runtime map

**Template Changes:**
- Replaced ACL method: `acl is_blocked src IP1 IP2...` (64 limit)
- With map method: `http-request deny if { src -f blocked_ips.map }` (unlimited)

**Backwards Compatibility:**
- Existing API endpoints unchanged (GET/POST/DELETE /api/blocked-ips)
- Database schema unchanged
- Automatic migration on first config generation

**Performance Improvements:**
- O(1) hash table lookups vs O(n) linear ACL search
- No config reloads needed for IP changes
- Supports millions of IPs if needed
- Memory efficient external file storage

**Documentation:**
- Complete migration guide in MIGRATION_GUIDE.md
- Updated API documentation with new endpoints
- Runtime management examples
- Troubleshooting guide

**Production Safety:**
- All changes include automatic backup/restore
- Config validation prevents bad deployments
- Runtime updates avoid service interruption
- Comprehensive error logging and monitoring

This fixes the critical production outage caused by ACL word limits
while providing a more scalable and performant IP blocking solution.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

											
										
										
											2025-08-22 08:31:17 -07:00
+								CsNtd<01><01>s%z<>tj<02>t<04>st<05>d<02>WdStjdddtgddd<06>}|j	dkr<>t<05>
 								d|j<0B><00><02>t<05>d	<09>z
 								t<0C>t<05>
d
 								<EFBFBD>Wn+tyh}zt<05>
 								d|<01><00><02>t<05>d<0C>td
dd|j<0B><00><02>WYd}~WdSd}~wwtjdddtgddd<06>}|j	dkr<>t<05>
 								d|j<0B><00><02>t<05>d<0C>td
dd|j<0B><00><02>WdStjdddddtgdddd<14>}|j	dkr<>t<05>
d<15>td
dd<15>WdSd|j<10>d|j<0B><00>}t<05>
 								|<03>td
d|<03>WdStjy<>}z!d|j<10>d|j<0B><00>}t<05>
 								|<03>td
d|<03>t<05>d<1A>WYd}~dSd}~wt<0E>y$}zd|<04><00>}t<05>
-												Fix HAProxy 3.0 compatibility issues in tarpit configuration

- Remove gpc2 from stick-table (not supported in HAProxy 3.0)
- Fix ACL syntax: Change sc_get_gpc0(0) to sc0_get_gpc0
- Fix ACL syntax: Change sc_http_err_rate(0,period) to sc0_http_err_rate(period)
- Fix ACL syntax: Change sc_get_gpc1(0) to sc0_get_gpc1
- Reorder rules to place http-request rules before use_backend rules
- Remove duplicate gpc2 increment rule

These changes ensure compatibility with HAProxy 3.0.11 while maintaining
the tarpit escalation functionality for exploit scanning protection.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

											
										
										
											2025-08-23 18:30:34 -07:00
+								|<03>td
d|<03>t<05>d<1A>WYd}~dSd}~wwdS)Nryz5HAProxy config file not found, skipping HAProxy startr`r<>Tr<54>rz"HAProxy configuration is invalid: z)Attempting to regenerate configuration...z&Configuration regenerated successfullyz$Failed to regenerate configuration: z2HAProxy will not start due to configuration errorsr<73>FzInvalid config: z;HAProxy configuration is still invalid after regeneration: r<>r<>r<>r<>r<>r<>r<>r<>r$z/Container will continue without HAProxy runningz#Unexpected error starting HAProxy: )r`rIrJrMr<>r'r2r<r=r>rr<>rTr(rur/r<>r<>)<05>test_result<6C>	gen_errorr?r<>rxrrrr<><00>sv
-												CRITICAL FIX: Migrate HAProxy IP blocking from ACL to map files

**Problem Solved:**
- HAProxy ACL 64-word limit caused config parsing failures
- "too many words, truncating after word 64" error
- Complete service outage when >64 IPs were blocked
- Error: "no such ACL : 'is_blocked'" broke all traffic routing

**Solution: HAProxy Map Files (v1.6+)**
- ✅ Unlimited IP addresses (no word limits)
- ✅ Runtime updates without config reloads
- ✅ Better performance (hash table vs linear search)
- ✅ Safer config management with validation & rollback

**Technical Implementation:**

**Map File Integration:**
- `/etc/haproxy/blocked_ips.map` stores all blocked IPs
- `http-request deny status 403 if { src -f /etc/haproxy/blocked_ips.map }`
- Runtime updates: `echo "add map #0 IP" | socat stdio /var/run/haproxy.sock`

**Safety Features Added:**
- `create_backup()` - Automatic config/map backups before changes
- `validate_haproxy_config()` - Config validation before applying
- `restore_backup()` - Automatic rollback on failures
- `reload_haproxy_safely()` - Safe reload with validation pipeline

**Runtime Management:**
- `update_blocked_ips_map()` - Sync database to map file
- `add_ip_to_runtime_map()` - Immediate IP blocking without reload
- `remove_ip_from_runtime_map()` - Immediate IP unblocking

**New API Endpoints:**
- `POST /api/config/reload` - Safe config reload with rollback
- `POST /api/blocked-ips/sync` - Sync database to runtime map

**Template Changes:**
- Replaced ACL method: `acl is_blocked src IP1 IP2...` (64 limit)
- With map method: `http-request deny if { src -f blocked_ips.map }` (unlimited)

**Backwards Compatibility:**
- Existing API endpoints unchanged (GET/POST/DELETE /api/blocked-ips)
- Database schema unchanged
- Automatic migration on first config generation

**Performance Improvements:**
- O(1) hash table lookups vs O(n) linear ACL search
- No config reloads needed for IP changes
- Supports millions of IPs if needed
- Memory efficient external file storage

**Documentation:**
- Complete migration guide in MIGRATION_GUIDE.md
- Updated API documentation with new endpoints
- Runtime management examples
- Troubleshooting guide

**Production Safety:**
- All changes include automatic backup/restore
- Config validation prevents bad deployments
- Runtime updates avoid service interruption
- Comprehensive error logging and monitoring

This fixes the critical production outage caused by ACL word limits
while providing a more scalable and performant IP blocking solution.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

											
										
										
											2025-08-22 08:31:17 -07:00
 								<06>
 								<08><02>
 								<06>
 								<06>
-												Fix HAProxy 2.6 compatibility for default backend

- Replace http-response set-body (HAProxy 2.8+) with local server approach
- Add separate Flask server on port 8080 to serve default page
- Update default backend template to use local server instead of inline HTML
- Maintain all customization features via environment variables
- Fix JavaScript error handling for domains API response

											
										
										
											2025-07-11 19:27:42 -07:00
-												CRITICAL FIX: Migrate HAProxy IP blocking from ACL to map files

**Problem Solved:**
- HAProxy ACL 64-word limit caused config parsing failures
- "too many words, truncating after word 64" error
- Complete service outage when >64 IPs were blocked
- Error: "no such ACL : 'is_blocked'" broke all traffic routing

**Solution: HAProxy Map Files (v1.6+)**
- ✅ Unlimited IP addresses (no word limits)
- ✅ Runtime updates without config reloads
- ✅ Better performance (hash table vs linear search)
- ✅ Safer config management with validation & rollback

**Technical Implementation:**

**Map File Integration:**
- `/etc/haproxy/blocked_ips.map` stores all blocked IPs
- `http-request deny status 403 if { src -f /etc/haproxy/blocked_ips.map }`
- Runtime updates: `echo "add map #0 IP" | socat stdio /var/run/haproxy.sock`

**Safety Features Added:**
- `create_backup()` - Automatic config/map backups before changes
- `validate_haproxy_config()` - Config validation before applying
- `restore_backup()` - Automatic rollback on failures
- `reload_haproxy_safely()` - Safe reload with validation pipeline

**Runtime Management:**
- `update_blocked_ips_map()` - Sync database to map file
- `add_ip_to_runtime_map()` - Immediate IP blocking without reload
- `remove_ip_from_runtime_map()` - Immediate IP unblocking

**New API Endpoints:**
- `POST /api/config/reload` - Safe config reload with rollback
- `POST /api/blocked-ips/sync` - Sync database to runtime map

**Template Changes:**
- Replaced ACL method: `acl is_blocked src IP1 IP2...` (64 limit)
- With map method: `http-request deny if { src -f blocked_ips.map }` (unlimited)

**Backwards Compatibility:**
- Existing API endpoints unchanged (GET/POST/DELETE /api/blocked-ips)
- Database schema unchanged
- Automatic migration on first config generation

**Performance Improvements:**
- O(1) hash table lookups vs O(n) linear ACL search
- No config reloads needed for IP changes
- Supports millions of IPs if needed
- Memory efficient external file storage

**Documentation:**
- Complete migration guide in MIGRATION_GUIDE.md
- Updated API documentation with new endpoints
- Runtime management examples
- Troubleshooting guide

**Production Safety:**
- All changes include automatic backup/restore
- Config validation prevents bad deployments
- Runtime updates avoid service interruption
- Comprehensive error logging and monitoring

This fixes the critical production outage caused by ACL word limits
while providing a more scalable and performant IP blocking solution.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

											
										
										
											2025-08-22 08:31:17 -07:00
+								<08>
 								<08><02><04>r<EFBFBD><00>__main__z3Configuration generated successfully before startupz*Failed to generate initial configuration: )<01>Threadcs\ddlm}m<02>|t<03>}d|_|<01>d<04><01>fdd<06><08>}|<01>d<07><01>fdd	<09><08>}|jd
 								dd<0C>d
S)z:Run a separate Flask app on port 8080 for the default pager)rrr
 								r<>cs<tj<01>dd<02>}<00>dtj<01>dd<05>tj<01>dd<07>tj<01>dd	<09>d
-												Fix HAProxy 3.0 compatibility issues in tarpit configuration

- Remove gpc2 from stick-table (not supported in HAProxy 3.0)
- Fix ACL syntax: Change sc_get_gpc0(0) to sc0_get_gpc0
- Fix ACL syntax: Change sc_http_err_rate(0,period) to sc0_http_err_rate(period)
- Fix ACL syntax: Change sc_get_gpc1(0) to sc0_get_gpc1
- Reorder rules to place http-request rules before use_backend rules
- Remove duplicate gpc2 increment rule

These changes ensure compatibility with HAProxy 3.0.11 while maintaining
the tarpit escalation functionality for exploit scanning protection.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

											
										
										
											2025-08-23 18:30:34 -07:00
+								<EFBFBD>Sr<>)rIr<>rr<>r<>rrr<>$r<>z-run_default_page_server.<locals>.default_pagez/blocked-ipcs<00>d<01>dfS)z-Serve the blocked IP page for blocked clientszblocked_ip_page.htmli<6C>rrr<>rr<00>blocked_ip_page/sz0run_default_page_server.<locals>.blocked_ip_page<67>0.0.0.0i<EFBFBD><00><02>hostr<74>N)<07>flaskrr<00>__name__<5F>template_folder<65>router=)r<00>default_appr<70>rprr<>r<00>run_default_page_servers
 								ry)<02>target<65>daemonrqi@rrra)Yr0rIrtrrrrr<00>pathlibrr<<00>jinja2rPr\r<00>loggingr	r+rX<00>tempfileru<00>appr2<00>TEMPLATE_DIRr<52>rZr[r\r1r<>r<>rr<00>basicConfig<69>INFO<46>FileHandler<65>
StreamHandler<65>	getLoggerr'rr/r7r@rZr`<00>FileSystemLoader<65>template_loader<65>Environmentr@rwrlr<>r<>r<>r<>r<>r<>r<>r<>r<>r<>r<>r<>rrr!r'r5r8r;rTr]r_rbrDr/r0r6r<>r(rurxr<00>	threadingrory<00>default_server_thread<61>startr=rrrr<00><module>s<><02><06>
-												Fix HAProxy 2.6 compatibility for default backend

- Replace http-response set-body (HAProxy 2.8+) with local server approach
- Add separate Flask server on port 8080 to serve default page
- Update default backend template to use local server instead of inline HTML
- Maintain all customization features via environment variables
- Fix JavaScript error handling for domains API response

											
										
										
											2025-07-11 19:27:42 -07:00
-												CRITICAL FIX: Migrate HAProxy IP blocking from ACL to map files

**Problem Solved:**
- HAProxy ACL 64-word limit caused config parsing failures
- "too many words, truncating after word 64" error
- Complete service outage when >64 IPs were blocked
- Error: "no such ACL : 'is_blocked'" broke all traffic routing

**Solution: HAProxy Map Files (v1.6+)**
- ✅ Unlimited IP addresses (no word limits)
- ✅ Runtime updates without config reloads
- ✅ Better performance (hash table vs linear search)
- ✅ Safer config management with validation & rollback

**Technical Implementation:**

**Map File Integration:**
- `/etc/haproxy/blocked_ips.map` stores all blocked IPs
- `http-request deny status 403 if { src -f /etc/haproxy/blocked_ips.map }`
- Runtime updates: `echo "add map #0 IP" | socat stdio /var/run/haproxy.sock`

**Safety Features Added:**
- `create_backup()` - Automatic config/map backups before changes
- `validate_haproxy_config()` - Config validation before applying
- `restore_backup()` - Automatic rollback on failures
- `reload_haproxy_safely()` - Safe reload with validation pipeline

**Runtime Management:**
- `update_blocked_ips_map()` - Sync database to map file
- `add_ip_to_runtime_map()` - Immediate IP blocking without reload
- `remove_ip_from_runtime_map()` - Immediate IP unblocking

**New API Endpoints:**
- `POST /api/config/reload` - Safe config reload with rollback
- `POST /api/blocked-ips/sync` - Sync database to runtime map

**Template Changes:**
- Replaced ACL method: `acl is_blocked src IP1 IP2...` (64 limit)
- With map method: `http-request deny if { src -f blocked_ips.map }` (unlimited)

**Backwards Compatibility:**
- Existing API endpoints unchanged (GET/POST/DELETE /api/blocked-ips)
- Database schema unchanged
- Automatic migration on first config generation

**Performance Improvements:**
- O(1) hash table lookups vs O(n) linear ACL search
- No config reloads needed for IP changes
- Supports millions of IPs if needed
- Memory efficient external file storage

**Documentation:**
- Complete migration guide in MIGRATION_GUIDE.md
- Updated API documentation with new endpoints
- Runtime management examples
- Troubleshooting guide

**Production Safety:**
- All changes include automatic backup/restore
- Config validation prevents bad deployments
- Runtime updates avoid service interruption
- Comprehensive error logging and monitoring

This fixes the critical production outage caused by ACL word limits
while providing a more scalable and performant IP blocking solution.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

											
										
										
											2025-08-22 08:31:17 -07:00
-												Fix HAProxy 2.6 compatibility for default backend

- Replace http-response set-body (HAProxy 2.8+) with local server approach
- Add separate Flask server on port 8080 to serve default page
- Update default backend template to use local server instead of inline HTML
- Maintain all customization features via environment variables
- Fix JavaScript error handling for domains API response

											
										
										
											2025-07-11 19:27:42 -07:00
 								 )
-												CRITICAL FIX: Migrate HAProxy IP blocking from ACL to map files

**Problem Solved:**
- HAProxy ACL 64-word limit caused config parsing failures
- "too many words, truncating after word 64" error
- Complete service outage when >64 IPs were blocked
- Error: "no such ACL : 'is_blocked'" broke all traffic routing

**Solution: HAProxy Map Files (v1.6+)**
- ✅ Unlimited IP addresses (no word limits)
- ✅ Runtime updates without config reloads
- ✅ Better performance (hash table vs linear search)
- ✅ Safer config management with validation & rollback

**Technical Implementation:**

**Map File Integration:**
- `/etc/haproxy/blocked_ips.map` stores all blocked IPs
- `http-request deny status 403 if { src -f /etc/haproxy/blocked_ips.map }`
- Runtime updates: `echo "add map #0 IP" | socat stdio /var/run/haproxy.sock`

**Safety Features Added:**
- `create_backup()` - Automatic config/map backups before changes
- `validate_haproxy_config()` - Config validation before applying
- `restore_backup()` - Automatic rollback on failures
- `reload_haproxy_safely()` - Safe reload with validation pipeline

**Runtime Management:**
- `update_blocked_ips_map()` - Sync database to map file
- `add_ip_to_runtime_map()` - Immediate IP blocking without reload
- `remove_ip_from_runtime_map()` - Immediate IP unblocking

**New API Endpoints:**
- `POST /api/config/reload` - Safe config reload with rollback
- `POST /api/blocked-ips/sync` - Sync database to runtime map

**Template Changes:**
- Replaced ACL method: `acl is_blocked src IP1 IP2...` (64 limit)
- With map method: `http-request deny if { src -f blocked_ips.map }` (unlimited)

**Backwards Compatibility:**
- Existing API endpoints unchanged (GET/POST/DELETE /api/blocked-ips)
- Database schema unchanged
- Automatic migration on first config generation

**Performance Improvements:**
- O(1) hash table lookups vs O(n) linear ACL search
- No config reloads needed for IP changes
- Supports millions of IPs if needed
- Memory efficient external file storage

**Documentation:**
- Complete migration guide in MIGRATION_GUIDE.md
- Updated API documentation with new endpoints
- Runtime management examples
- Troubleshooting guide

**Production Safety:**
- All changes include automatic backup/restore
- Config validation prevents bad deployments
- Runtime updates avoid service interruption
- Comprehensive error logging and monitoring

This fixes the critical production outage caused by ACL word limits
while providing a more scalable and performant IP blocking solution.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

											
										
										
											2025-08-22 08:31:17 -07:00
-												Fix HAProxy 3.0 compatibility issues in tarpit configuration

- Remove gpc2 from stick-table (not supported in HAProxy 3.0)
- Fix ACL syntax: Change sc_get_gpc0(0) to sc0_get_gpc0
- Fix ACL syntax: Change sc_http_err_rate(0,period) to sc0_http_err_rate(period)
- Fix ACL syntax: Change sc_get_gpc1(0) to sc0_get_gpc1
- Reorder rules to place http-request rules before use_backend rules
- Remove duplicate gpc2 increment rule

These changes ensure compatibility with HAProxy 3.0.11 while maintaining
the tarpit escalation functionality for exploit scanning protection.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

											
										
										
											2025-08-23 18:30:34 -07:00
+

1722*

D
-												CRITICAL FIX: Migrate HAProxy IP blocking from ACL to map files

**Problem Solved:**
- HAProxy ACL 64-word limit caused config parsing failures
- "too many words, truncating after word 64" error
- Complete service outage when >64 IPs were blocked
- Error: "no such ACL : 'is_blocked'" broke all traffic routing

**Solution: HAProxy Map Files (v1.6+)**
- ✅ Unlimited IP addresses (no word limits)
- ✅ Runtime updates without config reloads
- ✅ Better performance (hash table vs linear search)
- ✅ Safer config management with validation & rollback

**Technical Implementation:**

**Map File Integration:**
- `/etc/haproxy/blocked_ips.map` stores all blocked IPs
- `http-request deny status 403 if { src -f /etc/haproxy/blocked_ips.map }`
- Runtime updates: `echo "add map #0 IP" | socat stdio /var/run/haproxy.sock`

**Safety Features Added:**
- `create_backup()` - Automatic config/map backups before changes
- `validate_haproxy_config()` - Config validation before applying
- `restore_backup()` - Automatic rollback on failures
- `reload_haproxy_safely()` - Safe reload with validation pipeline

**Runtime Management:**
- `update_blocked_ips_map()` - Sync database to map file
- `add_ip_to_runtime_map()` - Immediate IP blocking without reload
- `remove_ip_from_runtime_map()` - Immediate IP unblocking

**New API Endpoints:**
- `POST /api/config/reload` - Safe config reload with rollback
- `POST /api/blocked-ips/sync` - Sync database to runtime map

**Template Changes:**
- Replaced ACL method: `acl is_blocked src IP1 IP2...` (64 limit)
- With map method: `http-request deny if { src -f blocked_ips.map }` (unlimited)

**Backwards Compatibility:**
- Existing API endpoints unchanged (GET/POST/DELETE /api/blocked-ips)
- Database schema unchanged
- Automatic migration on first config generation

**Performance Improvements:**
- O(1) hash table lookups vs O(n) linear ACL search
- No config reloads needed for IP changes
- Supports millions of IPs if needed
- Memory efficient external file storage

**Documentation:**
- Complete migration guide in MIGRATION_GUIDE.md
- Updated API documentation with new endpoints
- Runtime management examples
- Troubleshooting guide

**Production Safety:**
- All changes include automatic backup/restore
- Config validation prevents bad deployments
- Runtime updates avoid service interruption
- Comprehensive error logging and monitoring

This fixes the critical production outage caused by ACL word limits
while providing a more scalable and performant IP blocking solution.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

											
										
										
											2025-08-22 08:31:17 -07:00
+								D<08><02><04>