Add safeguards to prevent false positive blocking
All checks were successful
HAProxy Manager Build and Push / Build-and-Push (push) Successful in 52s
All checks were successful
HAProxy Manager Build and Push / Build-and-Push (push) Successful in 52s
- Handle common missing files (favicon.ico, robots.txt) without counting as errors - Return 404 directly from frontend for these files (bypasses backend counting) - Add clear-ip.sh script to remove specific IPs from stick-table - Keep trusted networks whitelist for local/private IPs This prevents legitimate users from being blocked due to browser requests for common files that don't exist. Usage: ./scripts/clear-ip.sh <IP_ADDRESS> 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
49
scripts/clear-ip.sh
Executable file
49
scripts/clear-ip.sh
Executable file
@@ -0,0 +1,49 @@
|
||||
#!/bin/bash
|
||||
|
||||
# Script to clear a specific IP from HAProxy stick-table
|
||||
# Usage: ./clear-ip.sh <IP_ADDRESS>
|
||||
|
||||
if [ $# -ne 1 ]; then
|
||||
echo "Usage: $0 <IP_ADDRESS>"
|
||||
echo "Example: $0 192.168.1.100"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
IP="$1"
|
||||
SOCKET="/tmp/haproxy-cli"
|
||||
|
||||
# Check if socket exists
|
||||
if [ ! -S "$SOCKET" ]; then
|
||||
echo "Error: HAProxy socket not found at $SOCKET"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Get worker process ID
|
||||
PROCESS_ID=$(echo "show proc" | socat stdio "$SOCKET" 2>/dev/null | grep -E '^[0-9]+.*worker' | awk '{print $1}' | head -1)
|
||||
|
||||
if [ -z "$PROCESS_ID" ]; then
|
||||
echo "Error: Could not find HAProxy worker process"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
echo "Clearing IP $IP from stick-table..."
|
||||
|
||||
# Clear the IP from the table
|
||||
printf "@!%s del table web key %s\n" "${PROCESS_ID}" "${IP}" | socat stdio "$SOCKET" 2>/dev/null
|
||||
|
||||
if [ $? -eq 0 ]; then
|
||||
echo "Successfully cleared $IP from the stick-table"
|
||||
else
|
||||
echo "Failed to clear $IP (may not exist in table)"
|
||||
fi
|
||||
|
||||
# Verify it's gone
|
||||
echo
|
||||
echo "Checking if IP is still in table..."
|
||||
printf "@!%s show table web\n" "${PROCESS_ID}" | socat stdio "$SOCKET" 2>/dev/null | grep "key=$IP" > /dev/null
|
||||
|
||||
if [ $? -eq 0 ]; then
|
||||
echo "Warning: IP $IP is still in the table"
|
||||
else
|
||||
echo "Confirmed: IP $IP has been removed"
|
||||
fi
|
||||
@@ -12,10 +12,14 @@ frontend web
|
||||
# Whitelist trusted networks and monitoring systems
|
||||
acl trusted_networks src 127.0.0.1 192.168.0.0/16 10.0.0.0/8 172.16.0.0/12
|
||||
acl health_check path_beg /health /ping /status /.well-known/
|
||||
acl common_missing path /favicon.ico /robots.txt /sitemap.xml /apple-touch-icon.png
|
||||
|
||||
# Allow trusted traffic to bypass all protection
|
||||
http-request allow if trusted_networks or health_check
|
||||
|
||||
# Don't count common missing files against the error count
|
||||
http-request return status 404 if common_missing
|
||||
|
||||
# Detect real client IP from proxy headers if they exist
|
||||
# Priority: CF-Connecting-IP (Cloudflare) > X-Real-IP > X-Forwarded-For > src
|
||||
acl has_cf_connecting_ip req.hdr(CF-Connecting-IP) -m found
|
||||
|
||||
Reference in New Issue
Block a user