cloud-hosting-platform/haproxy-manager-base
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add safeguards to prevent false positive blocking
All checks were successful
HAProxy Manager Build and Push / Build-and-Push (push) Successful in 52s
Details

Browse Source 
- Handle common missing files (favicon.ico, robots.txt) without counting as errors
- Return 404 directly from frontend for these files (bypasses backend counting)
- Add clear-ip.sh script to remove specific IPs from stick-table
- Keep trusted networks whitelist for local/private IPs

This prevents legitimate users from being blocked due to browser
requests for common files that don't exist.

Usage: ./scripts/clear-ip.sh <IP_ADDRESS>

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
jknapp
2025-08-25 11:09:57 -07:00
parent e54b4b4afe
commit 6a4379c4a1
2 changed files with 53 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

49
scripts/clear-ip.sh Executable file
View File

@@ -0,0 +1,49 @@
#!/bin/bash
# Script to clear a specific IP from HAProxy stick-table
# Usage: ./clear-ip.sh <IP_ADDRESS>
if [ $# -ne 1 ]; then
echo "Usage: $0 <IP_ADDRESS>"
echo "Example: $0 192.168.1.100"
exit 1
fi
IP="$1"
SOCKET="/tmp/haproxy-cli"
# Check if socket exists
if [ ! -S "$SOCKET" ]; then
echo "Error: HAProxy socket not found at $SOCKET"
exit 1
fi
# Get worker process ID
PROCESS_ID=$(echo "show proc" | socat stdio "$SOCKET" 2>/dev/null | grep -E '^[0-9]+.*worker' | awk '{print $1}' | head -1)
if [ -z "$PROCESS_ID" ]; then
echo "Error: Could not find HAProxy worker process"
exit 1
fi
echo "Clearing IP $IP from stick-table..."
# Clear the IP from the table
printf "@!%s del table web key %s\n" "${PROCESS_ID}" "${IP}" | socat stdio "$SOCKET" 2>/dev/null
if [ $? -eq 0 ]; then
echo "Successfully cleared $IP from the stick-table"
else
echo "Failed to clear $IP (may not exist in table)"
fi
# Verify it's gone
echo
echo "Checking if IP is still in table..."
printf "@!%s show table web\n" "${PROCESS_ID}" | socat stdio "$SOCKET" 2>/dev/null | grep "key=$IP" > /dev/null
if [ $? -eq 0 ]; then
echo "Warning: IP $IP is still in the table"
else
echo "Confirmed: IP $IP has been removed"
fi

4
templates/hap_listener.tpl
View File

@@ -12,10 +12,14 @@ frontend web
# Whitelist trusted networks and monitoring systems # Whitelist trusted networks and monitoring systems
acl trusted_networks src 127.0.0.1 192.168.0.0/16 10.0.0.0/8 172.16.0.0/12 acl trusted_networks src 127.0.0.1 192.168.0.0/16 10.0.0.0/8 172.16.0.0/12
acl health_check path_beg /health /ping /status /.well-known/ acl health_check path_beg /health /ping /status /.well-known/
acl common_missing path /favicon.ico /robots.txt /sitemap.xml /apple-touch-icon.png
# Allow trusted traffic to bypass all protection # Allow trusted traffic to bypass all protection
http-request allow if trusted_networks or health_check http-request allow if trusted_networks or health_check
# Don't count common missing files against the error count
http-request return status 404 if common_missing
# Detect real client IP from proxy headers if they exist # Detect real client IP from proxy headers if they exist
# Priority: CF-Connecting-IP (Cloudflare) > X-Real-IP > X-Forwarded-For > src # Priority: CF-Connecting-IP (Cloudflare) > X-Real-IP > X-Forwarded-For > src
acl has_cf_connecting_ip req.hdr(CF-Connecting-IP) -m found acl has_cf_connecting_ip req.hdr(CF-Connecting-IP) -m found