cloud-hosting-platform/haproxy-manager-base
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add CIDR notation support for IP blocking
All checks were successful
HAProxy Manager Build and Push / Build-and-Push (push) Successful in 2m1s
Details

Browse Source 
- Update map file format to include value (IP/CIDR 1)
- Fix HAProxy template to use map_ip() for CIDR support
- Update runtime map commands to include value
- Document CIDR range blocking in API documentation
- Support blocking entire network ranges (e.g., 192.168.1.0/24)

This allows blocking compromised ISP ranges and other large-scale attacks.
This commit is contained in:
Josh Knapp
2025-11-17 12:07:32 -08:00
parent 8d732318b4
commit 71f4b9ef05
3 changed files with 50 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
templates/hap_listener.tpl
View File

@@ -17,8 +17,10 @@ frontend web
http-request set-var(txn.real_ip) src if !has_cf_connecting_ip !has_x_real_ip !has_x_forwarded_for
# IP blocking using map file (manual blocks only)
# Map file: /etc/haproxy/blocked_ips.map
# Runtime updates: echo "add map #0 IP_ADDRESS" | socat stdio /var/run/haproxy.sock
# Map file format: /etc/haproxy/blocked_ips.map contains "<ip_or_cidr> 1" per line
# Runtime updates: echo "add map #0 IP_ADDRESS 1" | socat stdio /var/run/haproxy.sock
# Checks the real client IP (from headers if present, otherwise src)
http-request set-path /blocked-ip if { var(txn.real_ip) -m ip -f /etc/haproxy/blocked_ips.map }
use_backend default-backend if { var(txn.real_ip) -m ip -f /etc/haproxy/blocked_ips.map }
# map_ip() converter supports both single IPs and CIDR ranges (e.g., 192.168.1.0/24)
acl is_blocked_ip var(txn.real_ip),map_ip(/etc/haproxy/blocked_ips.map,0) -m int gt 0
http-request set-path /blocked-ip if is_blocked_ip
use_backend default-backend if is_blocked_ip