CRITICAL FIX: Migrate HAProxy IP blocking from ACL to map files

**Problem Solved:**
- HAProxy ACL 64-word limit caused config parsing failures
- "too many words, truncating after word 64" error
- Complete service outage when >64 IPs were blocked
- Error: "no such ACL : 'is_blocked'" broke all traffic routing

**Solution: HAProxy Map Files (v1.6+)**
- ✅ Unlimited IP addresses (no word limits)
- ✅ Runtime updates without config reloads
- ✅ Better performance (hash table vs linear search)
- ✅ Safer config management with validation & rollback

**Technical Implementation:**

**Map File Integration:**
- `/etc/haproxy/blocked_ips.map` stores all blocked IPs
- `http-request deny status 403 if { src -f /etc/haproxy/blocked_ips.map }`
- Runtime updates: `echo "add map #0 IP" | socat stdio /var/run/haproxy.sock`

**Safety Features Added:**
- `create_backup()` - Automatic config/map backups before changes
- `validate_haproxy_config()` - Config validation before applying
- `restore_backup()` - Automatic rollback on failures
- `reload_haproxy_safely()` - Safe reload with validation pipeline

**Runtime Management:**
- `update_blocked_ips_map()` - Sync database to map file
- `add_ip_to_runtime_map()` - Immediate IP blocking without reload
- `remove_ip_from_runtime_map()` - Immediate IP unblocking

**New API Endpoints:**
- `POST /api/config/reload` - Safe config reload with rollback
- `POST /api/blocked-ips/sync` - Sync database to runtime map

**Template Changes:**
- Replaced ACL method: `acl is_blocked src IP1 IP2...` (64 limit)
- With map method: `http-request deny if { src -f blocked_ips.map }` (unlimited)

**Backwards Compatibility:**
- Existing API endpoints unchanged (GET/POST/DELETE /api/blocked-ips)
- Database schema unchanged
- Automatic migration on first config generation

**Performance Improvements:**
- O(1) hash table lookups vs O(n) linear ACL search
- No config reloads needed for IP changes
- Supports millions of IPs if needed
- Memory efficient external file storage

**Documentation:**
- Complete migration guide in MIGRATION_GUIDE.md
- Updated API documentation with new endpoints
- Runtime management examples
- Troubleshooting guide

**Production Safety:**
- All changes include automatic backup/restore
- Config validation prevents bad deployments
- Runtime updates avoid service interruption
- Comprehensive error logging and monitoring

This fixes the critical production outage caused by ACL word limits
while providing a more scalable and performant IP blocking solution.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

IP_BLOCKING_API.md

@@ -10,7 +10,15 @@ The IP blocking feature allows administrators to:
 - View all currently blocked IP addresses
 - Track who blocked an IP and when
 
-When an IP is blocked, visitors from that IP address will see a custom "Access Denied" page instead of the requested website.
+When an IP is blocked, visitors from that IP address will receive a 403 Forbidden response.
+
+## Features
+
+- **Runtime IP blocking**: Changes take effect immediately without HAProxy restarts
+- **Map file based**: No ACL word limits, supports unlimited blocked IPs
+- **Safe configuration management**: Automatic validation and rollback on failures
+- **Runtime map synchronization**: Keep database and HAProxy runtime in sync
+- **Audit logging**: All operations are logged for monitoring and compliance
 
 ## API Endpoints
 
@@ -416,7 +424,86 @@ curl -X DELETE http://localhost:8000/api/blocked-ips \
 ## Notes
 
 - IP blocks are applied globally to all domains managed by HAProxy
-- The blocked IP page is served with HTTP 403 Forbidden status
-- Blocked IPs are persistent across HAProxy restarts (stored in database)
-- HAProxy configuration is automatically regenerated when IPs are blocked/unblocked
-- Consider implementing rate limiting on the API endpoints to prevent abuse
+- Changes take effect immediately without HAProxy restarts (runtime updates)
+- Blocked IPs are persistent across HAProxy restarts (stored in database and map file)
+- Map files support unlimited IPs (no ACL word limit restrictions)
+- Consider implementing rate limiting on the API endpoints to prevent abuse
+
+## New API Endpoints (Map File Era)
+
+### 4. Safe Configuration Reload
+
+Safely reload the HAProxy configuration with validation and automatic rollback.
+
+**Endpoint:** `POST /api/config/reload`
+
+**Response:**
+```json
+{
+    "status": "success",
+    "message": "HAProxy configuration reloaded safely"
+}
+```
+
+**Error Response:**
+```json
+{
+    "status": "error", 
+    "message": "Safe reload failed: Config validation failed: ..."
+}
+```
+
+**Example Request:**
+```bash
+curl -X POST http://localhost:8000/api/config/reload \
+  -H "Authorization: Bearer your-api-key"
+```
+
+### 5. Sync Runtime Map
+
+Synchronize blocked IPs from database to HAProxy runtime map.
+
+**Endpoint:** `POST /api/blocked-ips/sync`
+
+**Response:**
+```json
+{
+    "status": "success",
+    "message": "Synced 150/150 IPs to runtime map",
+    "total_ips": 150,
+    "synced_ips": 150
+}
+```
+
+**Example Request:**
+```bash
+curl -X POST http://localhost:8000/api/blocked-ips/sync \
+  -H "Authorization: Bearer your-api-key"
+```
+
+## Runtime Map Commands
+
+For advanced users, you can interact directly with HAProxy's runtime API:
+
+```bash
+# Add IP to runtime (immediate effect)
+echo "add map #0 192.168.1.100" | socat stdio /var/run/haproxy.sock
+
+# Remove IP from runtime
+echo "del map #0 192.168.1.100" | socat stdio /var/run/haproxy.sock
+
+# Clear all blocked IPs from runtime
+echo "clear map #0" | socat stdio /var/run/haproxy.sock
+
+# Show all runtime map entries
+echo "show map #0" | socat stdio /var/run/haproxy.sock
+```
+
+## Migration from ACL Method
+
+If you're upgrading from the old ACL-based method:
+
+1. **Automatic**: Just update the HAProxy Manager code - it will automatically migrate
+2. **Validation**: The new system includes automatic config validation and rollback
+3. **No Downtime**: Runtime updates mean no service interruptions
+4. **Scalable**: No more 64 IP limit - handle thousands of blocked IPs