From d5a36910d2f146902aef59a0e22980a29360d53a Mon Sep 17 00:00:00 2001
From: jknapp
Date: Fri, 22 Aug 2025 09:11:10 -0700
Subject: [PATCH] Fix HAProxy configuration issues and add blocked backend
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
**Problems Fixed:**
- Remove invalid 'http-request set-status' directive (not supported in HAProxy 3.0.11)
- Replace with proper blocked backend using 'http-request return'
- Add blocked backend template for serving blocked page with 403 status
**Changes Made:**
- Create hap_blocked_backend.tpl template for blocked IPs
- Update hap_listener.tpl to use blocked-backend instead of invalid status setting
- Modify haproxy_manager.py to include blocked backend in config generation
- Add blocked_ip_page.html copying to HAProxy directory during config generation
**Technical Details:**
- HAProxy 3.0.11 doesn't support 'http-request set-status' directive
- Use 'http-request return status 403 content-type text/html file' instead
- Blocked IPs now get proper 403 status with custom HTML page
- Configuration validation should now pass without errors
**Testing:**
- HAProxy configuration validation should succeed
- Blocked IPs should see custom page with 403 status
- All existing functionality maintained
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude
---
 haproxy_manager.py | 26 ++++++++++++++++++++++++++
 templates/hap_blocked_backend.tpl | 11 +++++++++++
 templates/hap_listener.tpl | 3 +--
3 files changed, 38 insertions(+), 2 deletions(-)
create mode 100644 templates/hap_blocked_backend.tpl
diff --git a/haproxy_manager.py b/haproxy_manager.py
index 4cb5f65..8b5ee2e 100644
--- a/haproxy_manager.py
+++ b/haproxy_manager.py
@@ -984,6 +984,20 @@ backend default-backend
 option http-server-close
 server default-page 127.0.0.1:8080'''
 config_parts.append(fallback_backend)
+
+ # Add Blocked Backend
+ try:
+ blocked_backend = template_env.get_template('hap_blocked_backend.tpl').render()
+ config_parts.append(blocked_backend)
+ except Exception as e:
+ logger.error(f"Error generating blocked backend: {e}")
+ # Fallback to a simple blocked backend
+ fallback_blocked_backend = '''# Backend for blocked IPs
+backend blocked-backend
+ mode http
+ http-request return status 403 content-type text/html file /etc/haproxy/blocked_ip_page.html'''
+ config_parts.append(fallback_blocked_backend)
+
 # Add Backends
 config_parts.append('\n' .join(config_backends) + '\n')
 # Write complete configuration to tmp
@@ -991,6 +1005,18 @@ backend default-backend
 config_content = '\n'.join(config_parts)
 logger.debug("Generated HAProxy configuration")
+
+ # Copy blocked IP page HTML to HAProxy directory
+ try:
+ blocked_html_source = os.path.join(TEMPLATE_DIR, 'blocked_ip_page.html')
+ blocked_html_dest = '/etc/haproxy/blocked_ip_page.html'
+ if os.path.exists(blocked_html_source):
+ shutil.copy2(blocked_html_source, blocked_html_dest)
+ logger.debug("Blocked IP page HTML copied to HAProxy directory")
+ else:
+ logger.warning(f"Blocked IP page HTML not found at {blocked_html_source}")
+ except Exception as e:
+ logger.error(f"Failed to copy blocked IP page HTML: {e}")
 # Write complete configuration to tmp
 # Write new configuration to file
diff --git a/templates/hap_blocked_backend.tpl b/templates/hap_blocked_backend.tpl
new file mode 100644
index 0000000..382bd97
--- /dev/null
+++ b/templates/hap_blocked_backend.tpl
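Review bot: Both the fallback string in this hunk and the new template hard-code `/etc/haproxy/blocked_ip_page.html`, while the only thing that provides that file is the best-effort copy in the next hunk; when that copy fails or the source under TEMPLATE_DIR is missing, the second hunk merely logs and generation continues, so the emitted configuration references a file HAProxy cannot open and, because the `file` form of `http-request return` is resolved at parse time, the whole configuration fails to load instead of degrading to a plain 403. Keep the path in one module-level constant that the fallback string, the copy step and the template (passed through `render()`) all use, and when the page cannot be provided emit `http-request return status 403 content-type text/plain string "Forbidden"` rather than the file reference. The `except Exception` around the template render should also record the traceback with `logger.exception(...)` so the cause of a fallback is not lost. The enclosing function starts and ends outside both hunks.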
@@ -0,0 +1,11 @@
+# Backend for blocked IPs - serves blocked page with 403 status
+backend blocked-backend
+ mode http
+ option http-server-close
+ http-request set-header X-Forwarded-Proto https if { ssl_fc }
+ http-request set-header X-Forwarded-Port %[dst_port]
+ http-request set-header X-Forwarded-For %[src]
+ http-request set-header X-Real-IP %[src]
+
+ # Return 403 Forbidden for blocked IPs
+ http-request return status 403 content-type text/html file /etc/haproxy/blocked_ip_page.html
\ No newline at end of file
diff --git a/templates/hap_listener.tpl b/templates/hap_listener.tpl
index 1276a04..61c2b3e 100644
--- a/templates/hap_listener.tpl
+++ b/templates/hap_listener.tpl
@@ -8,5 +8,4 @@ frontend web
 # Map file: /etc/haproxy/blocked_ips.map
 # Runtime updates: echo "add map #0 IP_ADDRESS" | socat stdio /var/run/haproxy.sock
 http-request set-path /blocked-ip if { src -f /etc/haproxy/blocked_ips.map }
- http-request set-status 403 if { src -f /etc/haproxy/blocked_ips.map }
- use_backend default-backend if { src -f /etc/haproxy/blocked_ips.map }
+ use_backend blocked-backend if { src -f /etc/haproxy/blocked_ips.map }
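Review bot: The four `http-request set-header X-Forwarded-*` / `X-Real-IP` lines in the new backend never reach anything: the backend has no `server` line and `http-request return` answers the request itself, so they are dead configuration carried over from a proxying backend, and `option http-server-close` is likewise irrelevant here. Reducing the template to `backend blocked-backend`, `mode http` and the `return` rule leaves exactly what the fallback string in haproxy_manager.py emits, so the two definitions stop diverging. It is also worth a comment above the `return` line noting that the referenced HTML file must exist when the configuration is parsed, since a missing file prevents HAProxy from loading at all.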
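Review bot: The retained `http-request set-path /blocked-ip` line directly above the changed `use_backend` now has no consumer that is visible here: blocked-backend returns the 403 page for every request regardless of path, so unless the rewritten path is relied on for logging the rewrite is dead and the map is consulted twice per request. Consider dropping it, or declaring the condition once with `acl blocked_src src -f /etc/haproxy/blocked_ips.map` and using `use_backend blocked-backend if blocked_src`, which keeps a single place to adjust if the map path changes. The `frontend web` section starts outside the hunk.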