Fix HAProxy configuration issues and add blocked backend

**Problems Fixed:**
- Remove invalid 'http-request set-status' directive (not supported in HAProxy 3.0.11)
- Replace with proper blocked backend using 'http-request return'
- Add blocked backend template for serving blocked page with 403 status

**Changes Made:**
- Create hap_blocked_backend.tpl template for blocked IPs
- Update hap_listener.tpl to use blocked-backend instead of invalid status setting
- Modify haproxy_manager.py to include blocked backend in config generation
- Add blocked_ip_page.html copying to HAProxy directory during config generation

**Technical Details:**
- HAProxy 3.0.11 doesn't support 'http-request set-status' directive
- Use 'http-request return status 403 content-type text/html file' instead
- Blocked IPs now get proper 403 status with custom HTML page
- Configuration validation should now pass without errors

**Testing:**
- HAProxy configuration validation should succeed
- Blocked IPs should see custom page with 403 status
- All existing functionality maintained

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

haproxy_manager.py

@@ -984,6 +984,20 @@ backend default-backend
     option http-server-close
     server default-page 127.0.0.1:8080'''
             config_parts.append(fallback_backend)
+        
+        # Add Blocked Backend
+        try:
+            blocked_backend = template_env.get_template('hap_blocked_backend.tpl').render()
+            config_parts.append(blocked_backend)
+        except Exception as e:
+            logger.error(f"Error generating blocked backend: {e}")
+            # Fallback to a simple blocked backend
+            fallback_blocked_backend = '''# Backend for blocked IPs
+backend blocked-backend
+    mode http
+    http-request return status 403 content-type text/html file /etc/haproxy/blocked_ip_page.html'''
+            config_parts.append(fallback_blocked_backend)
+        
         # Add Backends
         config_parts.append('\n' .join(config_backends) + '\n')
         # Write complete configuration to tmp
@@ -991,6 +1005,18 @@ backend default-backend
 
         config_content = '\n'.join(config_parts)
         logger.debug("Generated HAProxy configuration")
+        
+        # Copy blocked IP page HTML to HAProxy directory
+        try:
+            blocked_html_source = os.path.join(TEMPLATE_DIR, 'blocked_ip_page.html')
+            blocked_html_dest = '/etc/haproxy/blocked_ip_page.html'
+            if os.path.exists(blocked_html_source):
+                shutil.copy2(blocked_html_source, blocked_html_dest)
+                logger.debug("Blocked IP page HTML copied to HAProxy directory")
+            else:
+                logger.warning(f"Blocked IP page HTML not found at {blocked_html_source}")
+        except Exception as e:
+            logger.error(f"Failed to copy blocked IP page HTML: {e}")
 
         # Write complete configuration to tmp
         # Write new configuration to file

templates/hap_blocked_backend.tpl

@@ -0,0 +1,11 @@
+# Backend for blocked IPs - serves blocked page with 403 status
+backend blocked-backend
+    mode http
+    option http-server-close
+    http-request set-header X-Forwarded-Proto https if { ssl_fc }
+    http-request set-header X-Forwarded-Port %[dst_port]
+    http-request set-header X-Forwarded-For %[src]
+    http-request set-header X-Real-IP %[src]
+    
+    # Return 403 Forbidden for blocked IPs
+    http-request return status 403 content-type text/html file /etc/haproxy/blocked_ip_page.html

templates/hap_listener.tpl

@@ -8,5 +8,4 @@ frontend web
     # Map file: /etc/haproxy/blocked_ips.map
     # Runtime updates: echo "add map #0 IP_ADDRESS" | socat stdio /var/run/haproxy.sock
     http-request set-path /blocked-ip if { src -f /etc/haproxy/blocked_ips.map }
-    http-request set-status 403 if { src -f /etc/haproxy/blocked_ips.map }
+    use_backend blocked-backend if { src -f /etc/haproxy/blocked_ips.map }
-    use_backend default-backend if { src -f /etc/haproxy/blocked_ips.map }