99435ee3e0
Fix HAProxy 3.0 compatibility issues in tarpit configuration
...
HAProxy Manager Build and Push / Build-and-Push (push) Successful in 50s
- Remove gpc2 from stick-table (not supported in HAProxy 3.0)
- Fix ACL syntax: Change sc_get_gpc0(0) to sc0_get_gpc0
- Fix ACL syntax: Change sc_http_err_rate(0,period) to sc0_http_err_rate(period)
- Fix ACL syntax: Change sc_get_gpc1(0) to sc0_get_gpc1
- Reorder rules to place http-request rules before use_backend rules
- Remove duplicate gpc2 increment rule
These changes ensure compatibility with HAProxy 3.0.11 while maintaining
the tarpit escalation functionality for exploit scanning protection.
🤖 Generated with [Claude Code](https://claude.ai/code )
Co-Authored-By: Claude <noreply@anthropic.com >
2025-08-23 18:30:34 -07:00
7869b81f27
CRITICAL FIX: Migrate HAProxy IP blocking from ACL to map files
...
HAProxy Manager Build and Push / Build-and-Push (push) Successful in 51s
**Problem Solved:**
- HAProxy ACL 64-word limit caused config parsing failures
- "too many words, truncating after word 64" error
- Complete service outage when >64 IPs were blocked
- Error: "no such ACL : 'is_blocked'" broke all traffic routing
**Solution: HAProxy Map Files (v1.6+)**
- ✅ Unlimited IP addresses (no word limits)
- ✅ Runtime updates without config reloads
- ✅ Better performance (hash table vs linear search)
- ✅ Safer config management with validation & rollback
**Technical Implementation:**
**Map File Integration:**
- `/etc/haproxy/blocked_ips.map` stores all blocked IPs
- `http-request deny status 403 if { src -f /etc/haproxy/blocked_ips.map }`
- Runtime updates: `echo "add map #0 IP" | socat stdio /var/run/haproxy.sock`
**Safety Features Added:**
- `create_backup()` - Automatic config/map backups before changes
- `validate_haproxy_config()` - Config validation before applying
- `restore_backup()` - Automatic rollback on failures
- `reload_haproxy_safely()` - Safe reload with validation pipeline
**Runtime Management:**
- `update_blocked_ips_map()` - Sync database to map file
- `add_ip_to_runtime_map()` - Immediate IP blocking without reload
- `remove_ip_from_runtime_map()` - Immediate IP unblocking
**New API Endpoints:**
- `POST /api/config/reload` - Safe config reload with rollback
- `POST /api/blocked-ips/sync` - Sync database to runtime map
**Template Changes:**
- Replaced ACL method: `acl is_blocked src IP1 IP2...` (64 limit)
- With map method: `http-request deny if { src -f blocked_ips.map }` (unlimited)
**Backwards Compatibility:**
- Existing API endpoints unchanged (GET/POST/DELETE /api/blocked-ips)
- Database schema unchanged
- Automatic migration on first config generation
**Performance Improvements:**
- O(1) hash table lookups vs O(n) linear ACL search
- No config reloads needed for IP changes
- Supports millions of IPs if needed
- Memory efficient external file storage
**Documentation:**
- Complete migration guide in MIGRATION_GUIDE.md
- Updated API documentation with new endpoints
- Runtime management examples
- Troubleshooting guide
**Production Safety:**
- All changes include automatic backup/restore
- Config validation prevents bad deployments
- Runtime updates avoid service interruption
- Comprehensive error logging and monitoring
This fixes the critical production outage caused by ACL word limits
while providing a more scalable and performant IP blocking solution.
🤖 Generated with [Claude Code](https://claude.ai/code )
Co-Authored-By: Claude <noreply@anthropic.com >
2025-08-22 08:31:17 -07:00
fac6cef0db
Fix HAProxy 2.6 compatibility for default backend
...
HAProxy Manager Build and Push / Build-and-Push (push) Successful in 37s
- Replace http-response set-body (HAProxy 2.8+) with local server approach
- Add separate Flask server on port 8080 to serve default page
- Update default backend template to use local server instead of inline HTML
- Maintain all customization features via environment variables
- Fix JavaScript error handling for domains API response
2025-07-11 19:27:42 -07:00
