From 0a09bcb35532a9cbdf9a5ae0bd5640bb68f1bb11 Mon Sep 17 00:00:00 2001
From: Georg Pfuetzenreuter
Date: Apr 08 2024 19:57:20 +0000
Subject: Enable network blacklist on Atlas http frontends
The regular "http" frontend uses a network blacklist file.
- adjust http-misc frontend to use the same blacklist file instead of custom IP addresses
- adjust http-login frontend to use the same blacklist file, but utilizing the X-Forwarded-For header passed from the login proxy
Signed-off-by: Georg Pfuetzenreuter
---
diff --git a/pillar/cluster/atlas/init.sls b/pillar/cluster/atlas/init.sls
index 877ae4f..697f26a 100644
--- a/pillar/cluster/atlas/init.sls
+++ b/pillar/cluster/atlas/init.sls
@@ -58,6 +58,9 @@ haproxy:
 http-login:
 bind: {{ bind(bind_v6_login[host], 443, 'v6only tfo alpn h2,http/1.1 npn h2,http/1.1 ssl crt /etc/ssl/services/') }}
+ httprequests:
+ - deny:
+ - deny_status 429 if annoying_clients
 http-misc:
 bind:
diff --git a/pillar/cluster/atlas/services.sls b/pillar/cluster/atlas/services.sls
index 47726fb..b046e24 100644
--- a/pillar/cluster/atlas/services.sls
+++ b/pillar/cluster/atlas/services.sls
@@ -209,6 +209,7 @@ haproxy:
 http-login:
 acls:
 # daffy1 # daffy2
 - src_login src 2a07:de40:b280:86::11 2a07:de40:b280:86::12
+ - annoying_clients req.hdr_ip(X-Forwarded-For) -f /etc/haproxy/blacklists/networks -n
 - host_dale hdr(host) events.opensuse.org
 - host_dale hdr(host) events-test.opensuse.org
@@ -233,7 +234,7 @@ haproxy:
 http-misc:
 acls:
- - annoying_clients src 47.128.0.0/14 # Amazon EC2
+ - annoying_clients src -f /etc/haproxy/blacklists/networks -n
 - is_ssl dst_port 443
 {%- for host_pagure in ['code', 'pages', 'ev', 'releases'] %}
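Review bot: The `annoying_clients` ACL added to http-login in services.sls keys only on `req.hdr_ip(X-Forwarded-For)` and is not tied to the existing `src_login` ACL, so it only has a meaningful value for requests that arrive through the login proxy; a request reaching this frontend by any other path carries no trusted X-Forwarded-For and is never denied, and the `deny_status 429 if annoying_clients` rule added in the init.sls hunk inherits that gap. Whether the frontend is reachable other than via the login proxy is not visible here, though the `bind` line in init.sls suggests a routable address, and the header value is only as trustworthy as the proxy that appends it. A defensive form is to keep a source-based entry under the same ACL name so either path matches, `- annoying_clients src -f /etc/haproxy/blacklists/networks -n`, and to make the intended occurrence explicit, `- annoying_clients req.hdr_ip(X-Forwarded-For,-1) -f /etc/haproxy/blacklists/networks -n`, so a reader sees that the last (proxy-appended) value is the one checked. The enclosing `acls:` list continues outside the hunk.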
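Review bot: The http-misc hunk removes the inline `47.128.0.0/14 # Amazon EC2` entry without showing it added to `/etc/haproxy/blacklists/networks`; if that file does not already contain the range, this commit silently stops blocking it rather than moving the rule as the message describes. The blacklist file is outside this diff, so this needs confirming rather than assuming. A short comment above the new ACL, `# shared network blacklist, same file as the http frontend`, would also keep the provenance that the removed comment carried.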