From 608f9f95201b0dd6e715485ab3416ffdc42f617b Mon Sep 17 00:00:00 2001
From: Christian Boltz
Date: Apr 08 2024 20:07:26 +0000
Subject: Merge branch 'crameleon/atlas-ban' into 'production'
Enable network blacklist on Atlas http frontends
See merge request infra/salt!1683
---
diff --git a/pillar/cluster/atlas/init.sls b/pillar/cluster/atlas/init.sls
index 877ae4f..697f26a 100644
--- a/pillar/cluster/atlas/init.sls
+++ b/pillar/cluster/atlas/init.sls
@@ -58,6 +58,9 @@ haproxy:
 http-login:
 bind: {{ bind(bind_v6_login[host], 443, 'v6only tfo alpn h2,http/1.1 npn h2,http/1.1 ssl crt /etc/ssl/services/') }}
+ httprequests:
+ - deny:
+ - deny_status 429 if annoying_clients
 http-misc:
 bind:
diff --git a/pillar/cluster/atlas/services.sls b/pillar/cluster/atlas/services.sls
index 47726fb..b046e24 100644
--- a/pillar/cluster/atlas/services.sls
+++ b/pillar/cluster/atlas/services.sls
@@ -209,6 +209,7 @@ haproxy:
 http-login:
 acls:
 # daffy1 # daffy2
 - src_login src 2a07:de40:b280:86::11 2a07:de40:b280:86::12
+ - annoying_clients req.hdr_ip(X-Forwarded-For) -f /etc/haproxy/blacklists/networks -n
 - host_dale hdr(host) events.opensuse.org
 - host_dale hdr(host) events-test.opensuse.org
@@ -233,7 +234,7 @@ haproxy:
 http-misc:
 acls:
- - annoying_clients src 47.128.0.0/14 # Amazon EC2
+ - annoying_clients src -f /etc/haproxy/blacklists/networks -n
 - is_ssl dst_port 443
 {%- for host_pagure in ['code', 'pages', 'ev', 'releases'] %}
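Review bot: The new `deny_status 429 if annoying_clients` rule on http-login carries no comment, and the `annoying_clients` ACL it depends on lives in a different pillar file (services.sls), where for this frontend it is matched on `req.hdr_ip(X-Forwarded-For)` rather than on `src`, so a reader of init.sls cannot tell what is being denied or why 429 rather than 403 was chosen. Suggest a one-line comment above the `httprequests:` key such as `# deny clients listed in /etc/haproxy/blacklists/networks (ACL annoying_clients, defined in services.sls)`. If any monitoring or alerting keys on 429 as a rate-limit signal, it is worth confirming that these blacklist denials do not get counted as such; that is an inference from the status code, not visible here.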
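Review bot: The added `annoying_clients` ACL for http-login matches `req.hdr_ip(X-Forwarded-For)`, a header the requesting client can supply itself, so unless every request reaching this frontend arrives through a trusted proxy that overwrites (rather than appends to) X-Forwarded-For, a listed address can present a different value in that header and the deny added in init.sls will not fire for it. If the frontend is in fact only reachable through such a proxy, a comment recording that assumption is sufficient, e.g. `# X-Forwarded-For is trusted on http-login: traffic only arrives via <UPSTREAM-PROXY>` with the placeholder replaced by the actual component; otherwise the deny condition in init.sls should additionally require the connection to come from that proxy, e.g. `deny_status 429 if annoying_clients from_trusted_proxy` with a matching `src` ACL here. This hunk and the http-misc hunk below both load `/etc/haproxy/blacklists/networks`; haproxy will refuse to start if that file is missing on the host, so the file should be managed by the same state run (presumably elsewhere in this merge request, not visible here).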
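Review bot: The removed line held the only documentation of what the blacklist contained (`# Amazon EC2` beside 47.128.0.0/14); with the networks moved into `/etc/haproxy/blacklists/networks` that provenance is lost from the pillar and should move with the data. HAProxy pattern files loaded with `-f` ignore lines starting with `#`, so the origin of each network can be annotated inline in that file, and a short pointer here keeps the pillar self-explanatory: `- annoying_clients src -f /etc/haproxy/blacklists/networks -n  # one network per line; origin of each entry is commented in the file`.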