I looked everywhere for good Apache2 or Nginx possibilities - no real luck; in general it was old, deprecated or just way too complicated - OR part of an Enterprise (=paid) pack.
Then I stumbled over https://wetmore.ca/ip/ and downloaded the file.
And replaced my trusted long-time friend Apache2 with HAProxy - see also: https://www.haproxy.com/documentation/haproxy-configuration-tutorials/security/traffic-policing/
My HAProxy Docker Compose file:
version: '3.4'
services:
  haproxy:
    image: haproxy
    ports:
      - "80:80"
      - "443:443"
    environment:
      - TZ=Europe/Copenhagen
    volumes:
      # config, certificate and the geo map file all live in /data/haproxy on the host
      - /data/haproxy/:/usr/local/etc/haproxy:ro
A sample of my HAProxy config:
defaults
    timeout connect 30s
    timeout client  1m
    timeout server  1m

frontend port80
    mode http
    bind *:80
    # everything that arrives on plain HTTP is sent to HTTPS
    http-request redirect scheme https unless { ssl_fc }
    default_backend confluence_backend

frontend port443
    bind *:443 ssl crt /usr/local/etc/haproxy/wildcard.mos-eisley.dk.crt
    mode http
    option forwardfor
    option http-server-close
    log global
    option httplog
    maxconn 150
    # look the client address up in the geo map; if it maps to one of the
    # blocked country codes, drop the request without sending any response
    acl acl_geoloc_block src,map_ip(/usr/local/etc/haproxy/haproxy_geo_ip.txt) -m reg -i (CN|RU|IR|KP)
    http-request silent-drop if acl_geoloc_block
    # host-based routing
    acl acl_matomo req.hdr(host) -i matomo.mos-eisley.dk
    use_backend matomo_backend if acl_matomo
    acl acl_plex req.hdr(host) -i camera.mos-eisley.dk
    use_backend plex_backend if acl_plex
    acl acl_slangereden req.hdr(host) -i www.slangereden.dk
    http-request redirect code 301 location https://www.mos-eisley.dk/spaces/slangereden/overview if acl_slangereden
    default_backend confluence_backend

backend confluence_backend
    log global
    mode http
    balance roundrobin
    # Confluence's /status endpoint reports a state of RUNNING when it is up
    option httpchk
    http-check send meth GET uri /status
    http-check expect string RUNNING
    cookie confluence insert indirect nocache
    server confluence 77.243.53.199:8090 check cookie confluence
This blocks (the part of) the address space that the map file attributes to CN (China), RU (Russia), IR (Iran) and KP (North Korea). Two caveats: the block is only as good as the map file (GeoIP data is approximate, and anyone behind a VPN or a proxy in another country walks straight past it), and because the ACL sits in an HTTP frontend the TLS handshake has already completed before silent-drop fires; the same lookup in a tcp-request connection rule would reject those clients before HAProxy spends any CPU on a handshake.
And a short script to update the file (run from /etc/crontab):
#!/bin/bash
# Fetch the current geo map into a scratch directory, keep the previous copy
# as .1 and only swap the new file in if the download succeeded and is non-empty.
cd /data/haproxy || exit 1
cp haproxy_geo_ip.txt haproxy_geo_ip.txt.1
cd /data/haproxy/tmp || exit 1
rm -f haproxy_geo_ip.txt
if wget -q https://wetmore.ca/ip/haproxy_geo_ip.txt
then
    if [ -s haproxy_geo_ip.txt ]
    then
        cp haproxy_geo_ip.txt /data/haproxy
        # HAProxy reads the map file at startup/reload only, so tell it to reload.
        # Assumes the container is named haproxy; adjust to your container name.
        docker kill -s HUP haproxy
    fi
fi
The two if's check that wget exited OK (i.e. got a file) and that the file size is not 0 (zero). The docker kill at the end matters: the map is loaded into memory when HAProxy starts or reloads, so a new file on disk does nothing until the container is sent a HUP.