feat: implement geoblocking

vegaprotocol · Nov 15, 2024 · ea84f30 · ea84f30
1 parent 68e7bc4
commit ea84f30
Show file tree

Hide file tree

Showing 6 changed files with 34 additions and 3 deletions.
diff --git a/roles/vega_caddy_server/README.md b/roles/vega_caddy_server/README.md
@@ -0,0 +1 @@
+# Vega Caddy Server ansible role
diff --git a/roles/vega_caddy_server/defaults/main.yaml b/roles/vega_caddy_server/defaults/main.yaml
@@ -28,3 +28,7 @@ vega_caddy_server_api_lb_upstreams: []
 vega_caddy_server_with_block_explorer_lb: false
 vega_caddy_server_block_explorer_lb_domains: []
 vega_caddy_server_block_explorer_lb_upstreams: []
+
+# Space separated list of countries e.g: "PA PL UK US"
+vega_caddy_server_geoblocking_enabled: false
+vega_caddy_server_geoblocking_countries: "UK PA"
diff --git a/roles/vega_caddy_server/tasks/install-caddy.yaml b/roles/vega_caddy_server/tasks/install-caddy.yaml
@@ -62,7 +62,7 @@
     xcaddy build {{ vega_caddy_server_caddy_version }} \
       --output /usr/bin/caddy \
       --with github.com/caddyserver/replace-response \
-      --with github.com/shift72/caddy
+      --with github.com/shift72/caddy-geo-ip
   when: (caddy_version.rc != 0) or (not vega_caddy_server_caddy_version in caddy_version.stdout)
   changed_when: (caddy_version.rc != 0) or (not vega_caddy_server_caddy_version in caddy_version.stdout)
   notify: "Restart caddy"

diff --git a/roles/vega_caddy_server/templates/etc/caddy/Caddyfile.j2 b/roles/vega_caddy_server/templates/etc/caddy/Caddyfile.j2
@@ -10,6 +10,7 @@
         servers {
                 metrics
         }
+        order geo_ip first
 }
 
 (cors) {
@@ -29,6 +30,24 @@
         header @origin Vary Origin
 }
 
-
+(geoblocking) {
+  geo_ip {
+    reload_frequency 3h
+    db_path /etc/caddy/GeoLite2-Country.mmdb
+    trust_header X-Real-IP
+  }
+
+   @blockedCountries {
+     maxmind_geolocation {
+        db_path /etc/caddy/GeoLite2-Country.mmdb
+        # We have allow countries because We want to return static pages to the following countries
+        allow_countries {{ vega_caddy_server_geoblocking_countries }}
+     }
+  }
+
+   handle @blockedCountries {
+    respond "Sorry, page not available in this country \{geoip.country_code\} {http.request.remote.host} !!!" 401
+  }
+}
 
 import /etc/caddy/sites/*.caddy
diff --git a/roles/vega_caddy_server/templates/etc/caddy/sites/governance-ui.caddy.j2 b/roles/vega_caddy_server/templates/etc/caddy/sites/governance-ui.caddy.j2
@@ -2,6 +2,10 @@
     root * /var/www/governance
     encode gzip
 
+    {% if vega_caddy_server_geoblocking_enabled|default(false) %}
+    import geoblocking
+    {% endif %}
+
     file_server {
         hide .git
         index index.html

diff --git a/roles/vega_caddy_server/templates/etc/caddy/sites/trading-ui.caddy.j2 b/roles/vega_caddy_server/templates/etc/caddy/sites/trading-ui.caddy.j2
@@ -2,6 +2,10 @@
     root * /var/www/trading
     encode gzip
 
+    {% if vega_caddy_server_geoblocking_enabled|default(false) %}
+    import geoblocking
+    {% endif %}
+
     file_server {
         hide .git
         index index.html
@@ -12,7 +16,6 @@
         import cors *
     }
 
-
     handle_errors {
         rewrite * /index.html
         file_server