Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Geoblocking #28

Merged
merged 4 commits into from
Nov 15, 2024
Merged

Geoblocking #28

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
fc67a8f
feat: implement geoblocking
ehh-why-its-so-hard Nov 15, 2024
8a686a3
feat: add geolitle2 country maxmind db
ehh-why-its-so-hard Nov 15, 2024
963909c
feat: move maxmind db to files instead of tmpl in caddy role
ehh-why-its-so-hard Nov 15, 2024
37b061b
fix: ansible linting
ehh-why-its-so-hard Nov 15, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions roles/vega_caddy_server/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
# Vega Caddy Server ansible role
10 changes: 7 additions & 3 deletions roles/vega_caddy_server/defaults/main.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,5 @@
---
vega_caddy_server_caddyfile_file_name: ""
vega_caddy_server_node_home: "/home/vega"

vega_caddy_server_enforce_rebuild: false
vega_caddy_server_xcaddy_version: 0.4.2
vega_caddy_server_caddy_version: v2.8.4

Expand All @@ -28,3 +26,9 @@ vega_caddy_server_api_lb_upstreams: []
vega_caddy_server_with_block_explorer_lb: false
vega_caddy_server_block_explorer_lb_domains: []
vega_caddy_server_block_explorer_lb_upstreams: []

# Space separated list of countries e.g: "PA PL GB US"
# for more information see ISO-3166 alpha2 at
# http://www.geonames.org/countries/
vega_caddy_server_geoblocking_enabled: false
vega_caddy_server_geoblocking_countries: "GB PA"
Binary file added roles/vega_caddy_server/files/etc/caddy/GeoLite2-Country.mmdb
View file
Open in desktop
Binary file not shown.
5 changes: 3 additions & 2 deletions roles/vega_caddy_server/tasks/install-caddy.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -62,8 +62,9 @@
xcaddy build {{ vega_caddy_server_caddy_version }} \
--output /usr/bin/caddy \
--with github.com/caddyserver/replace-response \
--with github.com/shift72/caddy
when: (caddy_version.rc != 0) or (not vega_caddy_server_caddy_version in caddy_version.stdout)
--with github.com/porech/caddy-maxmind-geolocation \
--with github.com/shift72/caddy-geo-ip
when: (caddy_version.rc != 0) or (not vega_caddy_server_caddy_version in caddy_version.stdout or vega_caddy_server_enforce_rebuild)
changed_when: (caddy_version.rc != 0) or (not vega_caddy_server_caddy_version in caddy_version.stdout)
notify: "Restart caddy"

Expand Down
13 changes: 13 additions & 0 deletions roles/vega_caddy_server/tasks/main.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -101,3 +101,16 @@
mode: "0644"
when: vega_caddy_server_with_block_explorer_lb and vega_caddy_server_block_explorer_lb_domains | length > 0
notify: "Restart caddy"

- name: Copy the Maxmind database
ansible.builtin.copy:
src: "etc/caddy/GeoLite2-Country.mmdb"
dest: "/etc/caddy/GeoLite2-Country.mmdb"
owner: "caddy"
group: "caddy"
mode: "0644"
notify: "Restart caddy"
diff: false
args:
# database is managed by external process, do not overwrite it with default one
creates: "/etc/caddy/GeoLite2-Country.mmdb"
21 changes: 20 additions & 1 deletion roles/vega_caddy_server/templates/etc/caddy/Caddyfile.j2
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,7 @@
servers {
metrics
}
order geo_ip first
}

(cors) {
Expand All @@ -29,6 +30,24 @@
header @origin Vary Origin
}


(geoblocking) {
geo_ip {
reload_frequency 3h
db_path /etc/caddy/GeoLite2-Country.mmdb
trust_header X-Real-IP
}

@blockedCountries {
maxmind_geolocation {
db_path /etc/caddy/GeoLite2-Country.mmdb
# We have allow countries because We want to return static pages to the following countries
allow_countries {{ vega_caddy_server_geoblocking_countries }}
}
}

handle @blockedCountries {
respond "Sorry, page not available in this country \{geoip.country_code\} {http.request.remote.host} !!!" 401
}
}

import /etc/caddy/sites/*.caddy
4 changes: 4 additions & 0 deletions roles/vega_caddy_server/templates/etc/caddy/sites/governance-ui.caddy.j2
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,10 @@
root * /var/www/governance
encode gzip

{% if vega_caddy_server_geoblocking_enabled|default(false) %}
import geoblocking
{% endif %}

file_server {
hide .git
index index.html
Expand Down
5 changes: 4 additions & 1 deletion roles/vega_caddy_server/templates/etc/caddy/sites/trading-ui.caddy.j2
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,10 @@
root * /var/www/trading
encode gzip

{% if vega_caddy_server_geoblocking_enabled|default(false) %}
import geoblocking
{% endif %}

file_server {
hide .git
index index.html
Expand All @@ -12,7 +16,6 @@
import cors *
}


handle_errors {
rewrite * /index.html
file_server
Expand Down