Introduce an ACL for blocking on tcp layer#882

Draft
hoffmaen wants to merge 1 commit into cloudfoundry:master from sap-contributions:tcp-blocking

Conversation

@hoffmaen (Contributor) commented Feb 26, 2026

TCP-Level CIDR Blocking

Introduces a new property ha_proxy.cidr_blocklist_tcp that enables blocking client connections at the TCP layer, before TLS negotiation occurs.

Implementation

  • Property: ha_proxy.cidr_blocklist_tcp (optional array of CIDRs or base64-encoded gzipped string)
  • Configuration File: /var/vcap/jobs/haproxy/config/blocklist_cidrs_tcp.txt
  • Behavior: CIDRs in the blocklist are rejected immediately after TCP connection establishment
  • Dynamic Updates: CIDRs can be added or removed on-the-fly via the HAProxy socket without reloading:
    # Add CIDR to blocklist
    echo 'add acl /var/vcap/jobs/haproxy/config/blocklist_cidrs_tcp.txt 10.0.1.1/24' | socat - /var/vcap/sys/run/haproxy/stats.sock
    
    # Remove CIDR from blocklist
    echo 'del acl /var/vcap/jobs/haproxy/config/blocklist_cidrs_tcp.txt 10.0.1.1/24' | socat - /var/vcap/sys/run/haproxy/stats.sock

Connection Flow for Blocked Clients

For HTTPS connections:

  1. Client establishes TCP connection to HAProxy
  2. Client initiates TLS handshake (Client Hello)
  3. HAProxy terminates connection (TCP FIN)

This approach blocks clients before the expensive TLS handshake completes, improving performance and reducing resource consumption.

Limitations

  • No logging available for connections rejected at this stage
  • The ACL and rejection rule are always present in the HAProxy configuration, even when the blocklist is empty
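As an added illustration (not code from this PR or the haproxy-boshrelease job), the following Python models how the two accepted forms of `ha_proxy.cidr_blocklist_tcp` could be normalised into networks, how a source address is matched the way the TCP-layer reject would, and how the runtime `add acl` / `del acl` commands shown above are built. Assumptions: the gzipped form holds one CIDR per line, and host bits are masked off before use (so `10.0.1.1/24` becomes `10.0.1.0/24`); both are choices made here, not behaviour the PR documents.

```python
import base64
import gzip
import ipaddress

# Path taken from the PR description: where the job writes the resolved CIDRs.
BLOCKLIST_FILE = "/var/vcap/jobs/haproxy/config/blocklist_cidrs_tcp.txt"


def decode_blocklist(value):
    """Normalise the ha_proxy.cidr_blocklist_tcp property into a list of networks.

    The property may be a list of CIDR strings or a single base64-encoded,
    gzipped string (assumed here: one CIDR per line). Host bits are masked
    off (10.0.1.1/24 becomes 10.0.1.0/24), blank/comment lines are skipped,
    and duplicates are dropped while preserving order.
    """
    if isinstance(value, str):
        raw = gzip.decompress(base64.b64decode(value)).decode("utf-8")
        entries = raw.splitlines()
    else:
        entries = list(value)
    networks = []
    for entry in entries:
        entry = entry.strip()
        if not entry or entry.startswith("#"):
            continue
        net = ipaddress.ip_network(entry, strict=False)
        if net not in networks:
            networks.append(net)
    return networks


def encode_blocklist(cidrs):
    """Produce the gzipped, base64-encoded form of the property (constructed
    convention: one CIDR per line)."""
    payload = "\n".join(cidrs).encode("utf-8")
    return base64.b64encode(gzip.compress(payload)).decode("ascii")


def is_blocked(client_ip, networks):
    """Emulate the TCP-layer decision: reject if the source is in any CIDR.
    Address-family mismatches (v4 source vs v6 network) never match."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in networks)


def socket_command(op, cidr):
    """Build the runtime command piped to the HAProxy stats socket
    (op is 'add' or 'del'); the ACL is referenced by its file name."""
    if op not in ("add", "del"):
        raise ValueError("op must be 'add' or 'del'")
    net = ipaddress.ip_network(cidr, strict=False)
    return f"{op} acl {BLOCKLIST_FILE} {net}"
```

Because rejected connections are not logged (see Limitations), a check like `is_blocked` run against the deployed list is the practical way to confirm why a given client cannot connect.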

Labels: run-ci (Allow this PR to be tested on Concourse)

4 participants