P2-10 — GeoIP-based traffic filtering #175

@bihius

Description

Summary

Add country-level GeoIP filtering so administrators can allow or block traffic based on the visitor's geographic location.

Motivation

Blocking or restricting access by country is a common requirement for compliance, abuse mitigation, and regional licensing. HAProxy can enforce this natively via Lua or via a MaxMind database lookup, keeping the decision at the edge before any request reaches upstream services.

Proposed scope

GeoIP database

  • Integrate MaxMind GeoLite2-Country (free, MMDB format).
  • Download and refresh the database on a configurable schedule (e.g. weekly cron).
  • Store the database file outside the repository (runtime artifact).

HAProxy integration

  • Use haproxy-lua-http or the native stick-table + MMDB reader to resolve src → country code.
  • Support two modes per rule:
    • Allowlist — only listed country codes may pass; all others receive 403.
    • Blocklist — listed country codes are blocked; all others pass.

Admin UI & API

  • Country code selector on proxy rule creation/edit screen.
  • API endpoints to set/clear the GeoIP policy for a rule.

Fallback behaviour

  • If the database is absent or the IP cannot be resolved, fail open (allow) by default with a log warning. Document this choice; make it configurable for strict environments.

Out of scope

  • City/ASN-level filtering
  • IPv6 coverage beyond what GeoLite2 provides out of the box

Acceptance criteria

  • GeoIP database is downloaded and refreshed automatically
  • HAProxy config generator emits correct ACL/map rules for allowlist and blocklist modes
  • Admin can configure GeoIP policy per proxy rule in the UI
  • haproxy -c passes on generated config
  • Unit tests cover config generation for both modes
  • Integration tests cover API endpoints for GeoIP policy management
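A sketch of the config-generator piece from the acceptance criteria, added here as an example and not code from this repository: it emits the HAProxy ACL and deny lines for both allowlist and blocklist modes, with the fail-open default from the fallback section switchable to fail-closed for strict environments. It assumes a map file built from the GeoLite2-Country CSV (one network/ISO-code pair per line) at a hypothetical path, read with HAProxy's map_ip converter; the log warning on unresolved IPs is not shown.

```python
import re
from enum import Enum

COUNTRY_RE = re.compile(r"^[A-Z]{2}$")  # ISO 3166-1 alpha-2, as used by GeoLite2
# Assumed path: map file built from the GeoLite2-Country CSV, one
# "<network> <country_iso_code>" pair per line, read via HAProxy's map_ip converter.
DEFAULT_MAP = "/var/lib/haproxy/geoip.map"

class GeoMode(str, Enum):
    ALLOWLIST = "allowlist"  # only listed countries pass
    BLOCKLIST = "blocklist"  # listed countries are denied

def normalize_codes(countries):
    """Upper-case, de-duplicate and validate the configured country codes."""
    codes = sorted({c.strip().upper() for c in countries})
    bad = [c for c in codes if not COUNTRY_RE.match(c)]
    if bad or not codes:
        raise ValueError(f"invalid or empty country list: {bad or list(countries)}")
    return codes

def geoip_rules(mode, countries, fail_open=True, map_path=DEFAULT_MAP, tag="geo"):
    """Emit the HAProxy ACL and deny lines for one proxy rule.
    <tag>_known is false when src is not in the map (database missing or IP
    unresolved); fail_open decides whether such clients are allowed through."""
    codes = normalize_codes(countries)
    lookup = f"src,map_ip({map_path})"
    lines = [
        f"acl {tag}_known {lookup} -m found",
        f"acl {tag}_listed {lookup} -m str {' '.join(codes)}",
    ]
    if GeoMode(mode) is GeoMode.ALLOWLIST:
        cond = f"{tag}_known !{tag}_listed" if fail_open else f"!{tag}_listed"
    else:
        cond = f"{tag}_listed" if fail_open else f"{tag}_listed or !{tag}_known"
    lines.append(f"http-request deny deny_status 403 if {cond}")
    return lines

def decide(mode, countries, resolved_cc, fail_open=True):
    """Python mirror of the emitted condition, used to unit-test the decision
    table. resolved_cc is the looked-up country code, or None if unresolved."""
    codes = normalize_codes(countries)
    known = resolved_cc is not None
    listed = known and resolved_cc.upper() in codes
    if GeoMode(mode) is GeoMode.ALLOWLIST:
        deny = (known and not listed) if fail_open else not listed
    else:
        deny = listed if fail_open else (listed or not known)
    return "deny" if deny else "allow"
```

The emitted lines belong in the frontend or backend section for the rule; running haproxy -c on the generated config remains the final check.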

Metadata

Labels

  • area/backend (FastAPI, SQLAlchemy, services, API)
  • area/devops (Docker, Compose, CI, deployment)
  • p2-post-mvp (Nice to have, deferred)
