[SWAG Auto-proxy] Add support for geoblocking #764

Closed
LarsCelie opened this issue Sep 14, 2023 · 6 comments

@LarsCelie

LarsCelie commented Sep 14, 2023

The current dbip or maxmind mods for swag allow geoblocking support by adding explicit lines in the application's individual config file.

When using auto proxy, the user does not have individual config files.

Suggestion:
Add a new label swag_geoblock with possible values: none; allow; deny (or whitelist; blacklist) to automatically include the relevant snippets for blocking based on the dbip or maxmind mods.

@aptalca
Member

aptalca commented Sep 14, 2023

I'm not familiar with either geoblocking option so I can't say whether it would be feasible or not. But if you flesh out your suggestion more, with specific flag options and how the confs would be sed'ed, I'll have a better idea on whether it can be feasibly standardized.

@LarsCelie
Author

LarsCelie commented Sep 14, 2023

Installing the dbip mod is quite simple;

  • install the mod via the DOCKER_MODS environment variable for SWAG
  • edit the dbip.conf to block specific countries, and add this to nginx.conf
  • add deny or allow blocks to the specific application's config file

Considering the following authelia configuration with geoblocking:

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name authelia.*;
    include /config/nginx/ssl.conf;
    client_max_body_size 0;

    if ($lan-ip = yes) { set $geo-whitelist yes; } #Check for a LAN IP
    if ($geo-whitelist = no) { return 404; } #Check the country filter

    location / {
        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        set $upstream_app authelia;
        set $upstream_port 9091;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }
}

Geoblocking with value 'whitelist' would mean adding the following lines automatically:

    if ($lan-ip = yes) { set $geo-whitelist yes; } #Check for a LAN IP
    if ($geo-whitelist = no) { return 404; } #Check the country filter

while geoblocking with the value 'blacklist' would mean adding:

    if ($geo-blacklist = no) { return 404; }

The value of 'none' would simply not do anything, so it does not need to be an option.

Since the dbip.conf already takes care of geoblocking configuration, the snippets won't change and can be statically applied.

Information gathered from https://virtualize.link/secure/#geoblock
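
The injection proposed in the comment above, sketched as an added example that is not part of the thread or of the SWAG project: a hypothetical `inject_geoblock` helper maps the proposed `swag_geoblock` label value to one of the static snippets quoted above and inserts it after the `include /config/nginx/ssl.conf;` line of a generated conf. The function name, the anchor line and the return codes are assumptions; awk is used here instead of sed, and any label value other than whitelist, blacklist or none is rejected rather than written into the conf.

```shell
#!/bin/sh
# Added example: hypothetical helper, not part of SWAG or its auto-proxy mod.
# Snippets are the static lines quoted in the thread; $lan-ip, $geo-whitelist and
# $geo-blacklist are defined by the dbip/maxmind mod's conf.
WHITELIST_SNIPPET='    if ($lan-ip = yes) { set $geo-whitelist yes; } #Check for a LAN IP
    if ($geo-whitelist = no) { return 404; } #Check the country filter'
BLACKLIST_SNIPPET='    if ($geo-blacklist = no) { return 404; }'
ANCHOR='include /config/nginx/ssl.conf;'   # assumed insertion point (server context)

# inject_geoblock <conf-file> <label-value>
# Returns 0 on success or no-op, 2 for a rejected label value, 3 if the anchor is missing.
inject_geoblock() {
    conf=$1
    case "$2" in
        whitelist) snippet=$WHITELIST_SNIPPET ;;
        blacklist) snippet=$BLACKLIST_SNIPPET ;;
        none|"")   return 0 ;;
        # Label text is never copied into the conf; anything else is refused.
        *) echo "rejected swag_geoblock value: $2" >&2; return 2 ;;
    esac
    # Idempotent: skip confs that already carry a geoblock check.
    if grep -Eq 'geo-(whitelist|blacklist) = no' "$conf"; then return 0; fi
    grep -qF "$ANCHOR" "$conf" || return 3
    tmp=$(mktemp) || return 1
    # ENVIRON passes the snippet to awk verbatim (no escape processing).
    if SNIPPET=$snippet ANCHOR=$ANCHOR awk '
        { print }
        !done && index($0, ENVIRON["ANCHOR"]) { print ENVIRON["SNIPPET"]; done = 1 }
    ' "$conf" > "$tmp"; then
        cat "$tmp" > "$conf"; rc=$?
    else
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Constructed sample: a minimal generated server block.
demo_conf=$(mktemp)
printf '%s\n' 'server {' '    listen 443 ssl;' '    server_name authelia.*;' \
    '    include /config/nginx/ssl.conf;' '    client_max_body_size 0;' '}' > "$demo_conf"
inject_geoblock "$demo_conf" whitelist && cat "$demo_conf"
rm -f "$demo_conf"
```

Because the snippet is chosen from a fixed set, nothing typed into a container label reaches the nginx configuration.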

@LarsCelie
Author

LarsCelie commented Sep 14, 2023

edited previous comments.

@LarsCelie
Author

LarsCelie commented Sep 15, 2023

Or alternatively, add support for adding anything generic. That way it would be the user's responsibility to make sure it works.

For instance, given that the user created a config file blacklist.conf and internal.conf.
Add a label swag_server_extra with value include /config/nginx/blacklist.conf to enable a blacklist config in the server block
or a label swag_location_extra with value of include /config/nginx/internal.conf to include the internal config in the location block

Then this dockermod simply puts the lines in and done.

@JiggsNephron

JiggsNephron commented Oct 15, 2023

To work around this currently not being supported, I added the lines

if ($lan-ip = yes) { set $geo-whitelist yes; } #Check for a LAN IP
if ($geo-whitelist = no) { return 404; } #Check the country filter

to ssl.conf, which is included by all the pre-made confs.

@aptalca
Member

aptalca commented Nov 3, 2023

#778

@aptalca aptalca closed this as completed Nov 3, 2023
@LinuxServer-CI LinuxServer-CI moved this from Issues to Done in Issue & PR Tracker Nov 3, 2023