infrastructure/caddy-opnsense-blocker
2
Fork 0
Code Issues Activity

Add on-demand IP investigation and richer IP details

Browse Source
This commit is contained in:
Codex, agent ChatGPT
2026-03-12 01:53:44 +01:00
parent 33dd9bac76
commit c5e1c4ff36
13 changed files with 1561 additions and 144 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
README.md
View File

@@ -7,8 +7,9 @@
- Real-time ingestion of multiple Caddy JSON log files.
- One heuristic profile per log source.
- Persistent local state in SQLite.
- Local-only web UI for reviewing events and IPs.
- Manual block, unblock, and override reset actions.
- Local-only web UI for reviewing events, IPs, and the full request history of a selected address.
- On-demand IP investigation with persistent caching for bot verification, reverse DNS, RDAP, and Spamhaus lookups.
- Manual block, unblock, and clear-override actions with OPNsense-aware UI state.
- OPNsense alias backend with automatic alias creation.
- Concurrent polling across multiple log files.
@@ -24,12 +25,13 @@ The decision engine is deliberately simple and deterministic for now:
- excluded CIDR ranges
- manual overrides
This keeps the application usable immediately while leaving room for a more advanced network-intelligence engine later.
This keeps the application usable immediately while leaving room for a more advanced policy engine later.
## Architecture
- `internal/caddylog`: parses default Caddy JSON access logs
- `internal/engine`: evaluates requests against a profile
- `internal/investigation`: performs on-demand bot verification and IP enrichment
- `internal/store`: persists events, IP state, manual decisions, backend actions, and source offsets
- `internal/opnsense`: manages the target OPNsense alias through its API
- `internal/service`: runs concurrent log followers and applies automatic decisions
@@ -60,6 +62,7 @@ Important points:
- Each source points to one Caddy log file.
- Each source references exactly one profile.
- `initial_position: end` means “start following new lines only” on first boot.
- The `investigation` section controls how long IP enrichment is cached and whether on-demand Spamhaus lookups are enabled.
- The web UI should stay bound to a local address such as `127.0.0.1:9080`.
## Web UI and API
@@ -72,9 +75,12 @@ It refreshes through lightweight JSON polling and exposes these endpoints:
- `GET /api/events`
- `GET /api/ips`
- `GET /api/ips/{ip}`
- `POST /api/ips/{ip}/investigate`
- `POST /api/ips/{ip}/block`
- `POST /api/ips/{ip}/unblock`
- `POST /api/ips/{ip}/reset`
- `POST /api/ips/{ip}/clear-override`
The legacy `POST /api/ips/{ip}/reset` endpoint is still accepted as a backwards-compatible alias for `clear-override`.
## Development
@@ -147,7 +153,7 @@ Use the NixOS module from another configuration:
## Roadmap
- richer decision engine
- asynchronous DNS / RDAP / ASN enrichment
- optional GeoIP and ASN providers beyond RDAP
- richer review filters in the UI
- alternative blocking backends besides OPNsense
- direct streaming ingestion targets in addition to file polling