feat: support fail_closed option from caddy-blocker-plugin

New field from upstream plugin: when the real client IP is
indeterminate (trusted proxy present but no usable XFF entry),
fail_closed=true blocks the request instead of passing it through.

- Add fail_closed to GeoBlockSettings type
- Include in mergeGeoBlockSettings (OR semantics: either global or host enables it)
- Emit fail_closed in buildBlockerHandler (only when true)
- Parse geoblock_fail_closed from form in both settings and proxy-host actions
- Add Checkbox UI in the Advanced accordion of GeoBlockFields

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
fuomag9
2026-02-25 09:14:46 +01:00
parent 95455a4e8b
commit 0758e5b27a
5 changed files with 22 additions and 0 deletions

@@ -6,10 +6,12 @@ import {
AccordionSummary,
Autocomplete,
Box,
Checkbox,
Chip,
CircularProgress,
Collapse,
Divider,
FormControlLabel,
Grid,
IconButton,
Stack,
@@ -468,6 +470,19 @@ export function GeoBlockFields({ initialValues, showModeSelector = true }: GeoBl
helperText="Used to parse X-Forwarded-For. Use private_ranges for all RFC-1918 ranges."
/>
<Tooltip title="When enabled, requests where the real client IP cannot be determined (e.g. behind a trusted proxy with no usable X-Forwarded-For) are blocked. Default: off (fail-open).">
<FormControlLabel
control={
<Checkbox
name="geoblock_fail_closed"
defaultChecked={initial?.fail_closed ?? false}
size="small"
/>
}
label={<Typography variant="body2">Fail closed (block indeterminate IPs)</Typography>}
/>
</Tooltip>
<Divider />
<Grid container spacing={2}>
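Review bot: The `<Checkbox name="geoblock_fail_closed" ... />` has no explicit `value`, so a checked box posts `geoblock_fail_closed=on` and an unchecked box posts nothing at all. The form parsers in the settings and proxy-host actions are not visible in this hunk, so please confirm they treat a missing key as false and do not compare against the string "true"; setting `value="true"` here would make that contract explicit. Separately, the commit message says the merge uses OR semantics, so leaving this box unchecked on a proxy host does not turn fail-closed off when the global setting has it on. The tooltip's "Default: off (fail-open)" could mislead on the per-host form; consider wording it to say the host setting can only add to the global one. Since this control decides whether requests with an indeterminate client IP bypass geoblocking, it is also worth stating in the tooltip that fail-open lets those requests through unfiltered.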