From 6031ddc028a3405d22568bd12d28fd77cd45369b Mon Sep 17 00:00:00 2001 From: genofire Date: Sat, 3 Oct 2020 04:00:30 +0200 Subject: [PATCH] Apply a 16 or 56 bit mask to source IP addresses --- roles/haproxy/templates/http.cfg.j2 | 2 ++ roles/haproxy/templates/sni.cfg.j2 | 1 + 2 files changed, 3 insertions(+) diff --git a/roles/haproxy/templates/http.cfg.j2 b/roles/haproxy/templates/http.cfg.j2 index 577e74a..7032bad 100644 --- a/roles/haproxy/templates/http.cfg.j2 +++ b/roles/haproxy/templates/http.cfg.j2 @@ -2,5 +2,7 @@ frontend http log global bind ${BIND_V4}:80 bind ${BIND_V6}:80 + http-request set-src src,ipmask(16,56) + use_backend %[req.hdr(host),lower,map(/usr/local/etc/haproxy/http.map)] diff --git a/roles/haproxy/templates/sni.cfg.j2 b/roles/haproxy/templates/sni.cfg.j2 index 7ce4dc1..19afc23 100644 --- a/roles/haproxy/templates/sni.cfg.j2 +++ b/roles/haproxy/templates/sni.cfg.j2 @@ -3,6 +3,7 @@ frontend sni mode tcp option tcplog tcp-request inspect-delay 5s + tcp-request connection set-src src,ipmask(16,56) tcp-request content accept if { req_ssl_hello_type 1 } bind ${BIND_V4}:443
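Review bot: In `frontend http` the mask is applied with `http-request set-src`, which only runs once a complete request has been parsed, so connections that time out or send a malformed request are presumably still logged with the full client address. The `frontend sni` hunk in sni.cfg.j2 already uses the connection-level form; using `tcp-request connection set-src src,ipmask(16,56)` here as well would mask at accept time and keep both frontends consistent. Both rules also deserve a comment, because every `src`-based ACL, stick-table key, forwarded address and log field evaluated afterwards sees a /16 or /56 network instead of a host: `# privacy: truncate client address to /16 (IPv4) or /56 (IPv6); src-based rules below match networks, not hosts`. Only the new rule lines and a few context lines are visible, so whether such rules exist elsewhere in these frontends cannot be confirmed from the hunks.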