{"host": "cp1100.eqiad.wmnet", "state": "core_diff", "description": "Differences to core resources", "diff": {"full": {"total": 4028, "only_in_self": [], "only_in_other": ["File[/etc/haproxy/lua/cidergrinder_bloom.lua]", "File[/etc/haproxy/lua/cidergrinder_mmdb.lua]", "File[/usr/share/CIDERGRINDER]", "Package[lua5.4-ciderbloom]"], "resource_diffs": [{"resource": "Haproxy::Confd_site[tls]"}, {"resource": "Confd::File[/etc/haproxy/conf.d/tls.cfg]"}, {"resource": "File[/etc/haproxy/lua/cidergrinder_mmdb.lua]", "content": "--- /etc/haproxy/lua/cidergrinder_mmdb.lua.orig\n+++ /etc/haproxy/lua/cidergrinder_mmdb.lua\n@@ -0,0 +1,51 @@\n+-- MMDB file lookup action for HAProxy\n+-- This module is part of the CIDERGRINDER project: https://gitlab.wikimedia.org/repos/sre/CIDERGRINDER\n+-- SPDX-License-Identifier: GPL-3.0-or-later\n+-- Copyright (C) 2026 Chris Danis & the Wikimedia Foundation\n+\n+local maxminddb = require(\"maxminddb\")\n+\n+local args = table.pack(...)\n+\n+local cider_mmdb = nil\n+\n+-- lua-load-per-thread mmdb_action.lua /path/to/file.mmdb\n+core.register_init(function()\n+    if #args < 1 then\n+        core.Alert(\"MMDB file name not provided\")\n+        return\n+    end\n+\n+    local fname = args[1]\n+    local err\n+    -- TODO: this seems to throw an error from the C library instead of returning nil + error string.\n+    --       we should pcall instead?\n+    cider_mmdb, err = maxminddb.open(fname)\n+    if not cider_mmdb then\n+        core.Alert(\"Failed to load MMDB file: \" .. tostring(err))\n+        return\n+    end\n+\n+    core.Info(\"Successfully loaded MMDB file: \" .. fname)\n+end)\n+\n+-- http-request lua.cidergrinder_mmdb_lookup\n+-- Sets the variable \"sess.cidergrinder_mmdb_result\" to the value of the\n+-- \"proxy\" field in the MMDB record for the client IP, if it exists.\n+-- Otherwise leaves it unset.\n+core.register_action(\"cidergrinder_mmdb_lookup\", { \"http-req\", \"tcp-req\" }, function(txn)\n+    if not cider_mmdb then\n+        return\n+    end\n+\n+    local ip = txn.f:src()\n+    local ok, result, status = pcall(cider_mmdb.lookup, cider_mmdb, ip)\n+    if not ok then\n+        return\n+    end\n+\n+    local ok, result = pcall(cider_mmdb.get, result, \"proxy\")\n+    if ok and result then\n+        txn:set_var(\"sess.cidergrinder_mmdb_result\", result)\n+    end\n+end)", "parameters": "--- File[/etc/haproxy/lua/cidergrinder_mmdb.lua].orig\n+++ File[/etc/haproxy/lua/cidergrinder_mmdb.lua]\n\n+    owner   => haproxy\n+    notify  => Service[haproxy]\n+    require => ['File[/etc/haproxy/lua]', 'Package[lua5.4-maxminddb]']\n+    mode    => 0644\n+    before  => Service[haproxy]\n+    ensure  => file\n+    group   => haproxy\n"}, {"resource": "Class[Adduser]", "parameters": "--- Class[Adduser].orig\n+++ Class[Adduser]\n\n@@\n-    before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[bsdutils]', 'Package[smartmontools]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[starship]', 'Package[ruby-sorted-set]', 'Package[btop]', 'Package[linux-sysctl-defaults]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 'Package[wpasupplicant]', 'Package[atop]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[rasdaemon]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[perccli]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[python3-attr]', 'Package[iucode-tool]', 'Package[freeipmi-tools]', 'Package[freeipmi-ipmiseld]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[prometheus-ipmi-exporter]', 'Package[python3-conftool]', 'Package[prometheus-varnishkafka-exporter]', 'Package[purged]', 'Package[linux-cpupower]', 'Package[geoip-bin]', 'Package[mmdb-bin]', 'Package[libgeoip-dev]', 'Package[libmaxminddb-dev]', 'Package[python3-logstash]', 'Package[socat]', 'Package[haproxy]', 'Package[python3-pystemd]', 'Package[benthos]', 'Package[lua5.4-maxminddb]', 'Package[wikimedia-lvs-realserver]', 'Package[python3-poolcounter]', 'Package[python3-jsonschema]', 'Package[python3-requests]', 'Package[libvmod-netmapper]', 'Package[libvmod-querysort]', 'Package[libvmod-wmfuniq]', 'Package[varnish]', 'Package[varnish-modules]', 'Package[varnish-re2]', 'Package[libsodium-dev]', 'Package[python3-nacl]', 'Package[tcp-mss-clamper]', 'Package[haproxykafka]', 'Package[ruby-concurrent]', 'Package[ruby]', 'Package[libruby]', 'Package[puppet-agent]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[varnishkafka]', 'Package[confd]', 'Package[python3-toml]', 'Package[mtail]', 'Package[prometheus-varnish-exporter]', 'Package[trafficserver]', 'Package[trafficserver-experimental-plugins]', 'Package[lua-busted]', 'Package[prometheus-trafficserver-exporter]', 'Package[fifo-log-demux]']\n+    before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[bsdutils]', 'Package[smartmontools]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[starship]', 'Package[ruby-sorted-set]', 'Package[btop]', 'Package[linux-sysctl-defaults]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 'Package[wpasupplicant]', 'Package[atop]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[rasdaemon]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[perccli]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[python3-attr]', 'Package[iucode-tool]', 'Package[freeipmi-tools]', 'Package[freeipmi-ipmiseld]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[prometheus-ipmi-exporter]', 'Package[python3-conftool]', 'Package[prometheus-varnishkafka-exporter]', 'Package[purged]', 'Package[linux-cpupower]', 'Package[geoip-bin]', 'Package[mmdb-bin]', 'Package[libgeoip-dev]', 'Package[libmaxminddb-dev]', 'Package[python3-logstash]', 'Package[socat]', 'Package[haproxy]', 'Package[python3-pystemd]', 'Package[benthos]', 'Package[lua5.4-maxminddb]', 'Package[lua5.4-ciderbloom]', 'Package[wikimedia-lvs-realserver]', 'Package[python3-poolcounter]', 'Package[python3-jsonschema]', 'Package[python3-requests]', 'Package[libvmod-netmapper]', 'Package[libvmod-querysort]', 'Package[libvmod-wmfuniq]', 'Package[varnish]', 'Package[varnish-modules]', 'Package[varnish-re2]', 'Package[libsodium-dev]', 'Package[python3-nacl]', 'Package[tcp-mss-clamper]', 'Package[haproxykafka]', 'Package[ruby-concurrent]', 'Package[ruby]', 'Package[libruby]', 'Package[puppet-agent]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[varnishkafka]', 'Package[confd]', 'Package[python3-toml]', 'Package[mtail]', 'Package[prometheus-varnish-exporter]', 'Package[trafficserver]', 'Package[trafficserver-experimental-plugins]', 'Package[lua-busted]', 'Package[prometheus-trafficserver-exporter]', 'Package[fifo-log-demux]']\n"}, {"resource": "File[/usr/share/CIDERGRINDER]", "parameters": "--- File[/usr/share/CIDERGRINDER].orig\n+++ File[/usr/share/CIDERGRINDER]\n\n+    recurse => True\n+    owner   => root\n+    notify  => Service[haproxy]\n+    before  => Service[haproxy]\n+    ensure  => directory\n+    group   => root\n+    source  => puppet:///volatile/CIDERGRINDER\n"}, {"resource": "File[/etc/haproxy/haproxy.cfg]", "content": "--- /etc/haproxy/haproxy.cfg.orig\n+++ /etc/haproxy/haproxy.cfg\n@@ -22,6 +22,8 @@\n     lua-load-per-thread /etc/haproxy/lua/ja4h.lua\n     lua-load-per-thread /etc/haproxy/lua/utf8ps.lua\n     lua-load-per-thread /etc/haproxy/lua/contact_info.lua\n+    lua-load-per-thread /etc/haproxy/lua/cidergrinder_mmdb.lua /usr/share/CIDERGRINDER/anonymous-residential.cider.mmdb\n+    lua-load-per-thread /etc/haproxy/lua/cidergrinder_bloom.lua /usr/share/CIDERGRINDER/anonymous-residential.cider.bloom\n \n     ssl-default-bind-options ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.3\n     ssl-default-bind-ciphers -ALL:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256"}, {"resource": "Class[Profile::Cache::Haproxy]", "parameters": "--- Class[Profile::Cache::Haproxy].orig\n+++ Class[Profile::Cache::Haproxy]\n\n@@\n-    use_cidergrinder => False\n+    use_cidergrinder => True\n"}, {"resource": "Package[lua5.4-ciderbloom]", "parameters": "--- Package[lua5.4-ciderbloom].orig\n+++ Package[lua5.4-ciderbloom]\n\n+    ensure   => installed\n+    provider => apt\n"}, {"resource": "Class[Haproxy]", "parameters": "--- Class[Haproxy].orig\n+++ Class[Haproxy]\n\n@@\n-    config_content => # Note: This file is managed by puppet.\nglobal\n    user haproxy\n    group haproxy\n    stats socket /run/haproxy/haproxy.sock mode 600 expose-fd listeners level admin\n    log /var/lib/haproxy/dev/log local0 info\n    log /var/run/haproxykafka/haproxykafka.sock len 8192 format rfc5424 local0 info\n    tune.http.logurilen 2048\n    # do not keep old processes longer than 1m after a reload\n    hard-stop-after 1m\n    set-dumpable\n    nbthread 48\n    # NB: mapping too many cores (>~60) will cause HAProxy to complain about\n    # too long of a line and fail to start\n    cpu-map 1/1- 0 48 2 50 4 52 6 54 8 56 10 58 12 60 14 62 16 64 18 66 20 68 22 70 24 72 26 74 28 76 30 78 32 80 34 82 36 84 38 86 40 88 42 90 44 92 46 94\n\n    lua-prepend-path /etc/haproxy/lua/private/?.lua\n    lua-load-per-thread /etc/haproxy/lua/private/main.lua\n    lua-load-per-thread /etc/haproxy/lua/maxmind-lookup.lua\n    tune.ssl.capture-buffer-size 96\n    lua-load-per-thread /etc/haproxy/lua/ja3n.lua\n    lua-load-per-thread /etc/haproxy/lua/ja4h.lua\n    lua-load-per-thread /etc/haproxy/lua/utf8ps.lua\n    lua-load-per-thread /etc/haproxy/lua/contact_info.lua\n\n    ssl-default-bind-options ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.3\n    ssl-default-bind-ciphers -ALL:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256\n    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384\n    ssl-dh-param-file /etc/ssl/dhparam.pem\n    tune.ssl.cachesize 512000\n    tune.ssl.lifetime 86400\n    maxconn 200000\n\n\n    tune.h2.header-table-size 4096\n    tune.h2.initial-window-size 65535\n    tune.h2.max-concurrent-streams 100\n\n\ndefaults\n    mode       http\n    log-format \"%rt %Tr %Tw %Tc %ST {%[capture.req.hdr(0)]} {%[capture.res.hdr(0)]} %ts\"\n    log-format-sd %{+E}o\\ [haproxykafka@0\\ server_pid=\\\"%pid\\\"\\ ip=\\\"%ci\\\"\\ sequence=\\\"%rt\\\"\\ dt=\\\"%tr\\\"\\ time_backend_response=\\\"%Tr\\\"\\ http_status=\\\"%ST\\\"\\ response_size=\\\"%B\\\"\\ termination_state=\\\"%ts\\\"\\ uri_host=\\\"%[capture.req.hdr(0),lua.utf8ps]\\\"\\ referer=\\\"%[capture.req.hdr(1),lua.utf8ps]\\\"\\ user_agent=\\\"%[capture.req.hdr(2),lua.utf8ps]\\\"\\ accept_language=\\\"%[capture.req.hdr(3),lua.utf8ps]\\\"\\ range=\\\"%[capture.req.hdr(4),lua.utf8ps]\\\"\\ accept=\\\"%[capture.req.hdr(5),lua.utf8ps]\\\"\\ tls=\\\"%[var(txn.tls)]\\\"\\ cache_status=\\\"%[var(txn.x_cache_status)]\\\"\\ content_type=\\\"%[var(txn.content_type)]\\\"\\ x_analytics=\\\"%[var(txn.x_analytics)]\\\"\\ x_cache=\\\"%[var(txn.x_cache)]\\\"\\ backend=\\\"%[var(txn.server)]\\\"\\ http_method=\\\"%HM\\\"\\ uri_path=\\\"%HPO\\\"\\ uri_query=\\\"%HQ\\\"]\n\n    option     dontlognull\n    option     accept-invalid-http-request\n    option     accept-invalid-http-response\n    option     http-ignore-probes\n    retries    1\n    timeout    connect 50000\n    timeout    client 500000\n    timeout    server 500000\n\n+    config_content => # Note: This file is managed by puppet.\nglobal\n    user haproxy\n    group haproxy\n    stats socket /run/haproxy/haproxy.sock mode 600 expose-fd listeners level admin\n    log /var/lib/haproxy/dev/log local0 info\n    log /var/run/haproxykafka/haproxykafka.sock len 8192 format rfc5424 local0 info\n    tune.http.logurilen 2048\n    # do not keep old processes longer than 1m after a reload\n    hard-stop-after 1m\n    set-dumpable\n    nbthread 48\n    # NB: mapping too many cores (>~60) will cause HAProxy to complain about\n    # too long of a line and fail to start\n    cpu-map 1/1- 0 48 2 50 4 52 6 54 8 56 10 58 12 60 14 62 16 64 18 66 20 68 22 70 24 72 26 74 28 76 30 78 32 80 34 82 36 84 38 86 40 88 42 90 44 92 46 94\n\n    lua-prepend-path /etc/haproxy/lua/private/?.lua\n    lua-load-per-thread /etc/haproxy/lua/private/main.lua\n    lua-load-per-thread /etc/haproxy/lua/maxmind-lookup.lua\n    tune.ssl.capture-buffer-size 96\n    lua-load-per-thread /etc/haproxy/lua/ja3n.lua\n    lua-load-per-thread /etc/haproxy/lua/ja4h.lua\n    lua-load-per-thread /etc/haproxy/lua/utf8ps.lua\n    lua-load-per-thread /etc/haproxy/lua/contact_info.lua\n    lua-load-per-thread /etc/haproxy/lua/cidergrinder_mmdb.lua /usr/share/CIDERGRINDER/anonymous-residential.cider.mmdb\n    lua-load-per-thread /etc/haproxy/lua/cidergrinder_bloom.lua /usr/share/CIDERGRINDER/anonymous-residential.cider.bloom\n\n    ssl-default-bind-options ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.3\n    ssl-default-bind-ciphers -ALL:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256\n    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384\n    ssl-dh-param-file /etc/ssl/dhparam.pem\n    tune.ssl.cachesize 512000\n    tune.ssl.lifetime 86400\n    maxconn 200000\n\n\n    tune.h2.header-table-size 4096\n    tune.h2.initial-window-size 65535\n    tune.h2.max-concurrent-streams 100\n\n\ndefaults\n    mode       http\n    log-format \"%rt %Tr %Tw %Tc %ST {%[capture.req.hdr(0)]} {%[capture.res.hdr(0)]} %ts\"\n    log-format-sd %{+E}o\\ [haproxykafka@0\\ server_pid=\\\"%pid\\\"\\ ip=\\\"%ci\\\"\\ sequence=\\\"%rt\\\"\\ dt=\\\"%tr\\\"\\ time_backend_response=\\\"%Tr\\\"\\ http_status=\\\"%ST\\\"\\ response_size=\\\"%B\\\"\\ termination_state=\\\"%ts\\\"\\ uri_host=\\\"%[capture.req.hdr(0),lua.utf8ps]\\\"\\ referer=\\\"%[capture.req.hdr(1),lua.utf8ps]\\\"\\ user_agent=\\\"%[capture.req.hdr(2),lua.utf8ps]\\\"\\ accept_language=\\\"%[capture.req.hdr(3),lua.utf8ps]\\\"\\ range=\\\"%[capture.req.hdr(4),lua.utf8ps]\\\"\\ accept=\\\"%[capture.req.hdr(5),lua.utf8ps]\\\"\\ tls=\\\"%[var(txn.tls)]\\\"\\ cache_status=\\\"%[var(txn.x_cache_status)]\\\"\\ content_type=\\\"%[var(txn.content_type)]\\\"\\ x_analytics=\\\"%[var(txn.x_analytics)]\\\"\\ x_cache=\\\"%[var(txn.x_cache)]\\\"\\ backend=\\\"%[var(txn.server)]\\\"\\ http_method=\\\"%HM\\\"\\ uri_path=\\\"%HPO\\\"\\ uri_query=\\\"%HQ\\\"]\n\n    option     dontlognull\n    option     accept-invalid-http-request\n    option     accept-invalid-http-response\n    option     http-ignore-probes\n    retries    1\n    timeout    connect 50000\n    timeout    client 500000\n    timeout    server 500000\n\n"}, {"resource": "File[/etc/haproxy/lua/cidergrinder_bloom.lua]", "content": "--- /etc/haproxy/lua/cidergrinder_bloom.lua.orig\n+++ /etc/haproxy/lua/cidergrinder_bloom.lua\n@@ -0,0 +1,123 @@\n+-- Bloom filter lookup action for HAProxy\n+-- This module is part of the CIDERGRINDER project: https://gitlab.wikimedia.org/repos/sre/CIDERGRINDER\n+-- SPDX-License-Identifier: GPL-3.0-or-later\n+-- Copyright (C) 2026 Chris Danis & the Wikimedia Foundation\n+\n+local Bloom = require(\"bloom\")  -- our C library\n+\n+-- Global bloom filter instance\n+local bloom_filter = nil\n+local expected_payload_hash = nil\n+\n+local args = table.pack(...)\n+\n+core.register_init(function()\n+    if #args < 1 then\n+        core.Alert(\"Bloom filter file name not provided\")\n+        return\n+    end\n+\n+    local fname = args[1]\n+    local file = io.open(fname, \"rb\")  -- file io allowed in init context\n+    if not file then\n+        core.Alert(\"Failed to open bloom filter file: \" .. fname)\n+        return\n+    end\n+\n+    -- Parse the headers, make note of the checksum\n+    -- Example file contents:\n+    -- PUT /spur.bloom CIDERBLOOM/0.1\\r\\n\n+    -- Bits: 1234567\\r\\n\n+    -- Hashes: 13\\r\\n\n+    -- Payload-Xxhash3: abcdef1234567890\\r\\n\n+    -- Other-user-defined-metadata: value\\r\\n\n+    -- \\r\\n[binary data begins]\n+\n+    -- check the header line, should contain \"CIDERBLOOM/0.1\"\n+    local header = file:read(\"*l\")\n+    if not header or not header:match(\"CIDERBLOOM/0%.1\") then\n+        core.Alert(\"Invalid bloom filter file header: \" .. tostring(header))\n+        file:close()\n+        return\n+    end\n+\n+    local hdrs = {}\n+    -- parse key: value lines until we hit an empty line\n+    -- (keys will never contain whitespace or colons)\n+    while true do\n+        local line = file:read(\"*l\")\n+        if not line or line == \"\" or line == \"\\r\" then\n+            break\n+        end\n+        local key, value = line:match(\"^(.-):%s*(.-)%s*$\")\n+        if key and value then\n+            key = key:lower()\n+            hdrs[key] = value\n+        end\n+    end\n+\n+    if not hdrs[\"bits\"] or not hdrs[\"hashes\"] then\n+        core.Alert(\"Unable to load Bloom filter -- missing required metadata\")\n+        file:close()\n+        return\n+    end\n+\n+    if hdrs[\"payload-xxhash3\"] then\n+        local hash = tonumber(hdrs[\"payload-xxhash3\"], 16)\n+        expected_payload_hash = hash\n+    end\n+\n+-- TODO: we could take an expected granularity as an arg from the config file and\n+--       crosscheck that against the x-granularity header.\n+\n+    local bits = tonumber(hdrs[\"bits\"])\n+    local hashes = tonumber(hdrs[\"hashes\"])\n+    if not bits or not hashes then\n+        core.Alert(\"Invalid bloom filter header values\")\n+        file:close()\n+        return\n+    end\n+\n+    core.Debug(\"File payload offset: \" .. file:seek(\"cur\", 0))\n+\n+    local ok, bf_or_err = pcall(Bloom.open, file, bits, hashes)\n+    -- Safe to close the file on error or success; mmap() has our back.\n+    file:close()\n+    if not ok then\n+        core.Alert(\"Failed to initialize bloom filter from file: \" .. fname .. \" (\" .. tostring(bf_or_err) .. \")\")\n+        bloom_filter = nil\n+        return\n+    end\n+    bloom_filter = bf_or_err\n+\n+    if expected_payload_hash then\n+        local hash = bloom_filter:checksum()\n+        if hash ~= expected_payload_hash then\n+            core.Alert(string.format(\"Unloading the Bloom filter! checksum mismatch: expected %016x, got %016x\", expected_payload_hash, hash))\n+            bloom_filter = nil\n+        else\n+            core.Debug(string.format(\"Bloom filter checksum matches expected value: %016x\", hash))\n+        end\n+    else\n+        core.Warning(\"Bloom filter metadata lacks payload-xxhash3; skipping integrity check\")\n+    end\n+\n+    core.Info(string.format(\"Bloom filter %s loaded OK! parameters: bits=%d, hashes=%d\", fname, bits, hashes))\n+end)\n+\n+-- `http-request lua.bloom_lookup`\n+-- expects var(sess.prehashed) to be set to a hash value to check against the bloom filter\n+-- sets var(sess.bloom_result) to true or false based on the lookup\n+core.register_action(\"bloom_lookup\", { \"http-req\", \"tcp-req\" }, function(txn)\n+    if not bloom_filter then\n+        return\n+    end\n+\n+    local h = txn:get_var(\"sess.prehashed\")\n+    if h then\n+        local r = bloom_filter:contains_hashval(h)\n+        txn:set_var(\"sess.bloom_result\", r)\n+    end\n+end)\n+\n+core.Info(\"Bloom filter action registered\")", "parameters": "--- File[/etc/haproxy/lua/cidergrinder_bloom.lua].orig\n+++ File[/etc/haproxy/lua/cidergrinder_bloom.lua]\n\n+    owner   => haproxy\n+    notify  => Service[haproxy]\n+    require => ['File[/etc/haproxy/lua]', 'Package[lua5.4-ciderbloom]']\n+    mode    => 0644\n+    before  => Service[haproxy]\n+    ensure  => file\n+    group   => haproxy\n"}, {"resource": "Class[Profile::Apt]", "parameters": "--- Class[Profile::Apt].orig\n+++ Class[Profile::Apt]\n\n@@\n-    before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[bsdutils]', 'Package[smartmontools]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[starship]', 'Package[ruby-sorted-set]', 'Package[btop]', 'Package[linux-sysctl-defaults]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 'Package[wpasupplicant]', 'Package[atop]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[rasdaemon]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[perccli]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[python3-attr]', 'Package[iucode-tool]', 'Package[freeipmi-tools]', 'Package[freeipmi-ipmiseld]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[prometheus-ipmi-exporter]', 'Package[python3-conftool]', 'Package[prometheus-varnishkafka-exporter]', 'Package[purged]', 'Package[linux-cpupower]', 'Package[geoip-bin]', 'Package[mmdb-bin]', 'Package[libgeoip-dev]', 'Package[libmaxminddb-dev]', 'Package[python3-logstash]', 'Package[socat]', 'Package[haproxy]', 'Package[python3-pystemd]', 'Package[benthos]', 'Package[lua5.4-maxminddb]', 'Package[wikimedia-lvs-realserver]', 'Package[python3-poolcounter]', 'Package[python3-jsonschema]', 'Package[python3-requests]', 'Package[libvmod-netmapper]', 'Package[libvmod-querysort]', 'Package[libvmod-wmfuniq]', 'Package[varnish]', 'Package[varnish-modules]', 'Package[varnish-re2]', 'Package[libsodium-dev]', 'Package[python3-nacl]', 'Package[tcp-mss-clamper]', 'Package[haproxykafka]', 'Package[ruby-concurrent]', 'Package[ruby]', 'Package[libruby]', 'Package[puppet-agent]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[varnishkafka]', 'Package[confd]', 'Package[python3-toml]', 'Package[mtail]', 'Package[prometheus-varnish-exporter]', 'Package[trafficserver]', 'Package[trafficserver-experimental-plugins]', 'Package[lua-busted]', 'Package[prometheus-trafficserver-exporter]', 'Package[fifo-log-demux]']\n+    before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[bsdutils]', 'Package[smartmontools]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[starship]', 'Package[ruby-sorted-set]', 'Package[btop]', 'Package[linux-sysctl-defaults]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 'Package[wpasupplicant]', 'Package[atop]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[rasdaemon]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[perccli]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[python3-attr]', 'Package[iucode-tool]', 'Package[freeipmi-tools]', 'Package[freeipmi-ipmiseld]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[prometheus-ipmi-exporter]', 'Package[python3-conftool]', 'Package[prometheus-varnishkafka-exporter]', 'Package[purged]', 'Package[linux-cpupower]', 'Package[geoip-bin]', 'Package[mmdb-bin]', 'Package[libgeoip-dev]', 'Package[libmaxminddb-dev]', 'Package[python3-logstash]', 'Package[socat]', 'Package[haproxy]', 'Package[python3-pystemd]', 'Package[benthos]', 'Package[lua5.4-maxminddb]', 'Package[lua5.4-ciderbloom]', 'Package[wikimedia-lvs-realserver]', 'Package[python3-poolcounter]', 'Package[python3-jsonschema]', 'Package[python3-requests]', 'Package[libvmod-netmapper]', 'Package[libvmod-querysort]', 'Package[libvmod-wmfuniq]', 'Package[varnish]', 'Package[varnish-modules]', 'Package[varnish-re2]', 'Package[libsodium-dev]', 'Package[python3-nacl]', 'Package[tcp-mss-clamper]', 'Package[haproxykafka]', 'Package[ruby-concurrent]', 'Package[ruby]', 'Package[libruby]', 'Package[puppet-agent]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[varnishkafka]', 'Package[confd]', 'Package[python3-toml]', 'Package[mtail]', 'Package[prometheus-varnish-exporter]', 'Package[trafficserver]', 'Package[trafficserver-experimental-plugins]', 'Package[lua-busted]', 'Package[prometheus-trafficserver-exporter]', 'Package[fifo-log-demux]']\n"}, {"resource": "File[/etc/confd/templates/_etc_haproxy_conf.d_tls.cfg.tmpl]", "content": "--- /etc/confd/templates/_etc_haproxy_conf.d_tls.cfg.tmpl.orig\n+++ /etc/confd/templates/_etc_haproxy_conf.d_tls.cfg.tmpl\n@@ -181,6 +181,10 @@\n     # Check if the request originates from a known datacenter.\n     http-request lua.is_datacenter\n     http-request set-var(req.provenance) var(req.provenance),add_item(\";\",,\"datacenter=true\") if { var(txn.is_datacenter) -m bool }\n+    http-request lua.cidergrinder_mmdb_lookup unless { var(sess.cidergrinder_mmdb_result) -m found }\n+    http-request set-var(sess.prehashed) src,ipmask(32,64),xxh3 unless { var(sess.cidergrinder_mmdb_result) -m found } || { var(sess.prehashed) -m found }\n+    http-request lua.bloom_lookup unless { var(sess.cidergrinder_mmdb_result) -m bool }\n+    http-request set-var(req.provenance) var(req.provenance),add_item(\";\",,\"likely_resiproxy=true\") if { var(sess.cidergrinder_mmdb_result) -m bool } || { var(sess.bloom_result) -m bool }\n     http-request lua.res_proxy  # sets var txn.res_proxy to `proxy=foo` (or, doesn't)\n     http-request set-var(req.provenance) var(req.provenance),add_item(\";\",txn.res_proxy,\"\") if { var(txn.res_proxy) -m found }\n "}], "perc_changed": "0.40%"}, "core": {"total": 4028, "only_in_self": [], "only_in_other": ["File[/etc/haproxy/lua/cidergrinder_bloom.lua]", "File[/etc/haproxy/lua/cidergrinder_mmdb.lua]", "File[/usr/share/CIDERGRINDER]", "Package[lua5.4-ciderbloom]"], "resource_diffs": [{"resource": "File[/etc/haproxy/haproxy.cfg]", "content": "--- /etc/haproxy/haproxy.cfg.orig\n+++ /etc/haproxy/haproxy.cfg\n@@ -22,6 +22,8 @@\n     lua-load-per-thread /etc/haproxy/lua/ja4h.lua\n     lua-load-per-thread /etc/haproxy/lua/utf8ps.lua\n     lua-load-per-thread /etc/haproxy/lua/contact_info.lua\n+    lua-load-per-thread /etc/haproxy/lua/cidergrinder_mmdb.lua /usr/share/CIDERGRINDER/anonymous-residential.cider.mmdb\n+    lua-load-per-thread /etc/haproxy/lua/cidergrinder_bloom.lua /usr/share/CIDERGRINDER/anonymous-residential.cider.bloom\n \n     ssl-default-bind-options ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.3\n     ssl-default-bind-ciphers -ALL:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256"}, {"resource": "File[/etc/confd/templates/_etc_haproxy_conf.d_tls.cfg.tmpl]", "content": "--- /etc/confd/templates/_etc_haproxy_conf.d_tls.cfg.tmpl.orig\n+++ /etc/confd/templates/_etc_haproxy_conf.d_tls.cfg.tmpl\n@@ -181,6 +181,10 @@\n     # Check if the request originates from a known datacenter.\n     http-request lua.is_datacenter\n     http-request set-var(req.provenance) var(req.provenance),add_item(\";\",,\"datacenter=true\") if { var(txn.is_datacenter) -m bool }\n+    http-request lua.cidergrinder_mmdb_lookup unless { var(sess.cidergrinder_mmdb_result) -m found }\n+    http-request set-var(sess.prehashed) src,ipmask(32,64),xxh3 unless { var(sess.cidergrinder_mmdb_result) -m found } || { var(sess.prehashed) -m found }\n+    http-request lua.bloom_lookup unless { var(sess.cidergrinder_mmdb_result) -m bool }\n+    http-request set-var(req.provenance) var(req.provenance),add_item(\";\",,\"likely_resiproxy=true\") if { var(sess.cidergrinder_mmdb_result) -m bool } || { var(sess.bloom_result) -m bool }\n     http-request lua.res_proxy  # sets var txn.res_proxy to `proxy=foo` (or, doesn't)\n     http-request set-var(req.provenance) var(req.provenance),add_item(\";\",txn.res_proxy,\"\") if { var(txn.res_proxy) -m found }\n "}], "perc_changed": "0.15%"}, "main": {"total": 4028, "only_in_self": [], "only_in_other": ["File[/etc/haproxy/lua/cidergrinder_bloom.lua]", "File[/etc/haproxy/lua/cidergrinder_mmdb.lua]", "File[/usr/share/CIDERGRINDER]", "Package[lua5.4-ciderbloom]"], "resource_diffs": [{"resource": "Haproxy::Confd_site[tls]"}, {"resource": "Class[Haproxy]", "parameters": "--- Class[Haproxy].orig\n+++ Class[Haproxy]\n\n@@\n-    config_content => # Note: This file is managed by puppet.\nglobal\n    user haproxy\n    group haproxy\n    stats socket /run/haproxy/haproxy.sock mode 600 expose-fd listeners level admin\n    log /var/lib/haproxy/dev/log local0 info\n    log /var/run/haproxykafka/haproxykafka.sock len 8192 format rfc5424 local0 info\n    tune.http.logurilen 2048\n    # do not keep old processes longer than 1m after a reload\n    hard-stop-after 1m\n    set-dumpable\n    nbthread 48\n    # NB: mapping too many cores (>~60) will cause HAProxy to complain about\n    # too long of a line and fail to start\n    cpu-map 1/1- 0 48 2 50 4 52 6 54 8 56 10 58 12 60 14 62 16 64 18 66 20 68 22 70 24 72 26 74 28 76 30 78 32 80 34 82 36 84 38 86 40 88 42 90 44 92 46 94\n\n    lua-prepend-path /etc/haproxy/lua/private/?.lua\n    lua-load-per-thread /etc/haproxy/lua/private/main.lua\n    lua-load-per-thread /etc/haproxy/lua/maxmind-lookup.lua\n    tune.ssl.capture-buffer-size 96\n    lua-load-per-thread /etc/haproxy/lua/ja3n.lua\n    lua-load-per-thread /etc/haproxy/lua/ja4h.lua\n    lua-load-per-thread /etc/haproxy/lua/utf8ps.lua\n    lua-load-per-thread /etc/haproxy/lua/contact_info.lua\n\n    ssl-default-bind-options ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.3\n    ssl-default-bind-ciphers -ALL:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256\n    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384\n    ssl-dh-param-file /etc/ssl/dhparam.pem\n    tune.ssl.cachesize 512000\n    tune.ssl.lifetime 86400\n    maxconn 200000\n\n\n    tune.h2.header-table-size 4096\n    tune.h2.initial-window-size 65535\n    tune.h2.max-concurrent-streams 100\n\n\ndefaults\n    mode       http\n    log-format \"%rt %Tr %Tw %Tc %ST {%[capture.req.hdr(0)]} {%[capture.res.hdr(0)]} %ts\"\n    log-format-sd %{+E}o\\ [haproxykafka@0\\ server_pid=\\\"%pid\\\"\\ ip=\\\"%ci\\\"\\ sequence=\\\"%rt\\\"\\ dt=\\\"%tr\\\"\\ time_backend_response=\\\"%Tr\\\"\\ http_status=\\\"%ST\\\"\\ response_size=\\\"%B\\\"\\ termination_state=\\\"%ts\\\"\\ uri_host=\\\"%[capture.req.hdr(0),lua.utf8ps]\\\"\\ referer=\\\"%[capture.req.hdr(1),lua.utf8ps]\\\"\\ user_agent=\\\"%[capture.req.hdr(2),lua.utf8ps]\\\"\\ accept_language=\\\"%[capture.req.hdr(3),lua.utf8ps]\\\"\\ range=\\\"%[capture.req.hdr(4),lua.utf8ps]\\\"\\ accept=\\\"%[capture.req.hdr(5),lua.utf8ps]\\\"\\ tls=\\\"%[var(txn.tls)]\\\"\\ cache_status=\\\"%[var(txn.x_cache_status)]\\\"\\ content_type=\\\"%[var(txn.content_type)]\\\"\\ x_analytics=\\\"%[var(txn.x_analytics)]\\\"\\ x_cache=\\\"%[var(txn.x_cache)]\\\"\\ backend=\\\"%[var(txn.server)]\\\"\\ http_method=\\\"%HM\\\"\\ uri_path=\\\"%HPO\\\"\\ uri_query=\\\"%HQ\\\"]\n\n    option     dontlognull\n    option     accept-invalid-http-request\n    option     accept-invalid-http-response\n    option     http-ignore-probes\n    retries    1\n    timeout    connect 50000\n    timeout    client 500000\n    timeout    server 500000\n\n+    config_content => # Note: This file is managed by puppet.\nglobal\n    user haproxy\n    group haproxy\n    stats socket /run/haproxy/haproxy.sock mode 600 expose-fd listeners level admin\n    log /var/lib/haproxy/dev/log local0 info\n    log /var/run/haproxykafka/haproxykafka.sock len 8192 format rfc5424 local0 info\n    tune.http.logurilen 2048\n    # do not keep old processes longer than 1m after a reload\n    hard-stop-after 1m\n    set-dumpable\n    nbthread 48\n    # NB: mapping too many cores (>~60) will cause HAProxy to complain about\n    # too long of a line and fail to start\n    cpu-map 1/1- 0 48 2 50 4 52 6 54 8 56 10 58 12 60 14 62 16 64 18 66 20 68 22 70 24 72 26 74 28 76 30 78 32 80 34 82 36 84 38 86 40 88 42 90 44 92 46 94\n\n    lua-prepend-path /etc/haproxy/lua/private/?.lua\n    lua-load-per-thread /etc/haproxy/lua/private/main.lua\n    lua-load-per-thread /etc/haproxy/lua/maxmind-lookup.lua\n    tune.ssl.capture-buffer-size 96\n    lua-load-per-thread /etc/haproxy/lua/ja3n.lua\n    lua-load-per-thread /etc/haproxy/lua/ja4h.lua\n    lua-load-per-thread /etc/haproxy/lua/utf8ps.lua\n    lua-load-per-thread /etc/haproxy/lua/contact_info.lua\n    lua-load-per-thread /etc/haproxy/lua/cidergrinder_mmdb.lua /usr/share/CIDERGRINDER/anonymous-residential.cider.mmdb\n    lua-load-per-thread /etc/haproxy/lua/cidergrinder_bloom.lua /usr/share/CIDERGRINDER/anonymous-residential.cider.bloom\n\n    ssl-default-bind-options ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.3\n    ssl-default-bind-ciphers -ALL:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256\n    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384\n    ssl-dh-param-file /etc/ssl/dhparam.pem\n    tune.ssl.cachesize 512000\n    tune.ssl.lifetime 86400\n    maxconn 200000\n\n\n    tune.h2.header-table-size 4096\n    tune.h2.initial-window-size 65535\n    tune.h2.max-concurrent-streams 100\n\n\ndefaults\n    mode       http\n    log-format \"%rt %Tr %Tw %Tc %ST {%[capture.req.hdr(0)]} {%[capture.res.hdr(0)]} %ts\"\n    log-format-sd %{+E}o\\ [haproxykafka@0\\ server_pid=\\\"%pid\\\"\\ ip=\\\"%ci\\\"\\ sequence=\\\"%rt\\\"\\ dt=\\\"%tr\\\"\\ time_backend_response=\\\"%Tr\\\"\\ http_status=\\\"%ST\\\"\\ response_size=\\\"%B\\\"\\ termination_state=\\\"%ts\\\"\\ uri_host=\\\"%[capture.req.hdr(0),lua.utf8ps]\\\"\\ referer=\\\"%[capture.req.hdr(1),lua.utf8ps]\\\"\\ user_agent=\\\"%[capture.req.hdr(2),lua.utf8ps]\\\"\\ accept_language=\\\"%[capture.req.hdr(3),lua.utf8ps]\\\"\\ range=\\\"%[capture.req.hdr(4),lua.utf8ps]\\\"\\ accept=\\\"%[capture.req.hdr(5),lua.utf8ps]\\\"\\ tls=\\\"%[var(txn.tls)]\\\"\\ cache_status=\\\"%[var(txn.x_cache_status)]\\\"\\ content_type=\\\"%[var(txn.content_type)]\\\"\\ x_analytics=\\\"%[var(txn.x_analytics)]\\\"\\ x_cache=\\\"%[var(txn.x_cache)]\\\"\\ backend=\\\"%[var(txn.server)]\\\"\\ http_method=\\\"%HM\\\"\\ uri_path=\\\"%HPO\\\"\\ uri_query=\\\"%HQ\\\"]\n\n    option     dontlognull\n    option     accept-invalid-http-request\n    option     accept-invalid-http-response\n    option     http-ignore-probes\n    retries    1\n    timeout    connect 50000\n    timeout    client 500000\n    timeout    server 500000\n\n"}, {"resource": "Confd::File[/etc/haproxy/conf.d/tls.cfg]"}, {"resource": "Class[Adduser]", "parameters": "--- Class[Adduser].orig\n+++ Class[Adduser]\n\n@@\n-    before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[bsdutils]', 'Package[smartmontools]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[starship]', 'Package[ruby-sorted-set]', 'Package[btop]', 'Package[linux-sysctl-defaults]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 'Package[wpasupplicant]', 'Package[atop]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[rasdaemon]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[perccli]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[python3-attr]', 'Package[iucode-tool]', 'Package[freeipmi-tools]', 'Package[freeipmi-ipmiseld]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[prometheus-ipmi-exporter]', 'Package[python3-conftool]', 'Package[prometheus-varnishkafka-exporter]', 'Package[purged]', 'Package[linux-cpupower]', 'Package[geoip-bin]', 'Package[mmdb-bin]', 'Package[libgeoip-dev]', 'Package[libmaxminddb-dev]', 'Package[python3-logstash]', 'Package[socat]', 'Package[haproxy]', 'Package[python3-pystemd]', 'Package[benthos]', 'Package[lua5.4-maxminddb]', 'Package[wikimedia-lvs-realserver]', 'Package[python3-poolcounter]', 'Package[python3-jsonschema]', 'Package[python3-requests]', 'Package[libvmod-netmapper]', 'Package[libvmod-querysort]', 'Package[libvmod-wmfuniq]', 'Package[varnish]', 'Package[varnish-modules]', 'Package[varnish-re2]', 'Package[libsodium-dev]', 'Package[python3-nacl]', 'Package[tcp-mss-clamper]', 'Package[haproxykafka]', 'Package[ruby-concurrent]', 'Package[ruby]', 'Package[libruby]', 'Package[puppet-agent]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[varnishkafka]', 'Package[confd]', 'Package[python3-toml]', 'Package[mtail]', 'Package[prometheus-varnish-exporter]', 'Package[trafficserver]', 'Package[trafficserver-experimental-plugins]', 'Package[lua-busted]', 'Package[prometheus-trafficserver-exporter]', 'Package[fifo-log-demux]']\n+    before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[bsdutils]', 'Package[smartmontools]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[starship]', 'Package[ruby-sorted-set]', 'Package[btop]', 'Package[linux-sysctl-defaults]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 'Package[wpasupplicant]', 'Package[atop]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[rasdaemon]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[perccli]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[python3-attr]', 'Package[iucode-tool]', 'Package[freeipmi-tools]', 'Package[freeipmi-ipmiseld]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[prometheus-ipmi-exporter]', 'Package[python3-conftool]', 'Package[prometheus-varnishkafka-exporter]', 'Package[purged]', 'Package[linux-cpupower]', 'Package[geoip-bin]', 'Package[mmdb-bin]', 'Package[libgeoip-dev]', 'Package[libmaxminddb-dev]', 'Package[python3-logstash]', 'Package[socat]', 'Package[haproxy]', 'Package[python3-pystemd]', 'Package[benthos]', 'Package[lua5.4-maxminddb]', 'Package[lua5.4-ciderbloom]', 'Package[wikimedia-lvs-realserver]', 'Package[python3-poolcounter]', 'Package[python3-jsonschema]', 'Package[python3-requests]', 'Package[libvmod-netmapper]', 'Package[libvmod-querysort]', 'Package[libvmod-wmfuniq]', 'Package[varnish]', 'Package[varnish-modules]', 'Package[varnish-re2]', 'Package[libsodium-dev]', 'Package[python3-nacl]', 'Package[tcp-mss-clamper]', 'Package[haproxykafka]', 'Package[ruby-concurrent]', 'Package[ruby]', 'Package[libruby]', 'Package[puppet-agent]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[varnishkafka]', 'Package[confd]', 'Package[python3-toml]', 'Package[mtail]', 'Package[prometheus-varnish-exporter]', 'Package[trafficserver]', 'Package[trafficserver-experimental-plugins]', 'Package[lua-busted]', 'Package[prometheus-trafficserver-exporter]', 'Package[fifo-log-demux]']\n"}, {"resource": "File[/etc/haproxy/haproxy.cfg]", "content": "--- /etc/haproxy/haproxy.cfg.orig\n+++ /etc/haproxy/haproxy.cfg\n@@ -22,6 +22,8 @@\n     lua-load-per-thread /etc/haproxy/lua/ja4h.lua\n     lua-load-per-thread /etc/haproxy/lua/utf8ps.lua\n     lua-load-per-thread /etc/haproxy/lua/contact_info.lua\n+    lua-load-per-thread /etc/haproxy/lua/cidergrinder_mmdb.lua /usr/share/CIDERGRINDER/anonymous-residential.cider.mmdb\n+    lua-load-per-thread /etc/haproxy/lua/cidergrinder_bloom.lua /usr/share/CIDERGRINDER/anonymous-residential.cider.bloom\n \n     ssl-default-bind-options ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.3\n     ssl-default-bind-ciphers -ALL:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256"}, {"resource": "Class[Profile::Apt]", "parameters": "--- Class[Profile::Apt].orig\n+++ Class[Profile::Apt]\n\n@@\n-    before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[bsdutils]', 'Package[smartmontools]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[starship]', 'Package[ruby-sorted-set]', 'Package[btop]', 'Package[linux-sysctl-defaults]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 'Package[wpasupplicant]', 'Package[atop]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[rasdaemon]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[perccli]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[python3-attr]', 'Package[iucode-tool]', 'Package[freeipmi-tools]', 'Package[freeipmi-ipmiseld]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[prometheus-ipmi-exporter]', 'Package[python3-conftool]', 'Package[prometheus-varnishkafka-exporter]', 'Package[purged]', 'Package[linux-cpupower]', 'Package[geoip-bin]', 'Package[mmdb-bin]', 'Package[libgeoip-dev]', 'Package[libmaxminddb-dev]', 'Package[python3-logstash]', 'Package[socat]', 'Package[haproxy]', 'Package[python3-pystemd]', 'Package[benthos]', 'Package[lua5.4-maxminddb]', 'Package[wikimedia-lvs-realserver]', 'Package[python3-poolcounter]', 'Package[python3-jsonschema]', 'Package[python3-requests]', 'Package[libvmod-netmapper]', 'Package[libvmod-querysort]', 'Package[libvmod-wmfuniq]', 'Package[varnish]', 'Package[varnish-modules]', 'Package[varnish-re2]', 'Package[libsodium-dev]', 'Package[python3-nacl]', 'Package[tcp-mss-clamper]', 'Package[haproxykafka]', 'Package[ruby-concurrent]', 'Package[ruby]', 'Package[libruby]', 'Package[puppet-agent]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[varnishkafka]', 'Package[confd]', 'Package[python3-toml]', 'Package[mtail]', 'Package[prometheus-varnish-exporter]', 'Package[trafficserver]', 'Package[trafficserver-experimental-plugins]', 'Package[lua-busted]', 'Package[prometheus-trafficserver-exporter]', 'Package[fifo-log-demux]']\n+    before => ['Package[puppet]', 'Package[facter]', 'Package[augeas-tools]', 'Package[virt-what]', 'Package[puppet-module-puppetlabs-augeas-core]', 'Package[python3-prometheus-client]', 'Package[python3-yaml]', 'Package[ruby-net-ssh]', 'Package[openssl]', 'Package[ssl-cert]', 'Package[ca-certificates]', 'Package[wmf-certificates]', 'Package[ntp]', 'Package[systemd-timesyncd]', 'Package[exim4-config]', 'Package[exim4-daemon-light]', 'Package[logrotate]', 'Package[prometheus-node-exporter]', 'Package[bsdutils]', 'Package[smartmontools]', 'Package[rsyslog]', 'Package[rsyslog-openssl]', 'Package[cadvisor]', 'Package[acct]', 'Package[byobu]', 'Package[colordiff]', 'Package[curl]', 'Package[debian-goodies]', 'Package[ethtool]', 'Package[gdb]', 'Package[gdisk]', 'Package[git]', 'Package[htop]', 'Package[httpry]', 'Package[iotop]', 'Package[iperf]', 'Package[jq]', 'Package[libtemplate-perl]', 'Package[lldpd]', 'Package[lshw]', 'Package[molly-guard]', 'Package[moreutils]', 'Package[net-tools]', 'Package[numactl]', 'Package[ncdu]', 'Package[ngrep]', 'Package[pigz]', 'Package[psmisc]', 'Package[pv]', 'Package[python3]', 'Package[screen]', 'Package[strace]', 'Package[sysstat]', 'Package[tcpdump]', 'Package[tmux]', 'Package[tree]', 'Package[vim]', 'Package[vim-addon-manager]', 'Package[vim-scripts]', 'Package[wipe]', 'Package[xfsprogs]', 'Package[zsh]', 'Package[icdiff]', 'Package[linux-perf]', 'Package[bsd-mailx]', 'Package[ack]', 'Package[netcat-openbsd]', 'Package[tshark]', 'Package[fzf]', 'Package[ripgrep]', 'Package[fd-find]', 'Package[kitty-terminfo]', 'Package[mtr-tiny]', 'Package[bat]', 'Package[efibootmgr]', 'Package[bind9-dnsutils]', 'Package[tzdata]', 'Package[python3-wmflib]', 'Package[starship]', 'Package[ruby-sorted-set]', 'Package[btop]', 'Package[linux-sysctl-defaults]', 'Package[apport]', 'Package[command-not-found]', 'Package[command-not-found-data]', 'Package[ecryptfs-utils]', 'Package[mlocate]', 'Package[os-prober]', 'Package[python3-apport]', 'Package[wpasupplicant]', 'Package[atop]', 'Package[apt-listchanges]', 'Package[isc-dhcp-client]', 'Package[rasdaemon]', 'Package[openssh-client]', 'Package[openssh-server]', 'Package[debdeploy-client]', 'Package[python3-dateutil]', 'Package[sudo]', 'Package[golang-cfssl]', 'Package[debmonitor-client]', 'Package[perccli]', 'Package[nagios-nrpe-server]', 'Package[monitoring-plugins]', 'Package[monitoring-plugins-basic]', 'Package[monitoring-plugins-standard]', 'Package[liburiparser1]', 'Package[python3-attr]', 'Package[iucode-tool]', 'Package[freeipmi-tools]', 'Package[freeipmi-ipmiseld]', 'Package[rsyslog-kafka]', 'Package[emacs-nox]', 'Package[prometheus-ipmi-exporter]', 'Package[python3-conftool]', 'Package[prometheus-varnishkafka-exporter]', 'Package[purged]', 'Package[linux-cpupower]', 'Package[geoip-bin]', 'Package[mmdb-bin]', 'Package[libgeoip-dev]', 'Package[libmaxminddb-dev]', 'Package[python3-logstash]', 'Package[socat]', 'Package[haproxy]', 'Package[python3-pystemd]', 'Package[benthos]', 'Package[lua5.4-maxminddb]', 'Package[lua5.4-ciderbloom]', 'Package[wikimedia-lvs-realserver]', 'Package[python3-poolcounter]', 'Package[python3-jsonschema]', 'Package[python3-requests]', 'Package[libvmod-netmapper]', 'Package[libvmod-querysort]', 'Package[libvmod-wmfuniq]', 'Package[varnish]', 'Package[varnish-modules]', 'Package[varnish-re2]', 'Package[libsodium-dev]', 'Package[python3-nacl]', 'Package[tcp-mss-clamper]', 'Package[haproxykafka]', 'Package[ruby-concurrent]', 'Package[ruby]', 'Package[libruby]', 'Package[puppet-agent]', 'Package[prometheus-rsyslog-exporter]', 'Package[initramfs-tools]', 'Package[python3-click]', 'Package[python3-box]', 'Package[varnishkafka]', 'Package[confd]', 'Package[python3-toml]', 'Package[mtail]', 'Package[prometheus-varnish-exporter]', 'Package[trafficserver]', 'Package[trafficserver-experimental-plugins]', 'Package[lua-busted]', 'Package[prometheus-trafficserver-exporter]', 'Package[fifo-log-demux]']\n"}, {"resource": "File[/etc/confd/templates/_etc_haproxy_conf.d_tls.cfg.tmpl]", "content": "--- /etc/confd/templates/_etc_haproxy_conf.d_tls.cfg.tmpl.orig\n+++ /etc/confd/templates/_etc_haproxy_conf.d_tls.cfg.tmpl\n@@ -181,6 +181,10 @@\n     # Check if the request originates from a known datacenter.\n     http-request lua.is_datacenter\n     http-request set-var(req.provenance) var(req.provenance),add_item(\";\",,\"datacenter=true\") if { var(txn.is_datacenter) -m bool }\n+    http-request lua.cidergrinder_mmdb_lookup unless { var(sess.cidergrinder_mmdb_result) -m found }\n+    http-request set-var(sess.prehashed) src,ipmask(32,64),xxh3 unless { var(sess.cidergrinder_mmdb_result) -m found } || { var(sess.prehashed) -m found }\n+    http-request lua.bloom_lookup unless { var(sess.cidergrinder_mmdb_result) -m bool }\n+    http-request set-var(req.provenance) var(req.provenance),add_item(\";\",,\"likely_resiproxy=true\") if { var(sess.cidergrinder_mmdb_result) -m bool } || { var(sess.bloom_result) -m bool }\n     http-request lua.res_proxy  # sets var txn.res_proxy to `proxy=foo` (or, doesn't)\n     http-request set-var(req.provenance) var(req.provenance),add_item(\";\",txn.res_proxy,\"\") if { var(txn.res_proxy) -m found }\n "}, {"resource": "Class[Profile::Cache::Haproxy]", "parameters": "--- Class[Profile::Cache::Haproxy].orig\n+++ Class[Profile::Cache::Haproxy]\n\n@@\n-    use_cidergrinder => False\n+    use_cidergrinder => True\n"}], "perc_changed": "0.30%"}}}