Add "location" match type for resource-level geoblocking

[az18]

Description

Currently, Pangolin allows rules with match type "ip" for resources. I'd like to propose adding a new match type called "location" that would check if an IP address corresponds to a specific geographical location (country/region), with the standard allow/deny logic we already have in place.

Why is this needed?

This feature would enable granular control over which countries can access specific resources within a Pangolin instance. While the community guide already provides a method for geoblocking at the instance level via Traefik (https://docs.fossorial.io/Community%20Guides/geoblock), implementing this at the resource level would give administrators more fine-grained control.

Implementation details

• New match type "location" for resource rules
• Would use standard IP geolocation techniques to determine user location
• Uses the same allow/deny logic as current IP rules
• Could leverage existing geolocation databases to map IP addresses to countries

Benefits

• Resource-by-resource control of country/regional access
• More flexible security policies
• Better control over content distribution based on geographical constraints

Would this be a valuable addition to Pangolin? I'm happy to provide more details if needed.

Example:

[th3cube]

In addition to the original feature request, it would be fantastic to extend this with support for blocking or allowing traffic based on BGP Autonomous System Numbers (ASNs). This could work similarly to how OPNsense implements it in their alias system, where you can map AS numbers to the networks they're responsible for and use them in firewall rules (see OPNsense BGP ASN docs). Cloudflare also offers ASN-based filtering in their firewall rules for similar purposes.

For context, an ASN is a unique identifier for a group of IP networks operated by an organization (more details on Wikipedia). This feature would allow users to create rules like "block all traffic from AS13335 (Cloudflare)" or "allow from AS8075 (Microsoft)", providing more granular control over traffic from specific providers or entities without manually maintaining IP lists.

This would be a powerful addition for security and traffic management, especially in setups dealing with dynamic IP ranges.

[oschwartz10612]

Tracking in #1187. Hope to do something soon.