On Tue, Jun 14, 2011 at 10:41 PM, Willy Tarreau <[email protected]> wrote:
> On Tue, Jun 14, 2011 at 04:43:47PM -0700, John Fieber wrote:
>> I want to create an ACL based on X-Forwarded-For:
>>
>> acl whitelist hdr_ip(X-Forwarded-For) -f whitelist.txt
>> block unless whitelist
>>
>> Which is just grand, EXCEPT I'm only interested in (and trust) the last
>> address in the X-Forwarded-For header. The above acl matches any address in
>> the header. I've been digging for a good chunk of the day how to do that
>> and come up empty handed. Help?
>
> Since we have not yet reworked the ACLs to rely on the pattern subsystem,
> it's still not possible to make use of "hdr_ip(X-f-f,-1)" as we do on the
> "balance" or "source" keywords.
Could I get clarification on this thread? If a request comes in with XFF looking like:

X-Forwarded-For: 8.8.8.8, 10.114.102.96, 174.129.82.0, 10.71.74.198

and I have an acl in my frontend

acl bad_guys_ip hdr_ip(X-Forwarded-For) -f /etc/haproxy/block_ip.txt

will bad_guys_ip be set if block_ip.txt contains:
- 8.8.8.8 OR
- 174.129.82.0 OR
- both?

> One thing you could do, despite not being very good, is to remove all
> occurrences of values in the header. Basically, remove everything from
> the first char to the last comma :
>
> reqirep ^(X-Forwarded-For:\ ).*,([^,]*) \1\2
>
> Then your ACL could match based on what is left in this header.
>
> Regards,
> Willy
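As an added illustration (not code from this thread or from HAProxy), the Python below applies Willy's reqirep regex to the header from the question and models the two ACL semantics under discussion: a plain hdr_ip match, which tests every address in the header, and the same match after the rewrite, which only sees the last address. The hdr_ip model (comma splitting, skipping non-IP tokens) is an assumption for illustration, not HAProxy's parser.

```python
import ipaddress
import re

# Willy's reqirep rule from the thread: drop everything between the header
# name and the last comma, keeping only the final X-Forwarded-For value.
# reqirep matches case-insensitively, hence re.IGNORECASE.
XFF_LAST_ONLY = re.compile(r"^(X-Forwarded-For:\ ).*,([^,]*)", re.IGNORECASE)


def keep_last_xff(header_line: str) -> str:
    """Apply the reqirep rewrite to one raw header line (no-op without a comma)."""
    return XFF_LAST_ONLY.sub(r"\1\2", header_line)


def xff_addresses(header_line: str):
    """Split the header value on commas and parse each token as an IP address.

    Modelling assumption: tokens that are not IP literals (e.g. "unknown")
    are skipped rather than failing the whole header.
    """
    _, _, value = header_line.partition(":")
    addrs = []
    for item in value.split(","):
        item = item.strip()
        try:
            addrs.append(ipaddress.ip_address(item))
        except ValueError:
            continue  # empty or non-IP token: ignored by this model
    return addrs


def matches_any(header_line: str, block_list) -> bool:
    """Model of `hdr_ip(X-Forwarded-For) -f file`: true if ANY value is listed."""
    blocked = {ipaddress.ip_address(ip) for ip in block_list}
    return any(addr in blocked for addr in xff_addresses(header_line))


def matches_last_only(header_line: str, block_list) -> bool:
    """The same ACL evaluated after the reqirep rewrite: only the last value counts."""
    return matches_any(keep_last_xff(header_line), block_list)


if __name__ == "__main__":
    # Constructed sample: the header and block-list entries from the question.
    hdr = "X-Forwarded-For: 8.8.8.8, 10.114.102.96, 174.129.82.0, 10.71.74.198"
    print(keep_last_xff(hdr))
    for ip in ("8.8.8.8", "174.129.82.0", "10.71.74.198"):
        print(ip, "any:", matches_any(hdr, {ip}), "last:", matches_last_only(hdr, {ip}))
```

Only the rightmost address was appended by a proxy you control, so the "any" semantics lets an earlier, client-supplied value decide the ACL, which is why the rewrite (or a last-value lookup once available) is the safer basis for a block or whitelist.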

