On Wed, Aug 31, 2011 at 12:37 AM, David Birdsong <[email protected]> wrote:
> On Tue, Jun 14, 2011 at 10:41 PM, Willy Tarreau <[email protected]> wrote:
>> On Tue, Jun 14, 2011 at 04:43:47PM -0700, John Fieber wrote:
>>> I want to create an ACL based on X-Forwarded-For:
>>>
>>> acl whitelist hdr_ip(X-Forwarded-For) -f whitelist.txt
>>> block unless whitelist
>>>
>>> Which is just grand, EXCEPT I'm only interested in (and trust) the last
>>> address in the X-Forwarded-For header. The above acl matches any address
>>> in the header. I've been digging for a good chunk of the day how to do
>>> that and come up empty handed. Help?
>>
>> Since we have not yet reworked the ACLs to rely on the pattern subsystem,
>> it's still not possible to make use of "hdr_ip(X-f-f,-1)" as we do on the
>> "balance" or "source" keywords.
>
> Could I get clarification on this thread? If a request comes in with
> XFF looking like:
> X-Forwarded-For: 8.8.8.8, 10.114.102.96, 174.129.82.0, 10.71.74.198
>
> and I have an acl in my frontend
> acl bad_guys_ip hdr_ip(X-Forwarded-For) -f /etc/haproxy/block_ip.txt
>
> will bad_guys_ip be set if block_ip.txt contains:
> - 8.8.8.8
> OR
> - 174.129.82.0
> OR
> - both?

Any of the IPs in your block_ip.txt file should match. Cheers
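
The difference between the "any address" match confirmed in the reply above and the last-entry-only match asked for at the start of the thread, as an added Python model (not HAProxy code and not part of the original thread). The function names and the list contents are assumptions made for illustration; the header value is the one quoted in the thread.

```python
import ipaddress

def _parse(token):
    """Return an IP object, or None for tokens such as 'unknown'."""
    try:
        return ipaddress.ip_address(token.strip())
    except ValueError:
        return None

def xff_entries(header_values):
    """Flatten one or more X-Forwarded-For lines into parsed entries, in order."""
    return [_parse(t) for v in header_values for t in v.split(",") if t.strip()]

def load_networks(lines):
    """One address or CIDR per line; blank lines and '#' lines are skipped."""
    stripped = (line.strip() for line in lines)
    return [ipaddress.ip_network(s, strict=False)
            for s in stripped if s and not s.startswith("#")]

def _listed(addr, nets):
    return addr is not None and any(addr in n for n in nets)

def match_any(header_values, nets):
    """Behaviour discussed in the thread: any listed address in the header matches."""
    return any(_listed(a, nets) for a in xff_entries(header_values))

def match_last(header_values, nets):
    """Only the final entry counts; an unparsable final entry never matches."""
    entries = xff_entries(header_values)
    return bool(entries) and _listed(entries[-1], nets)

# Header taken from the thread; the list contents below are constructed samples.
XFF = ["8.8.8.8, 10.114.102.96, 174.129.82.0, 10.71.74.198"]

if __name__ == "__main__":
    for sample in (["8.8.8.8"], ["174.129.82.0"], ["10.71.74.198"]):
        nets = load_networks(sample)
        print(sample, "any:", match_any(XFF, nets), "last:", match_last(XFF, nets))
    # Whitelist case: the first entry is whatever the client sent (constructed values).
    allow = load_networks(["192.0.2.0/24"])
    sent = ["192.0.2.10, 203.0.113.7"]
    print("allow any:", match_any(sent, allow), "last:", match_last(sent, allow))
```

With a whitelist, the "any address" semantics accept a request whose listed address appears only in the client-supplied part of the header, which is why the original poster wanted to evaluate the last entry alone.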

