On Tue, Aug 30, 2011 at 4:04 PM, Baptiste <[email protected]> wrote:
> On Wed, Aug 31, 2011 at 12:37 AM, David Birdsong
> <[email protected]> wrote:
>> On Tue, Jun 14, 2011 at 10:41 PM, Willy Tarreau <[email protected]> wrote:
>>> On Tue, Jun 14, 2011 at 04:43:47PM -0700, John Fieber wrote:
>>>> I want to create an ACL based on X-Forwarded-For:
>>>>
>>>> acl whitelist hdr_ip(X-Forwarded-For) -f whitelist.txt
>>>> block unless whitelist
>>>>
>>>> Which is just grand, EXCEPT I'm only interested in (and trust) the last
>>>> address in the X-Forwarded-For header. The above acl matches any address
>>>> in the header. I've been digging for a good chunk of the day how to do
>>>> that and come up empty handed. Help?
>>>
>>> Since we have not yet reworked the ACLs to rely on the pattern subsystem,
>>> it's still not possible to make use of "hdr_ip(X-f-f,-1)" as we do on the
>>> "balance" or "source" keywords.
>>
>> Could I get clarification on this thread? If a request comes in with
>> XFF looking like:
>> X-Forwarded-For: 8.8.8.8, 10.114.102.96, 174.129.82.0, 10.71.74.198
>>
>> and I have an acl in my frontend
>> acl bad_guys_ip hdr_ip(X-Forwarded-For) -f /etc/haproxy/block_ip.txt
>>
>> will bad_guys_ip be set if block_ip.txt contains:
>> - 8.8.8.8
>> OR
>> - 174.129.82.0
>> OR
>> - both?
>
> any of the IPs in your block_ip.txt file should match.

great, thanks.

>
> cheers
>
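The two matching behaviours discussed in this thread (any address in X-Forwarded-For versus only the last one), modelled in Python as an added example; it is not part of the original messages and not HAProxy code. The function names, the whitelist range and the second header are assumptions constructed for illustration.

```python
import ipaddress

def load_networks(lines):
    """Parse list-file lines (one address or CIDR per line, '#' comments)."""
    nets = []
    for line in lines:
        entry = line.split("#", 1)[0].strip()
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets

def xff_addresses(header_values):
    """Flatten repeated X-Forwarded-For headers into one ordered list.
    Unparseable entries become None so that positions are preserved."""
    out = []
    for value in header_values:
        for token in value.split(","):
            token = token.strip()
            if not token:
                continue
            try:
                out.append(ipaddress.ip_address(token))
            except ValueError:
                out.append(None)
    return out

def in_list(addr, nets):
    return addr is not None and any(addr in net for net in nets)

def match_any(header_values, nets):
    """Behaviour described in the thread: true if any entry is in the list."""
    return any(in_list(a, nets) for a in xff_addresses(header_values))

def match_last(header_values, nets):
    """Test only the final entry; an empty or unparseable one never matches."""
    addrs = xff_addresses(header_values)
    return bool(addrs) and in_list(addrs[-1], nets)

# Header and block list entries from the thread; the rest is constructed.
XFF = ["8.8.8.8, 10.114.102.96, 174.129.82.0, 10.71.74.198"]
BLOCK = load_networks(["8.8.8.8", "174.129.82.0"])
WHITELIST = load_networks(["10.71.74.0/24  # constructed example range"])
# Entries before the last come from upstream hops, including the client itself.
CLIENT_SUPPLIED = ["10.71.74.5, 203.0.113.9"]

if __name__ == "__main__":
    print("block list:", match_any(XFF, BLOCK), match_last(XFF, BLOCK))
    print("whitelist: ", match_any(CLIENT_SUPPLIED, WHITELIST),
          match_last(CLIENT_SUPPLIED, WHITELIST))
```

For a whitelist, the any-entry behaviour accepts a request whose listed address was never appended by a trusted hop, which is why only the last address is trusted in the original question.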

