Dear David,

On 24-04-2012 01:31, David Birdsong wrote:
On Mon, Apr 23, 2012 at 2:48 PM, Kevin Heatwole <ke...@heatwoles.us> wrote:
You might want to block the IPs before they get into haproxy.
Maybe put an nginx reverse proxy in front of haproxy?
I use nginx to dynamically block/allow HTTP requests by IP.
Another possibility, if you just need to block a list of IPs would be to
use a firewall/iptables in front of haproxy to do the blocking.

 - nginx is already in front of haproxy, but nginx is not the first
listener, so it sees the IP addresses as HTTP headers too. The last
time I checked, nginx only blocks IP addresses from layer 4
connections. Any other blocking would require nginx to compare the IP
addresses as strings or regexes, which I want to avoid doing on every
single request. If the list grows long, every request suffers. IP
comparison on long lists of IPs is one area where haproxy is the
clear winner.

Depending on the list size, maybe you can use the map module from nginx.

http://nginx.org/en/docs/http/ngx_http_map_module.html

The map module can also handle regex matches.

For example:
http://serverfault.com/questions/316541/check-several-user-agent-in-nginx
http://www.ruby-forum.com/topic/2440219
http://redant.com.au/blog/manage-ssl-redirection-in-nginx-using-maps-and-save-the-universe/

- iptables won't work either, iptables works on TCP/IP not HTTP

Depending on your iptables setup, maybe you can use the string matching module.

http://spamcleaner.org/en/misc/w00tw00t.html

I'd like to keep IP blocking in haproxy.

ok

BR
Aleks
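For readers who want to see what the map-module approach suggested above could look like when nginx sits behind another listener and only sees the client IP in a header, here is an added configuration sketch; it is not from the thread or from the nginx documentation, and the trusted front-listener address, the listed IPs, the header name and the ports are constructed assumptions:

```nginx
# Added example (not from the thread): flag client IPs with
# ngx_http_map_module when nginx is not the first listener and the
# client IP arrives in an HTTP header.
http {
    # Restore the client address from X-Forwarded-For, but only trust
    # the header when the connection comes from the front listener
    # (address assumed); otherwise any client could spoof it.
    set_real_ip_from  10.0.0.1;
    real_ip_header    X-Forwarded-For;
    real_ip_recursive on;

    # Exact entries are looked up in a hash, so a long list stays cheap.
    # The regex entry is tested in order on every request and costs more,
    # which is the per-request comparison David wanted to avoid.
    map $remote_addr $blocked_ip {
        default          0;
        192.0.2.10       1;   # constructed sample address
        198.51.100.7     1;   # constructed sample address
        ~^203\.0\.113\.  1;   # regex: whole /24, matched as a string
    }

    server {
        listen 8080;

        location / {
            # Reject flagged clients before they ever reach haproxy.
            if ($blocked_ip) {
                return 403;
            }
            proxy_pass http://127.0.0.1:8081;   # haproxy behind nginx (assumed port)
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
}
```

If the header is not set by a trusted hop, drop the realip lines and map on the raw `$remote_addr` instead, since a client-supplied header is not a reliable basis for a block list.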
