On Mon, Nov 05, 2012 at 01:52:26AM +0800, Igor wrote:
> Thanks for the explanation, so can you give me a conf example for
> doing this? Define a stick-table for storing IPs from UNIX socket
> inject, but how to use these IPs for whitelist?
not tested, but probably something like the following would do it:
    frontend filter
        bind :80
        tcp-request connection reject if { src_get_gpc0(whitelist) gt 0 }
        ...

    backend whitelist
        stick-table type ip size 1m store gpc0
So the frontend "filter" checks for the presence of a non-zero value for the
key corresponding to the source IP address in table "whitelist" (which must
be declared in a backend). The table stores up to 1 million keys of type "ip"
(IPv4) and for each store a variable "gpc0" which is a general purpose counter
that you can use for anything.
To feed/remove entries, you have to connect to the stats socket using socat:

    echo "set table whitelist key 192.168.0.1 data.gpc0 1" | socat stdio /var/run/haproxy.sock

and either:

    echo "set table whitelist key 192.168.0.1 data.gpc0 0" | socat stdio /var/run/haproxy.sock

or:

    echo "clear table whitelist key 192.168.0.1" | socat stdio /var/run/haproxy.sock

to remove them.
Using peers, you can even sync the tables between multiple haproxies and
ensure that they're preserved across reloads.
Regards,
Willy
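As an added example (not part of Willy's message), a small Python client that builds the "set table" / "clear table" commands above, rejects keys that do not fit a "type ip" (IPv4) table before they reach the socket, and sends one command per connection to the stats socket; the socket path and table name are assumptions taken from the message.

```python
import ipaddress
import socket

# Constructed example: manage whitelist entries in an HAProxy stick-table
# of "type ip" over the stats socket. Path and table name are assumptions.
SOCK_PATH = "/var/run/haproxy.sock"
TABLE = "whitelist"


def _ipv4_key(ip):
    # "type ip" tables hold IPv4 keys only; refuse anything else early
    # rather than letting a malformed key be sent to the socket.
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("table type ip takes IPv4 keys only: %s" % ip)
    return str(addr)


def whitelist_add_cmd(ip, table=TABLE):
    # Mark the source as whitelisted by setting its gpc0 to 1.
    return "set table %s key %s data.gpc0 1" % (table, _ipv4_key(ip))


def whitelist_remove_cmd(ip, table=TABLE, drop_entry=True):
    # Either drop the entry entirely or just zero its counter.
    key = _ipv4_key(ip)
    if drop_entry:
        return "clear table %s key %s" % (table, key)
    return "set table %s key %s data.gpc0 0" % (table, key)


def send_command(cmd, sock_path=SOCK_PATH, timeout=2.0):
    # One newline-terminated command per connection; HAProxy answers and
    # closes, so read until EOF and return the raw reply text.
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(sock_path)
        s.sendall((cmd + "\n").encode())
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode(errors="replace")


if __name__ == "__main__":
    print(send_command(whitelist_add_cmd("192.168.0.1")))
```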