Hi Jay,

This may work if /stats is not hosted on the same servers as the application servers.
You would do better to use something like:
block if is_stats !is_owner

or better (latest haproxy 1.5):
http-request deny if is_stats !is_owner

Baptiste


On Wed, Mar 13, 2013 at 9:22 PM, Jay Christopherson
<[email protected]> wrote:
> I'm playing with filtering access to a specific URI by IP, as listed below.
> What I want is to have ALL requests for /stats be filtered through a list of
> IPs.  If you aren't on the list, no access is provided.
>
> frontend http
>   mode http
>   bind *:80
>   acl is_stats url_beg /stats
>   acl is_owner src 1.2.3.4 5.6.7.0/24
>   use_backend admin if is_stats is_owner
>   default_backend web
>
> backend admin
>   <... servers ...>
>
> backend web
>   <... servers ...>
>
> Questions:
>
> 1.  Is this going to work like I expect?  I'm questioning whether it would
> be possible for a user to hit "/stats" because I have a default_backend.  It
> seems like there could be a route past that backend filter.  Maybe a user
> not in the IP filter requests /stats -- wouldn't that use the
> default_backend then?  It seems like it wouldn't match my use_backend
> definition and so would continue on to the default.
> 2.  Is there a cleaner way to do this by combining into a single ACL,
> assuming the logic I have here is correct?
>
> Thanks!
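
A simplified model of the rule evaluation discussed in this thread, added here as an example (it is not code from either poster and not HAProxy's own logic). It shows why a `use_backend ... if` condition alone does not restrict /stats, and what the `http-request deny` rule changes. The function names and the sample client addresses are hypothetical; the ACL values are the ones from the quoted configuration, with the owner ACL assumed to match on source address.

```python
import ipaddress

# Owner networks from the quoted config (acl is_owner src 1.2.3.4 5.6.7.0/24).
OWNER_NETS = [ipaddress.ip_network(n) for n in ("1.2.3.4/32", "5.6.7.0/24")]


def is_stats(url):
    # Models: acl is_stats url_beg /stats
    return url.startswith("/stats")


def is_owner(src):
    # Models a source-address ACL over OWNER_NETS.
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in OWNER_NETS)


def route_original(src, url):
    # Models: use_backend admin if is_stats is_owner / default_backend web
    if is_stats(url) and is_owner(src):
        return "backend:admin"
    # No use_backend rule matched, so the request is NOT rejected:
    # it falls through to the default backend.
    return "backend:web"


def route_with_deny(src, url):
    # Models: http-request deny if is_stats !is_owner
    # evaluated before any backend is selected.
    if is_stats(url) and not is_owner(src):
        return "deny:403"
    return route_original(src, url)


def compare(requests):
    # Returns (src, url, original decision, decision with deny rule).
    return [(s, u, route_original(s, u), route_with_deny(s, u)) for s, u in requests]


# Constructed sample requests (addresses outside the ACL are made up).
SAMPLE = [
    ("1.2.3.4", "/stats"),
    ("5.6.7.200", "/stats/detail"),
    ("9.9.9.9", "/stats"),
    ("9.9.9.9", "/index.html"),
]

if __name__ == "__main__":
    for row in compare(SAMPLE):
        print("%-10s %-14s original=%-14s with_deny=%s" % row)
```

Whether the fall-through is exploitable depends on whether the `web` servers also answer /stats, which is the condition the reply states.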
