>>>>>> or better: (latest haproxy 1.5): http-request deny if is_stats !is_owner <<<<<<
Awesome, works like a charm. Thanks! On Wed, Mar 13, 2013 at 1:55 PM, Baptiste <[email protected]> wrote: > Hi Jay, > > This may work if /stats is not hosted on same servers as application > servers. > You should better use something like : > block if is_stats !is_owner > > or better: (latest haproxy 1.5): > http-request deny if is_stats !is_owner > > Baptiste > > > On Wed, Mar 13, 2013 at 9:22 PM, Jay Christopherson > <[email protected]> wrote: > > I'm playing with filter access to a specific URI by IP, like listed > below. > > What I want is to have ALL requests for /stats be filtered through a > list of > > IP's. If you aren't on the list, no access is provided. > > > > frontend http > > mode http > > bind *:80 > > acl is_stats url_beg /stats > > acl is_owner_ip 1.2.3.4 5.6.7.0/24 > > use_backend admin if is stats is_owner > > default_backend web > > > > backend admin > > <... servers ...> > > > > backend web > > <... servers ...> > > > > Questions: > > > > 1. Is this going to work like I expect? I'm questioning whether it > would > > be possible for a user to hit "/stats" because I have a default_backend. > It > > seems like there could be a route past that backend filter. Maybe a user > > not in the IP filter requests /stats -- wouldn't that use the > > default_backend then? It seems like it wouldn't match my use_backed > > definition and so would continue on to the default. > > 2. Is there a cleaner way to do this by combining into a single ACL, > > assuming the logic I have here is correct? > > > > Thanks! >
