I continue trying configurations, looking in the list and some blogs, but I 
can't ban IPs from a stick table or I don't know how. The last that I tried:

backend host:80
        stick-table type ip size 1m  store gpc0
        http-request deny if hdr_sub(True-Client-IP) # How do I check here if the True-Client-IP is inside the stick-table?


In the table, I put the IPs by hand; it looks like this:

show table host
# table: back-idealista.es-http, type: ip, size:1048576, used:2
0xcae6c4: key=192.168.1.5 use=0 exp=0 gpc0=1
0xcdac34: key=192.168.1.6 use=0 exp=0 gpc0=1


The most similar is this message in the list: 
http://comments.gmane.org/gmane.comp.web.haproxy/9938 but the problem is that 
there the IP of the client is inside a header.


Thanks,



----- Original message -----
From: Ricardo Fraile <[email protected]>
To: "[email protected]" <[email protected]>
CC: 
Sent: Thursday, 30 May 2013 12:50
Subject: Re: Block clients based on header in real time?

Hello,

   OK, I updated the server to version 1.5 but I have some trouble between the 
stick-table and the acl.

   Before, I had:

listen host1 *:80
    ...
    mode http
    acl block_invalid_client hdr_sub(True-Client-IP) -f true-client-ip.lst
    block if block_invalid_client
    ... 

   Now, I try to change the file to a stick table:

backend host1
    ...

    stick-table type ip size 1m store gpc0
    acl block_invalid_client hdr_ip(True-Client-IP) -- { stick match(host1) }
    http-request deny if block_invalid_client
    ...

    But it does not work:

    error detected while parsing ACL 'block_invalid_client' : '{' is not a 
valid IPv4 or IPv6 address.
    error detected while parsing an 'http-request deny' condition : no such ACL 
: 'block_invalid_client'.


    Is it possible to match an HTTP header inside an acl to a stick table?

Thanks, 




----- Original message -----
From: Baptiste <[email protected]>
To: Ricardo Fraile <[email protected]>
CC: "[email protected]" <[email protected]>
Sent: Wednesday, 29 May 2013 14:51
Subject: Re: Block clients based on header in real time?

Hi,

With latest HAProxy version, you could use a stick table and insert
IPs in the stick table through HAProxy socket.
Then you can ban all IPs from the stick table.

Baptiste


On Wed, May 29, 2013 at 1:05 PM, Ricardo Fraile <[email protected]> wrote:
> Hello,
>
>
>    I'm looking for a solution for blocking users based on a header, 
> x-forwarded-for. I already have an acl for this but is it possible to update the 
> list of IPs without restarting haproxy?
>
>
> Thanks,
>
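
One way to do the lookup this thread asks about, as an added example that is not part of any message above and is not the HAProxy project's own configuration. It assumes a HAProxy version that provides the `table_gpc0` converter; the socket path, the frontend name `fe_http` and the server address are constructed for illustration.

```haproxy
# Added example; names and paths below are assumptions, not from the thread.
global
    # Admin-level socket so table entries can be changed at runtime.
    # Mode 600 keeps it readable and writable by the owner only.
    stats socket /var/run/haproxy.sock mode 600 level admin

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend fe_http
    bind *:80
    default_backend host1

backend host1
    # Holds the banned addresses. Entries are added by hand through the
    # socket with gpc0=1, as in the "show table" output in the thread.
    stick-table type ip size 1m store gpc0

    # Read the address from the True-Client-IP header, look it up in the
    # stick table of backend host1 and return its gpc0 counter.
    # An address that is not in the table yields 0, so it is not blocked.
    acl block_invalid_client req.hdr_ip(True-Client-IP),table_gpc0(host1) gt 0
    http-request deny if block_invalid_client

    # The header is only meaningful when the upstream proxy or CDN sets it;
    # a header sent directly by a client can carry any value.
    server app1 192.0.2.10:8080   # constructed address

# Runtime commands, sent to the socket without a reload:
#   ban:    echo "set table host1 key 192.168.1.5 data.gpc0 1" | socat stdio /var/run/haproxy.sock
#   unban:  echo "clear table host1 key 192.168.1.5"           | socat stdio /var/run/haproxy.sock
#   check:  echo "show table host1"                            | socat stdio /var/run/haproxy.sock
```

Because the table has no `expire` setting, entries stay until they are cleared or the process restarts.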

