Hi Ricardo,
Actually, this is how I would do the conf:
stick-table type ip size 1m store gpc0
tcp-request content track-sc1 req.hdr_ip(True-Client-IP)
http-request deny if { sc1_get_gpc0 gt 0 }
Then you can insert new data in the stick table using the HAProxy UNIX
socket (which can also run over TCP) with:
set table <table> key <key> data.<data_type> <value>
For example, to block 10.0.0.1:
set table mybackend key 10.0.0.1 data.gpc0 1
And you're done.
Here is the result when I test it with curl on my laptop:
$ curl 127.0.0.1:8080 -H "True-Client-IP: 10.0.0.1"
<html><body><h1>403 Forbidden</h1>
Request forbidden by administrative rules.
</body></html>
$ curl 127.0.0.1:8080
<html><body><h1>503 Service Unavailable</h1>
No server is available to handle this request.
</body></html>
Baptiste
On Thu, May 30, 2013 at 12:50 PM, Ricardo Fraile <[email protected]> wrote:
> Hello,
>
> OK, I updated the server to the 1.5 version but I have some troubles between
> the stick-table and the ACL.
>
> Before, I had:
>
> listen host1 *:80
> ...
> mode http
> acl block_invalid_client hdr_sub(True-Client-IP) -f true-client-ip.lst
> block if block_invalid_client
> ...
>
> Now, I try to change the file to a stick table:
>
> backend host1
> ...
>
> stick-table type ip size 1m store gpc0
> acl block_invalid_client hdr_ip(True-Client-IP) -- { stick match(host1) }
> http-request deny if block_invalid_client
> ...
>
> But it does not work:
>
> error detected while parsing ACL 'block_invalid_client' : '{' is not a
> valid IPv4 or IPv6 address.
> error detected while parsing an 'http-request deny' condition : no such
> ACL : 'block_invalid_client'.
>
>
> Is it possible to match an HTTP header inside an ACL against a stick table?
>
> Thanks,
>
>
>
>
> ----- Original Message -----
> From: Baptiste <[email protected]>
> To: Ricardo Fraile <[email protected]>
> CC: "[email protected]" <[email protected]>
> Sent: Wednesday, May 29, 2013 14:51
> Subject: Re: Block clients based on header in real time?
>
> Hi,
>
> With latest HAProxy version, you could use a stick table and insert
> IPs in the stick table through HAProxy socket.
> Then you can ban all IPs from the stick table.
>
> Baptiste
>
>
> On Wed, May 29, 2013 at 1:05 PM, Ricardo Fraile <[email protected]> wrote:
>> Hello,
>>
>>
>> I'm looking for a solution for blocking users based on a header,
>> x-forwarded-for. I already have an ACL for this, but is it possible to update the
>> list of IPs without restarting HAProxy?
>>
>>
>> Thanks,
>>
>
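The runtime-socket side of Baptiste's answer, as an added example that is not code from the thread or from HAProxy: a small client that issues the `set table` / `clr table` / `show table` commands over the stats socket. It assumes the backend and table are named `host1` as in Ricardo's config (the thread's own example uses `mybackend`), that `global` carries `stats socket /var/run/haproxy.sock level admin` (`level admin` is needed for `set table`; the path is an assumption), and that the deny rule is `http-request deny if { sc1_get_gpc0 gt 0 }`. The sample `show table` output is constructed for the test, in the `key=... gpc0=...` layout HAProxy prints.

```python
#!/usr/bin/env python3
"""Block / unblock client IPs in an HAProxy stick table via the runtime socket.

Added example, not part of the mailing-list thread. Assumptions:
  * backend "host1" has `stick-table type ip size 1m store gpc0` and
    `http-request deny if { sc1_get_gpc0 gt 0 }` (from the thread);
  * `stats socket /var/run/haproxy.sock level admin` is configured
    (path assumed; `level admin` is required for `set table`).
"""
import ipaddress
import socket
import sys

SOCKET_PATH = "/var/run/haproxy.sock"  # assumed location of the stats socket
TABLE = "host1"                        # assumed table name (= backend name)


def _clean_ip(ip: str) -> str:
    """Normalise the key and refuse anything that is not a bare IP address.

    The runtime socket parses one command per line, so a key such as
    "10.0.0.1 data.gpc0 0" or "10.0.0.1\\nshow info" must never reach it.
    ipaddress.ip_address() raises ValueError for both.
    """
    return str(ipaddress.ip_address(ip.strip()))


def is_valid_key(ip: str) -> bool:
    """True if `ip` is a single IPv4/IPv6 address usable as a stick-table key."""
    try:
        _clean_ip(ip)
        return True
    except ValueError:
        return False


def block_command(ip: str, table: str = TABLE) -> str:
    """`set table` line that sets gpc0=1, which the deny rule matches."""
    return f"set table {table} key {_clean_ip(ip)} data.gpc0 1"


def unblock_command(ip: str, table: str = TABLE) -> str:
    """`clr table` removes the entry, so sc1_get_gpc0 reads 0 again."""
    return f"clr table {table} key {_clean_ip(ip)}"


def show_command(table: str = TABLE) -> str:
    return f"show table {table}"


def send(command: str, path: str = SOCKET_PATH, timeout: float = 2.0) -> str:
    """Send one command over the UNIX socket and return HAProxy's reply."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        sock.connect(path)
        sock.sendall((command + "\n").encode())
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode(errors="replace")


def parse_blocked(show_output: str) -> set:
    """Return the keys whose gpc0 is above 0 in `show table` output.

    Entry lines look like:  0x7f...: key=10.0.0.1 use=0 exp=0 gpc0=1
    The "# table: ..." header carries no "key=" field and is skipped.
    """
    blocked = set()
    for line in show_output.splitlines():
        fields = dict(f.split("=", 1) for f in line.split() if "=" in f)
        if "key" in fields and int(fields.get("gpc0", "0")) > 0:
            blocked.add(fields["key"])
    return blocked


# Constructed sample of `show table host1` output, used for offline checks.
SAMPLE_SHOW = """# table: host1, type: ip, size:1048576, used:2
0x7f3a1c0012a0: key=10.0.0.1 use=0 exp=0 gpc0=1
0x7f3a1c0012f0: key=203.0.113.7 use=0 exp=0 gpc0=0
"""


if __name__ == "__main__":
    # Usage: block <ip> | unblock <ip> | list
    action = sys.argv[1] if len(sys.argv) > 1 else "list"
    if action == "block":
        print(send(block_command(sys.argv[2])))
    elif action == "unblock":
        print(send(unblock_command(sys.argv[2])))
    else:
        print(sorted(parse_blocked(send(show_command()))))
```

Two caveats a practitioner should keep in mind with this setup. First, Baptiste's own curl test shows that `True-Client-IP` is supplied by the client, so the deny rule is only as trustworthy as the edge that sets the header; if requests can reach HAProxy without passing through that edge, the header must be stripped or replaced there. Second, entries pushed with `set table` live in memory only: a reload or restart empties the table, so the blocklist has to be re-applied (or kept elsewhere and replayed) after every restart.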