Hi Ricardo,

Actually, this is how I would do the conf:

  stick-table type ip size 1m store gpc0
  tcp-request content track-sc1 req.hdr_ip(True-Client-IP)
  http-request deny if { sc1_get_gpc0 gt 0 }

Then you can insert new data in the stick table using HAProxy UNIX
socket (which can run over TCP) with:

  set table <table> key <key> data.<data_type> <value>

For example, to block 10.0.0.1:

  set table mybackend key 10.0.0.1 data.gpc0 1

And you're done.

Here is the result when I test it with curl on my laptop:

  $ curl 127.0.0.1:8080 -H "True-Client-IP: 10.0.0.1"
  <html><body><h1>403 Forbidden</h1>
  Request forbidden by administrative rules.
  </body></html>

  $ curl 127.0.0.1:8080
  <html><body><h1>503 Service Unavailable</h1>
  No server is available to handle this request.
  </body></html>

Baptiste

On Thu, May 30, 2013 at 12:50 PM, Ricardo Fraile <rfra...@yahoo.es> wrote:
> Hello,
>
> Ok, I updated the server to the 1.5 version but I have some troubles between
> stick-table and the acl.
>
> Before, I had:
>
> listen host1 *:80
>     ...
>     mode http
>     acl block_invalid_client hdr_sub(True-Client-IP) -f true-client-ip.lst
>     block if block_invalid_client
>     ...
>
> Now, I try to change the file to a stick table:
>
> backend host1
>     ...
>
>     stick-table type ip size 1m store gpc0
>     acl block_invalid_client hdr_ip(True-Client-IP) -- { stick match(host1) }
>     http-request deny if block_invalid_client
>     ...
>
> But it does not work:
>
> error detected while parsing ACL 'block_invalid_client' : '{' is not a
> valid IPv4 or IPv6 address.
> error detected while parsing an 'http-request deny' condition : no such
> ACL : 'block_invalid_client'.
>
>
> Is it possible to match an http header inside an acl to a stick table?
>
> Thanks,
>
>
>
>
> ----- Original message -----
> From: Baptiste <bed...@gmail.com>
> To: Ricardo Fraile <rfra...@yahoo.es>
> CC: "haproxy@formilux.org" <haproxy@formilux.org>
> Sent: Wednesday, 29 May 2013 14:51
> Subject: Re: Block clients based on header in real time?
>
> Hi,
>
> With latest HAProxy version, you could use a stick table and insert
> IPs in the stick table through HAProxy socket.
> Then you can ban all IPs from the stick table.
>
> Baptiste
>
>
> On Wed, May 29, 2013 at 1:05 PM, Ricardo Fraile <rfra...@yahoo.es> wrote:
>> Hello,
>>
>>
>> I'm looking for a solution for blocking users based on a header,
>> x-forwarded-for. I already have an acl for this, but is it possible to
>> update the list of IPs without restarting haproxy?
>>
>>
>> Thanks,
>>
>
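
The "set table" update from the reply at the top of this thread, scripted in Python as an added example that is not part of the original messages. It validates the client address before anything is written to the admin socket; the socket path and the function names are assumptions, and setting gpc0 back to 0 to unblock goes one step beyond what the reply shows.

```python
import ipaddress
import socket

# Assumption: admin socket path from a "stats socket" line; not given in the thread.
HAPROXY_SOCKET = "/var/run/haproxy.sock"


def build_block_command(table: str, client_ip: str, blocked: bool = True) -> str:
    """Build the 'set table' line from the reply for one True-Client-IP value."""
    # The table in the reply is "type ip", which stores IPv4 addresses, so only
    # a single IPv4 literal is accepted. Anything else raises ValueError, which
    # keeps ';' and newlines (command separators on the HAProxy socket) from
    # reaching the admin socket through the key.
    key = ipaddress.IPv4Address(client_ip.strip())
    if not table or not all(c.isalnum() or c in "_-.:" for c in table):
        raise ValueError(f"unexpected table name: {table!r}")
    # gpc0 = 1 matches "sc1_get_gpc0 gt 0" in the reply; 0 stops matching it.
    return f"set table {table} key {key} data.gpc0 {1 if blocked else 0}\n"


def send_command(command: str, sock_path: str = HAPROXY_SOCKET, timeout: float = 2.0) -> str:
    """Send one command to the HAProxy UNIX socket and return its reply."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        sock.connect(sock_path)
        sock.sendall(command.encode("ascii"))
        chunks = []
        # Without the "prompt" command HAProxy answers and closes the connection.
        while chunk := sock.recv(4096):
            chunks.append(chunk)
    return b"".join(chunks).decode("ascii", errors="replace")


if __name__ == "__main__":
    # Constructed sample values: the second one carries a second command.
    for value in ("10.0.0.1", "10.0.0.1; show info"):
        try:
            print(build_block_command("mybackend", value), end="")
        except ValueError as exc:
            print(f"rejected {value!r}: {exc}")
    # To apply it: send_command(build_block_command("mybackend", "10.0.0.1"))
```
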