Fantastic! With this conf, now I can update the list with a simple:

# echo "set table name-of-the-table key 10.0.0.1 data.gpc0 1" | socat stdio /var/run/haproxy.sock

And with a curl:

$ curl -I 127.0.0.1:80 -H "True-Client-IP: 10.0.0.1"
HTTP/1.0 403 Forbidden
Cache-Control: no-cache
Connection: close
Content-Type: text/html

But one question more: if I need to block a subnet, how can I do it? I tried to store:

echo "set table name-of-the-table key 10.0.0.0/8 data.gpc0 1" | socat stdio /var/run/haproxy.sock

but it does not work, and the same with only "10." in the place of "10.0.0.0/8", but nothing.

Thanks,

________________________________
From: Baptiste <[email protected]>
To: Ricardo Fraile <[email protected]>
CC: "[email protected]" <[email protected]>
Sent: Saturday, 8 June 2013 8:40
Subject: Re: Block clients based on header in real time?

Hi Ricardo,

Actually, this is how I would do the conf:

stick-table type ip size 1m store gpc0
tcp-request content track-sc1 req.hdr_ip(True-Client-IP)
http-request deny if { sc1_get_gpc0 gt 0 }

Then you can insert new data in the stick table using the HAProxy UNIX socket (which can run over TCP) with:

set table <table> key <key> data.<data_type> <value>

For example, to block 10.0.0.1:

set table mybackend key 1.0.0.1 data.gpc0 1

And you're done.

Here is the result when I test it with curl on my laptop:

$ curl 127.0.0.1:8080 -H "True-Client-IP: 10.0.0.1"
<html><body><h1>403 Forbidden</h1>
Request forbidden by administrative rules.
</body></html>

$ curl 127.0.0.1:8080
<html><body><h1>503 Service Unavailable</h1>
No server is available to handle this request.
</body></html>

Baptiste

On Thu, May 30, 2013 at 12:50 PM, Ricardo Fraile <[email protected]> wrote:
> Hello,
>
> Ok, I updated the server to the 1.5 version but I have some troubles between
> stick-table and the acl.
>
> Before, I had:
>
> listen host1 *:80
> ...
> mode http
> acl block_invalid_client hdr_sub(True-Client-IP) -f true-client-ip.lst
> block if block_invalid_client
> ...
>
> Now, I try to change the file to a stick table:
>
> backend host1
> ...
> stick-table type ip size 1m store gpc0
> acl block_invalid_client hdr_ip(True-Client-IP) -- { stick match(host1) }
> http-request deny if block_invalid_client
> ...
>
> But it does not work:
>
> error detected while parsing ACL 'block_invalid_client' : '{' is not a
> valid IPv4 or IPv6 address.
> error detected while parsing an 'http-request deny' condition : no such
> ACL : 'block_invalid_client'.
>
> Is it possible to match an http header inside an acl to a stick table?
>
> Thanks,
>
> ----- Original message -----
> From: Baptiste <[email protected]>
> To: Ricardo Fraile <[email protected]>
> CC: "[email protected]" <[email protected]>
> Sent: Wednesday, 29 May 2013 14:51
> Subject: Re: Block clients based on header in real time?
>
> Hi,
>
> With the latest HAProxy version, you could use a stick table and insert
> IPs in the stick table through the HAProxy socket.
> Then you can ban all IPs from the stick table.
>
> Baptiste
>
> On Wed, May 29, 2013 at 1:05 PM, Ricardo Fraile <[email protected]> wrote:
>> Hello,
>>
>> I'm looking for a solution for blocking users based on a header,
>> x-forwarded-for. I already have an acl for this, but is it possible to update the
>> list of IPs without restarting haproxy?
>>
>> Thanks,
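The thread drives the stick table by piping one `set table` line per address into socat. The following is an added example, not code from the thread or from HAProxy, that wraps the same admin-socket command in a small Python client: it builds the `set table <table> key <ip> data.gpc0 <value>` line, validates the key with `ipaddress` before anything is sent, and talks to the UNIX socket one command per connection, the way the socat one-liners above do. Because the table is declared `type ip`, a prefix such as 10.0.0.0/8 is refused up front rather than sent, which is the failure Ricardo reports; the example does not claim to answer the subnet question. The socket path and table name are the thread's; the function names and the injectable `sender` used for offline testing are assumptions of this example.

```python
import ipaddress
import socket

# Values taken from the thread; adjust to the real deployment.
SOCKET_PATH = "/var/run/haproxy.sock"
TABLE = "name-of-the-table"


def build_block_command(table, key, counter="gpc0", value=1):
    """Return the admin-socket line that sets a client's gpc0 counter.

    The stick table in the thread is 'type ip', so the key must be one
    IPv4/IPv6 address. A CIDR prefix is rejected here instead of being sent,
    because the table key parser does not accept it (see the thread).
    """
    if "/" in key:
        raise ValueError(
            f"stick-table type ip takes single addresses, not prefixes: {key}"
        )
    addr = ipaddress.ip_address(key)  # ValueError on anything that is not an IP
    return f"set table {table} key {addr} data.{counter} {value}\n"


def build_unblock_command(table, key, counter="gpc0"):
    """Reset the counter to 0 so the 'http-request deny if { sc1_get_gpc0 gt 0 }' rule no longer matches."""
    return build_block_command(table, key, counter=counter, value=0)


def _send_over_unix_socket(line, socket_path=SOCKET_PATH):
    """Send one command line to the HAProxy admin socket and return its reply text."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.connect(socket_path)
        sock.sendall(line.encode())
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode(errors="replace")


def block_clients(addresses, table=TABLE, sender=None):
    """Validate each address, then push one 'set table' command per address.

    One connection per command mirrors the socat usage in the thread. 'sender'
    is an injection point (assumed, for this example) so the function can be
    exercised without a running HAProxy.
    """
    if sender is None:
        sender = _send_over_unix_socket
    # Build every command first so a single bad key aborts before any change is made.
    commands = [build_block_command(table, addr) for addr in addresses]
    return [sender(cmd) for cmd in commands]
```

Building all commands before sending any means a typo or a stray prefix in the list leaves the table untouched instead of half-updated; a practitioner can confirm what actually landed with `show table <table>` on the same socket.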

