Hello,
After some time, I return to this situation.
I am trying to implement a whitelist and blacklist in this stick table. One solution is
based on storing the IPs and playing with setting data.gpc0 to 1 or 0; OK, it works,
but the problem now is with networks.
The first issue is with the stick-table: this table is for storing IPs, not a
subnet or a piece of it. For this reason, the first thing is to change "type
ip" to "type string".
Now, the only workaround to match a subnet is storing it in a format like this,
matching an 8/16/24 mask:
60.40.0
32.11
44
Well, now I can store what I want:
# table: name-of-back1, type: string, size:1048576, used:2
0x21559c4: key=10.0.0 use=0 exp=0 gpc0=1
0x2155a94: key=10.0.0.1 use=0 exp=0 gpc0=0
In this example, I want to deny the whole 10.0.0.0/24 network except for the host
10.0.0.1. But the problem now is matching this situation with this code:
tcp-request content track-sc1 req.hdr(True-Client-IP,1)
http-request deny if { sc1_get_gpc0 gt 0 }
This only works if the exact content is matched in the True-Client-IP header, which
is impossible in the case of networks.
I found "hdr_beg" in the doc, but it is under the "ACL Derivatives" heading, and
I couldn't get a valid working configuration with it in my tests.
Is it possible to do that, match the first characters of the tracked header?
Any example conf with hdr_beg running in a tcp-request line?
Thanks,
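The policy this message describes (deny 10.0.0.0/24 but allow the host 10.0.0.1, plus the 8/16/24 prefixes stored as "60.40.0", "32.11" and "44"), as an added example that is not code from the thread or from HAProxy: it keeps the same keys and gpc0 values in a plain Python dict, matches them as CIDR networks where the most specific entry wins, and puts the hdr_beg-style string-prefix matching next to it to show where that approach breaks. The table contents, the apply_set_table helper that mimics the "set table ... data.gpc0" socket command from the replies further down, and all other names are constructed for illustration; only the standard-library ipaddress module is used.

```python
import ipaddress

# Constructed sample table standing in for the stick-table dump in the post:
# key -> gpc0, where 1 = deny and 0 = explicit allow. The keys are CIDR
# prefixes instead of the truncated dotted strings ("10.0.0", "32.11", "44").
SAMPLE_TABLE = {
    "10.0.0.0/24": 1,   # deny the whole /24 ...
    "10.0.0.1/32": 0,   # ... except this one host
    "60.40.0.0/24": 1,  # "60.40.0" from the post, as a /24
    "32.11.0.0/16": 1,  # "32.11" from the post, as a /16
    "44.0.0.0/8": 1,    # "44" from the post, as a /8
}


def parse_entries(table):
    """Turn {cidr: gpc0} into a list of (network, gpc0) pairs.
    strict=True rejects keys with host bits set (e.g. 10.0.0.1/24),
    a typo that would otherwise silently match the wrong range."""
    return [(ipaddress.ip_network(k, strict=True), v) for k, v in table.items()]


def lookup_gpc0(addr, entries):
    """Longest-prefix match, like a routing table: the most specific entry
    covering addr wins, so a /32 allow overrides a /24 deny.
    Returns None when nothing covers addr or addr is not a valid IP."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return None
    best = None
    for net, gpc0 in entries:
        if net.version == ip.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, gpc0)
    return None if best is None else best[1]


def should_deny(addr, entries):
    """Python equivalent of 'http-request deny if { sc1_get_gpc0 gt 0 }'."""
    gpc0 = lookup_gpc0(addr, entries)
    return gpc0 is not None and gpc0 > 0


def apply_set_table(table, line):
    """Apply one 'set table <name> key <key> data.gpc0 <value>' line (the
    command the thread feeds to the admin socket) to the in-memory dict.
    Hypothetical helper: it simulates the policy, not HAProxy's parser."""
    parts = line.split()
    if (len(parts) != 7 or parts[:2] != ["set", "table"]
            or parts[3] != "key" or parts[5] != "data.gpc0"):
        raise ValueError("unsupported command: " + line)
    ipaddress.ip_network(parts[4], strict=True)  # validate before storing
    table[parts[4]] = int(parts[6])
    return table


def string_prefix_deny(addr, prefixes):
    """The hdr_beg-style approach the post asks about: deny when the raw
    header string starts with any stored prefix. Kept to show its pitfalls."""
    return any(addr.startswith(p) for p in prefixes)


if __name__ == "__main__":
    entries = parse_entries(SAMPLE_TABLE)
    for a in ("10.0.0.5", "10.0.0.1", "10.0.1.5", "60.40.0.9", "44.1.2.3", "bogus"):
        print(a, "deny" if should_deny(a, entries) else "allow")
    # Pitfalls of matching on the string: "10.1" was meant as 10.1.0.0/16 but
    # also catches 10.10.x.x; "10.0.0" catches the very host you want to exempt.
    print(string_prefix_deny("10.10.0.1", ["10.1"]))
    print(string_prefix_deny("10.0.0.1", ["10.0.0"]))
```

A /32 allow beats a /24 deny because the most specific entry wins, which is the part a string table cannot express: the prefix "10.0.0" also matches the host 10.0.0.1 you wanted to exempt, and "10.1" matches 10.10.x.x and 10.100.x.x as well as 10.1.x.x. Whatever the matching logic, True-Client-IP only identifies the client when it is set by a trusted upstream proxy; a client connecting directly can put any value in it.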
________________________________
From: Ricardo Fraile <[email protected]>
To: Baptiste <[email protected]>
CC: "[email protected]" <[email protected]>
Sent: Wednesday, 12 June 2013 11:03
Subject: Re: Block clients based on header in real time?
Fantastic!
With this conf, now I can update the list with a simple:
# echo "set table name-of-the-table key 10.0.0.1 data.gpc0 1" | socat stdio /var/run/haproxy.sock
And with a curl:
$ curl -I 127.0.0.1:80 -H "True-Client-IP: 10.0.0.1"
HTTP/1.0 403 Forbidden
Cache-Control: no-cache
Connection: close
Content-Type: text/html
But one more question: if I need to block a subnet, how can I do it? I tried to
store:
echo "set table name-of-the-table key 10.0.0.0/8 data.gpc0 1" | socat stdio /var/run/haproxy.sock
but it doesn't work, and the same with only "10." in place of "10.0.0.0/8",
but nothing.
Thanks,
________________________________
From: Baptiste <[email protected]>
To: Ricardo Fraile <[email protected]>
CC: "[email protected]" <[email protected]>
Sent: Saturday, 8 June 2013 8:40
Subject: Re: Block clients based on header in real time?
Hi Ricardo,
Actually, this is how I would do the conf:
stick-table type ip size 1m store gpc0
tcp-request content track-sc1 req.hdr_ip(True-Client-IP)
http-request deny if { sc1_get_gpc0 gt 0 }
Then you can insert new data in the stick table using the HAProxy UNIX
socket (which can run over TCP) with:
set table <table> key <key> data.<data_type> <value>
For example, to block 10.0.0.1:
set table mybackend key 10.0.0.1 data.gpc0 1
And you're done.
Here is the result when I test it with curl on my laptop:
$ curl 127.0.0.1:8080 -H "True-Client-IP: 10.0.0.1"
<html><body><h1>403 Forbidden</h1>
Request forbidden by administrative rules.
</body></html>
$ curl 127.0.0.1:8080
<html><body><h1>503 Service Unavailable</h1>
No server is available to handle this request.
</body></html>
Baptiste
On Thu, May 30, 2013 at 12:50 PM, Ricardo Fraile <[email protected]> wrote:
> Hello,
>
> OK, I updated the server to version 1.5 but I have some trouble between
> stick-table and the ACL.
>
> Before, I had:
>
> listen host1 *:80
> ...
> mode http
> acl block_invalid_client hdr_sub(True-Client-IP) -f true-client-ip.lst
> block if block_invalid_client
> ...
>
> Now, I try to change the file to a stick table:
>
> backend host1
> ...
>
> stick-table type ip size 1m store gpc0
> acl block_invalid_client hdr_ip(True-Client-IP) -- { stick match(host1) }
> http-request deny if block_invalid_client
>
> ...
>
> But it doesn't work:
>
> error detected while parsing ACL 'block_invalid_client' : '{' is not a
> valid IPv4 or IPv6 address.
> error detected while parsing an 'http-request deny' condition : no such
> ACL : 'block_invalid_client'.
>
>
> Is it possible to match an HTTP header inside an ACL against a stick table?
>
> Thanks,
>
>
>
>
> ----- Original message -----
> From: Baptiste <[email protected]>
> To: Ricardo Fraile <[email protected]>
> CC: "[email protected]" <[email protected]>
> Sent: Wednesday, 29 May 2013 14:51
> Subject: Re: Block clients based on header in real time?
>
> Hi,
>
> With the latest HAProxy version, you could use a stick table and insert
> IPs into the stick table through the HAProxy socket.
> Then you can ban all IPs from the stick table.
>
> Baptiste
>
>
> On Wed, May 29, 2013 at 1:05 PM, Ricardo Fraile <[email protected]> wrote:
>> Hello,
>>
>>
>> I'm looking for a solution for blocking users based on a header,
>> X-Forwarded-For. I already have an ACL for this, but is it possible to update the
>> list of IPs without restarting haproxy?
>>
>>
>> Thanks,
>>
>