Hello, after some time has passed, I return to this situation.

I tried to implement a white and black list in this stick table. One solution is based on storing the IPs and playing with setting data.gpc0 to 1 or 0; OK, it works, but the problem now is with networks. The first issue is with the stick-table: this table is for storing IPs, not a subnet or a piece of one. For this reason, the first thing is to change "type ip" to "type string". Now, the only workaround for matching a subnet is storing it in a format that matches an 8/16/24 mask:

    60.40.0
    32.11
    44

Well, now I can store what I want:

    # table: name-of-back1, type: string, size:1048576, used:2
    0x21559c4: key=10.0.0 use=0 exp=0 gpc0=1
    0x2155a94: key=10.0.0.1 use=0 exp=0 gpc0=0

In this example, I want to deny the whole 10.0.0.0/24 network except for the host 10.0.0.1. But the problem now is matching this situation, with this code:

    tcp-request content track-sc1 req.hdr(True-Client-IP,1)
    http-request deny if { sc1_get_gpc0 gt 0 }

It only works if the exact content is matched in the True-Client-IP header, which is impossible in the case of networks. I found "hdr_beg" in the doc, but above it is the text "ACL Derivates", and I can't get a valid configuration working with it in my tests. Is it possible to do that, match the first characters of the tracked header? Any example conf with hdr_beg running in a tcp-request line?

Thanks,

________________________________
From: Ricardo Fraile <rfra...@yahoo.es>
To: Baptiste <bed...@gmail.com>
CC: "haproxy@formilux.org" <haproxy@formilux.org>
Sent: Wednesday, 12 June 2013 11:03
Subject: Re: Block clients based on header in real time?

Fantastic! With this conf, now I can update the list with a simple:

    # echo "set table name-of-the-table key 10.0.0.1 data.gpc0 1" | socat stdio /var/run/haproxy.sock

And with a curl:

    $ curl -I 127.0.0.1:80 -H "True-Client-IP: 10.0.0.1"
    HTTP/1.0 403 Forbidden
    Cache-Control: no-cache
    Connection: close
    Content-Type: text/html

But one more question: if I need to block a subnet, how can I do it? I tried to store:

    echo "set table name-of-the-table key 10.0.0.0/8 data.gpc0 1" | socat stdio /var/run/haproxy.sock

but it does not work, and the same with only "10." in place of "10.0.0.0/8", but nothing.

Thanks,

________________________________
From: Baptiste <bed...@gmail.com>
To: Ricardo Fraile <rfra...@yahoo.es>
CC: "haproxy@formilux.org" <haproxy@formilux.org>
Sent: Saturday, 8 June 2013 8:40
Subject: Re: Block clients based on header in real time?

Hi Ricardo,

Actually, this is how I would do the conf:

    stick-table type ip size 1m store gpc0
    tcp-request content track-sc1 req.hdr_ip(True-Client-IP)
    http-request deny if { sc1_get_gpc0 gt 0 }

Then you can insert new data in the stick table using the HAProxy UNIX socket (which can run over TCP) with:

    set table <table> key <key> data.<data_type> <value>

For example, to block 10.0.0.1:

    set table mybackend key 10.0.0.1 data.gpc0 1

And you're done.

Here is the result when I test it with curl on my laptop:

    $ curl 127.0.0.1:8080 -H "True-Client-IP: 10.0.0.1"
    <html><body><h1>403 Forbidden</h1>
    Request forbidden by administrative rules.
    </body></html>

    $ curl 127.0.0.1:8080
    <html><body><h1>503 Service Unavailable</h1>
    No server is available to handle this request.
    </body></html>

Baptiste

On Thu, May 30, 2013 at 12:50 PM, Ricardo Fraile <rfra...@yahoo.es> wrote:
> Hello,
>
> OK, I updated the server to the 1.5 version, but I have some trouble between
> the stick-table and the ACL.
>
> Before, I had:
>
>     listen host1 *:80
>     ...
>     mode http
>     acl block_invalid_client hdr_sub(True-Client-IP) -f true-client-ip.lst
>     block if block_invalid_client
>     ...
>
> Now, I try to change the file to a stick table:
>
>     backend host1
>     ...
>     stick-table type ip size 1m store gpc0
>     acl block_invalid_client hdr_ip(True-Client-IP) -- { stick match(host1) }
>     http-request deny if block_invalid_client
>     ...
>
> But it does not work:
>
>     error detected while parsing ACL 'block_invalid_client' : '{' is not a valid IPv4 or IPv6 address.
>     error detected while parsing an 'http-request deny' condition : no such ACL : 'block_invalid_client'.
>
> Is it possible to match an HTTP header inside an ACL to a stick table?
>
> Thanks,
>
> ----- Original message -----
> From: Baptiste <bed...@gmail.com>
> To: Ricardo Fraile <rfra...@yahoo.es>
> CC: "haproxy@formilux.org" <haproxy@formilux.org>
> Sent: Wednesday, 29 May 2013 14:51
> Subject: Re: Block clients based on header in real time?
>
> Hi,
>
> With the latest HAProxy version, you could use a stick table and insert
> IPs in the stick table through the HAProxy socket.
> Then you can ban all IPs from the stick table.
>
> Baptiste
>
>
> On Wed, May 29, 2013 at 1:05 PM, Ricardo Fraile <rfra...@yahoo.es> wrote:
>> Hello,
>>
>> I'm looking for a solution for blocking users based on a header,
>> x-forwarded-for. I already have an ACL for this, but is it possible to update the
>> list of IPs without restarting haproxy?
>>
>> Thanks,
>>
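The subnet-versus-host problem from the top message, modelled in Python as an added example (not code from the thread or from HAProxy itself): it fills a string-keyed table the way the poster does (dotted octet prefixes with gpc0 1 = deny, 0 = allow) and compares a bare hdr_beg-style prefix match with a lookup that respects octet boundaries and lets the most specific entry win. The table entries and client addresses are constructed.

```python
"""Model of the string-keyed stick table from the thread (added example).

Keys are dotted octet prefixes as the poster stores them: "10.0.0" stands for
10.0.0.0/24, "44" for 44.0.0.0/8, and a full address for a single host.
gpc0 is 1 to deny and 0 to allow.
"""
import ipaddress

# Constructed table: deny 10.0.0.0/24 except the host 10.0.0.1, plus a /16
# entry ("10.1") that exposes the pitfall of matching on raw string prefixes.
TABLE = {"10.0.0": 1, "10.0.0.1": 0, "10.1": 1}


def naive_prefix_lookup(client_ip, table):
    """What a plain string prefix match (hdr_beg-style) would do: the first key
    that is a prefix of the address wins, regardless of octet boundaries."""
    for key, gpc0 in table.items():
        if client_ip.startswith(key):
            return gpc0
    return 0


def key_to_network(key):
    """Turn an octet-prefix key into the IPv4 network it stands for."""
    octets = key.split(".")
    padded = octets + ["0"] * (4 - len(octets))
    return ipaddress.ip_network(f"{'.'.join(padded)}/{8 * len(octets)}")


def longest_prefix_lookup(client_ip, table):
    """Correct evaluation: only whole-octet matches count, and the most
    specific entry (longest mask) decides, so a host exemption beats its /24
    and "10.1" no longer swallows 10.10.0.0/16."""
    addr = ipaddress.ip_address(client_ip)
    best = None
    for key, gpc0 in table.items():
        net = key_to_network(key)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, gpc0)
    return best[1] if best else 0


def is_denied(client_ip, table=TABLE):
    """Decision the http-request deny rule would take for this client."""
    return longest_prefix_lookup(client_ip, table) > 0
```

Whichever lookup is used, True-Client-IP is only a safe key when a trusted upstream proxy sets it and clients cannot reach HAProxy directly, because the header is otherwise under the client's control.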