Hi

If you only have one range and it does not change often then an acl file should be avoided.

http-request deny unless src 123.123.123.123/123

If you have more than one range an acl should be used.
Only if you have many or they change often would a file suit.

Is clearer imho

Neil

On 16 Jul 2014 17:10, "Baptiste" <[email protected]> wrote:

> On Wed, Jul 16, 2014 at 5:45 PM, JDzialo John <[email protected]> wrote:
> > Hi Guys,
> >
> > I want to only allow certain internal company IP addresses to have
> > access to one of my web farms. I am using haproxy 1.5 on Debian 7.
> >
> > I am using a whitelist.lst file with the following contents...
> >
> > 10.0.0.0/8
> >
> > Here is my frontend configuration...
> >
> > frontend https-in
> >     bind *:443 ssl crt /etc/ssl/xxx.cert.chain.pem
> >     http-request allow if { src -f /etc/haproxy/whitelist.lst }
> >     reqadd X-Forwarded-Proto:https
> >     reqadd X-Forwarded-Port:443
> >     timeout client 600000
> >
> >     default-backend web
> >
> > However any IP is still allowed through this frontend. It does not
> > appear to be restricting access to any other IP. Am I missing something in
> > my configuration?
> >
> > Thanks
> >
> > John Dzialo | Linux System Administrator
> > Direct 203.783.8163 | Main 800.352.0050
> >
> > Environmental Data Resources, Inc.
> > 440 Wheelers Farms Road, Milford, CT 06461
> > www.edrnet.com | commonground.edrnet.com
>
> Hi John,
>
> Please avoid HTML mails...
>
> Give a try to the following configuration:
> http-request deny unless { src -f /etc/haproxy/whitelist.lst }
>
> Baptiste
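The three forms discussed in this thread, side by side, as an added example that is not part of the original messages. The frontend name, certificate path, whitelist path and 10.0.0.0/8 come from the thread; the ACL name `internal` and the two extra ranges are constructed sample values.

```haproxy
# Frontend fragment (added example, not the poster's final configuration).
frontend https-in
    bind *:443 ssl crt /etc/ssl/xxx.cert.chain.pem

    # BEFORE (restricts nothing): http-request rules are evaluated in order,
    # and a request that no rule denies is accepted. This rule only accepts
    # whitelisted sources early; every other source falls through to the
    # implicit accept at the end of the rule list.
    #http-request allow if { src -f /etc/haproxy/whitelist.lst }

    # AFTER: deny everything that is not on the whitelist. Enable exactly
    # one of the three forms below.

    # 1) One range that rarely changes: inline anonymous ACL.
    #http-request deny unless { src 10.0.0.0/8 }

    # 2) A few ranges: named ACL. Several values on one acl line are ORed.
    #    (172.16.0.0/12 and 192.168.0.0/16 are constructed sample ranges.)
    #acl internal src 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
    #http-request deny unless internal

    # 3) Many ranges, or ranges that change often: one address or CIDR
    #    per line in a file.
    http-request deny unless { src -f /etc/haproxy/whitelist.lst }

    default-backend web
```

Validate the file with `haproxy -c -f <config file>` before reloading. A client outside the listed ranges should then receive HAProxy's 403 response instead of reaching the backend.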

