Thanks Baptiste and Neil.

I do have multiple subnets; I just posted one for the case. I agree if you have
only one it's easier to handle in an acl.

Using deny unless worked perfectly!



From: [email protected] On Behalf Of Neil - HAProxy List
Sent: Wednesday, July 16, 2014 12:29 PM
To: Baptiste
Cc: JDzialo John; HAProxy
Subject: Re: Using a WhiteList in HAProxy 1.5


Hi

If you only have one range and it does not change often then an acl file should
be avoided.

http-request deny unless src 123.123.123.123/123

If you have more than one range an acl should be used

Only if you have many or they change often would a file suit.
Is clearer imho

Neil
On 16 Jul 2014 17:10, "Baptiste" <[email protected]> wrote:
On Wed, Jul 16, 2014 at 5:45 PM, JDzialo John <[email protected]> wrote:
> Hi Guys,
>
> I want to only allow certain internal company IP addresses to have access to
> one of my web farms. I am using haproxy 1.5 on Debian 7.
>
> I am using a whitelist.lst file with the following contents...
>
>     10.0.0.0/8
>
> Here is my frontend configuration...
>
>     frontend https-in
>         bind *:443 ssl crt /etc/ssl/xxx.cert.chain.pem
>         http-request allow if { src -f /etc/haproxy/whitelist.lst }
>         reqadd X-Forwarded-Proto:https
>         reqadd X-Forwarded-Port:443
>         timeout client 600000
>
>         default-backend web
>
> However any IP is still allowed through this frontend. It does not appear to
> be restricting access to any other IP. Am I missing something in my
> configuration?
>
> Thanks
>
> John Dzialo | Linux System Administrator
> Direct 203.783.8163 | Main 800.352.0050
> Environmental Data Resources, Inc.
> 440 Wheelers Farms Road, Milford, CT 06461
> www.edrnet.com | commonground.edrnet.com



Hi John,

Please avoid HTML mails...

Give a try to the following configuration:
  http-request deny unless { src -f /etc/haproxy/whitelist.lst }


Baptiste
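The difference between John's `allow if` and Baptiste's `deny unless`, as an added Python model that is not part of the thread: HAProxy tries `http-request` rules in order, the first rule whose condition fires decides, and a request that matches no rule passes through, so a lone allow rule never blocks anyone. The whitelist contents, the client addresses and the comment/blank-line handling of the list file are constructed for the example.

```python
import ipaddress

# Constructed stand-in for /etc/haproxy/whitelist.lst: one IP or network per line;
# blank lines and "#" comments are skipped (an assumption of this model).
WHITELIST_LST = """
# internal company ranges
10.0.0.0/8
192.168.10.0/24
"""

def load_whitelist(text):
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets

def src_matches(src, nets):
    """Model of the 'src -f <file>' ACL: true if the client IP is in any listed network."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in nets)

def evaluate(rules, src, nets):
    """Model of http-request rule evaluation: rules are tried in order, the first
    whose condition fires decides, and a request matching no rule is allowed.
    Each rule is (action, keyword): action is 'allow' or 'deny', keyword is
    'if' or 'unless'; the condition is always { src -f whitelist }."""
    in_list = src_matches(src, nets)
    for action, keyword in rules:
        fires = in_list if keyword == "if" else not in_list
        if fires:
            return action
    return "allow"  # fell off the end of the rule list: nothing blocked the request

JOHNS_RULES = [("allow", "if")]      # http-request allow if { src -f ... }
FIXED_RULES = [("deny", "unless")]   # http-request deny unless { src -f ... }

def decisions(rules, text=WHITELIST_LST):
    """Decision for one internal and one external client under a rule set."""
    nets = load_whitelist(text)
    return {src: evaluate(rules, src, nets) for src in ("10.1.2.3", "203.0.113.7")}

if __name__ == "__main__":
    for name, rules in (("allow if", JOHNS_RULES), ("deny unless", FIXED_RULES)):
        print(name, decisions(rules))
```

With the original rule both clients get "allow"; with the corrected rule the external 203.0.113.7 gets "deny" while 10.1.2.3 is still allowed.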
