Workaround:
I was able to implement the same functionality with -m ip on URL matching, which
is probably more expensive on CPU usage

       acl forbidden_dst url -m ip 192.168.0.0/24
       acl forbidden_dst url -m ip 172.16.0.0/12
       acl forbidden_dst url -m ip 10.0.0.0/8
       acl forbidden_dst url_dom -m ip 192.168.0.0/24
       acl forbidden_dst url_dom -m ip 172.16.0.0/12
       acl forbidden_dst url_dom -m ip 10.0.0.0/8


---------- Forwarded message ----------
From: Pavlo Zhuk <[email protected]>
Date: Thu, Oct 1, 2015 at 2:13 PM
Subject: url_ip is not properly extracted in HTTP CONNECT method ?
To: [email protected]


Dears,

I am trying to filter traversal access to my LAN via the HTTP CONNECT method.
And I tried to use an acl with url_ip based on private IP range constants.

Apparently this method works for HTTP GET, but isn't working for HTTP
CONNECT.
Is there any other way to inspect HTTP CONNECT destination?

My config:


       acl forbidden_dst url_ip 192.168.0.0/24
       acl forbidden_dst url_ip 172.16.0.0/12
       acl forbidden_dst url_ip 10.0.0.0/8


       http-request deny if forbidden_dst



Log for HTTP GET, request blocked:

Oct  1 11:08:37 ip-10-2-170-57 haproxy[2227]: x.x.x.x:35963 [01/Oct/2015:11:08:37.182] proxy-in proxy-in/<NOSRV> 0/-1/-1/-1/0 403 188 - - PR-- 0/0/0/0/0 0/0 "GET http://10.1.1.1:22/ HTTP/1.1"


Log for HTTP CONNECT, request bypassed (responded to as HTTP/403 by the backend
service)

Oct  1 11:08:55 ip-10-2-170-57 haproxy[2227]: x.x.x.x:35966 [01/Oct/2015:11:08:55.101] proxy-in proxy/i-4c333482 0/0/1/2/3 403 423 - - ---- 1/1/0/0/0 0/0 "CONNECT 10.1.1.1:22 HTTP/1.1"


-- 
BR,
Pavlo Zhuk




-- 
BR,
Pavlo Zhuk
+38093 2412222
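The following is an added illustration, not code from the message or from HAProxy: it approximates the two ACL approaches discussed above (a url_ip-style fetch that needs an absolute URL with a scheme, versus matching the raw request target as an IP) and runs both over the GET and CONNECT request lines from the logs. The helper names and the parsing rules are assumptions chosen to reproduce the reported behaviour; HAProxy's own fetch implementations may differ in detail.

```python
import ipaddress

# Private ranges exactly as listed in the acl lines above (note that
# 192.168.0.0/24 is only one /24 slice of the full 192.168.0.0/16 block).
FORBIDDEN_DST = [ipaddress.ip_network(n) for n in
                 ("192.168.0.0/24", "172.16.0.0/12", "10.0.0.0/8")]

def _target(request_line):
    """Return the request-target of an HTTP/1.1 request line (constructed helper)."""
    _method, target, _version = request_line.split(" ", 2)
    return target

def url_ip(request_line):
    """Approximation of a url_ip-style fetch: the host part of an absolute
    URL (scheme://host[:port]/...) converted to an IP address. A CONNECT
    request carries an authority form (host:port) with no scheme, so no
    address is extracted, which is the behaviour the report describes."""
    target = _target(request_line)
    if "://" not in target:
        return None                       # authority form: nothing to extract
    host = target.split("://", 1)[1].split("/", 1)[0].rsplit(":", 1)[0]  # IPv4 only
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None                       # a hostname, not a literal address

def url_match_ip(request_line):
    """Approximation of the workaround 'url -m ip': read the raw target
    (scheme and port stripped if present) as an IP address."""
    target = _target(request_line)
    host = target.split("://", 1)[-1].split("/", 1)[0].rsplit(":", 1)[0]  # IPv4 only
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None

def forbidden(addr):
    """True when the extracted address falls in one of the private ranges."""
    return addr is not None and any(addr in net for net in FORBIDDEN_DST)

def decide(request_line, fetch):
    """'deny' or 'allow' for a request line under the given fetch, mirroring
    'http-request deny if forbidden_dst'."""
    return "deny" if forbidden(fetch(request_line)) else "allow"

# Request lines taken from the two log entries in the message.
GET_LINE = "GET http://10.1.1.1:22/ HTTP/1.1"
CONNECT_LINE = "CONNECT 10.1.1.1:22 HTTP/1.1"
```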
