I think the difference is that in the second case, HAProxy takes the subnet into account.

make it faster like this:
 acl forbidden_dst url -m ip 192.168.0.0/24 172.16.0.0/12 10.0.0.0/8
 acl forbidden_dst url_dom -m ip 192.168.0.0/24 172.16.0.0/12 10.0.0.0/8

the IP list is stored into a tree, so that's very fast and even faster
with the conf above since you'll perform only 2 lookups instead of 6.

Baptiste


On Thu, Oct 1, 2015 at 2:40 PM, Pavlo Zhuk <[email protected]> wrote:
> Workaround:
> I was able to implement the same functionality with -m ip on url matching, which
> is probably more expensive on CPU usage
>
>        acl forbidden_dst url -m ip 192.168.0.0/24
>        acl forbidden_dst url -m ip 172.16.0.0/12
>        acl forbidden_dst url -m ip 10.0.0.0/8
>        acl forbidden_dst url_dom -m ip 192.168.0.0/24
>        acl forbidden_dst url_dom -m ip 172.16.0.0/12
>        acl forbidden_dst url_dom -m ip 10.0.0.0/8
>
>
> ---------- Forwarded message ----------
> From: Pavlo Zhuk <[email protected]>
> Date: Thu, Oct 1, 2015 at 2:13 PM
> Subject: url_ip is not properly extracted in HTTP CONNECT method ?
> To: [email protected]
>
>
> Dears,
>
> I am trying to filter traversal access to my lan via HTTP CONNECT method.
> And I tried to use acl with url_ip based on private ip range constants.
>
> Apparently this method works for HTTP GET, but isn't working for HTTP
> CONNECT.
> Is there any other way to inspect HTTP CONNECT destination?
>
> My config:
>
>
>        acl forbidden_dst url_ip 192.168.0.0/24
>        acl forbidden_dst url_ip 172.16.0.0/12
>        acl forbidden_dst url_ip 10.0.0.0/8
>
>
>        http-request deny if forbidden_dst
>
>
>
> Log for HTTP GET, request blocked:
>
> Oct  1 11:08:37 ip-10-2-170-57 haproxy[2227]: x.x.x.x:35963 [01/Oct/2015:11:08:37.182] proxy-in proxy-in/<NOSRV> 0/-1/-1/-1/0 403 188 - - PR-- 0/0/0/0/0 0/0 "GET http://10.1.1.1:22/ HTTP/1.1"
>
>
> Log for HTTP CONNECT, request bypassed (responded as HTTP/403 by backend
> service)
>
> Oct  1 11:08:55 ip-10-2-170-57 haproxy[2227]: x.x.x.x:35966 [01/Oct/2015:11:08:55.101] proxy-in proxy/i-4c333482 0/0/1/2/3 403 423 - - ---- 1/1/0/0/0 0/0 "CONNECT 10.1.1.1:22 HTTP/1.1"
>
>
> --
> BR,
> Pavlo Zhuk
>
>
>
>
> --
> BR,
> Pavlo Zhuk
> +38093 2412222
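The decision the ACLs above express, worked through as an added example (this is not HAProxy code and not from either poster): pull the destination host out of a request line for both the absolute-form target a forward proxy sees on GET (`http://10.1.1.1:22/`) and the authority-form target on CONNECT (`10.1.1.1:22`), then test it against the three ranges from the thread, taken exactly as written. The treatment of non-IP hostnames (they simply do not match) is an assumption about what an `-m ip` comparison does with a sample that is not an address; the request lines are constructed from the two log entries in the thread.

```python
"""Constructed illustration of matching a proxied request's destination
against forbidden CIDR ranges, for both absolute-form (GET http://...) and
authority-form (CONNECT host:port) request lines.  Added example, not
HAProxy's implementation."""
import ipaddress
from urllib.parse import urlsplit

# Ranges copied from the thread's ACLs, as written.  Note that 192.168.0.0/24
# covers only the first /24 of the 192.168.0.0/16 private block.
FORBIDDEN_DST = [ipaddress.ip_network(n) for n in
                 ("192.168.0.0/24", "172.16.0.0/12", "10.0.0.0/8")]


def _strip_port(authority: str):
    """host[:port] -> host; bracketed IPv6 ([addr]:port) -> addr."""
    if authority.startswith("["):
        end = authority.find("]")
        return authority[1:end] if end != -1 else None
    host, _, _port = authority.rpartition(":")
    return host or authority


def destination_host(request_line: str):
    """Return the destination host from an HTTP request line, or None.

    CONNECT carries an authority-form target ("10.1.1.1:22"); other methods
    through a forward proxy carry an absolute-form URL ("http://10.1.1.1:22/").
    Origin-form targets ("/path") have no host and yield None.
    """
    parts = request_line.split()
    if len(parts) != 3:
        return None
    method, target, _version = parts
    if method.upper() == "CONNECT":
        return _strip_port(target)
    return urlsplit(target).hostname


def is_forbidden(request_line: str, networks=FORBIDDEN_DST) -> bool:
    """True when the destination is an IP literal inside a forbidden network.

    A hostname that is not an IP literal never matches here (assumption about
    `-m ip` semantics on a non-address sample); names that resolve to private
    addresses need a separate control.
    """
    host = destination_host(request_line)
    if host is None:
        return False
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in networks)


if __name__ == "__main__":
    # Request lines constructed from the thread's two log entries, plus two more.
    for line in ("GET http://10.1.1.1:22/ HTTP/1.1",
                 "CONNECT 10.1.1.1:22 HTTP/1.1",
                 "CONNECT 192.168.1.5:443 HTTP/1.1",
                 "GET http://example.com/ HTTP/1.1"):
        print(f"{line!r}: {'deny' if is_forbidden(line) else 'allow'}")
```

Running it shows both forms of the 10.1.1.1:22 request denied, while `CONNECT 192.168.1.5:443` is allowed because 192.168.1.5 lies outside the /24 the ACL names; widen that entry to 192.168.0.0/16 if the intent is the whole RFC 1918 block.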
