On Mon, Jan 18, 2016 at 8:49 AM, [email protected]
<[email protected]> wrote:
> Hi all,
>
> I'm planning to use haproxy for filtering connections behind, using a
> whitelist file, like below.
>
> frontend Hybrid_Exchange_Connector_TCP_25
> timeout client 30m
> mode tcp
> bind 172.16.151.136:25 name SMTP
> # https://technet.microsoft.com/en-us/library/dn163583%28v=exchg.150%29.aspx
> tcp-request connection reject if !{ src -f /etc/haproxy/whitelist.lst }
> default_backend bk_Hybrid_Exchange_Connector_TCP_25
> backend bk_Hybrid_Exchange_Connector_TCP_25
> timeout server 30m
> timeout connect 5s
> mode tcp
> balance leastconn
> stick-table type ip size 20k
> stick on src
> default-server inter 5s fall 3 rise 2 on-marked-down shutdown-sessions
> server exch1 172.17.120.183 weight 10 check port 25 maxconn 1000
> server exch2 172.17.120.184 weight 10 check port 25 maxconn 1000
>
> But if I try to connect from another IP that isn't in that whitelist file,
> I'm still able to connect to the server behind it for a few moments.
> Is there a way to set haproxy to DENY/DROP connections, like
> iptables does?
>
> thank you,
> Marius
>
Hi Mat,
You may want to write it like this:
tcp-request connection reject unless { src -f /etc/haproxy/whitelist.lst }
What type of content do you have in your whitelist file?
Do you run HAProxy in multiprocess mode?
Note: the whitelist applies to NEW connections, not to already established ones.
Baptiste
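An added example, not from the thread and not HAProxy's own code: a small Python model of the `{ src -f /etc/haproxy/whitelist.lst }` ACL as used in the `tcp-request connection reject` rule above. It parses a constructed whitelist in the one-pattern-per-line, `#`-comment format that `src -f` reads, evaluates the rule for a few client addresses, and shows that `reject if !{ ... }` and `reject unless { ... }` are the same decision; lines that are not an IP or CIDR are reported separately (this script's own policy, not a statement about how HAProxy treats them).

```python
# Added example (not from the thread): evaluate the whitelist ACL offline.
import ipaddress
from typing import List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample of /etc/haproxy/whitelist.lst: one IP or CIDR per line,
# '#' starts a comment, blank lines are ignored.
WHITELIST_TEXT = """\
# partner relay ranges (constructed sample values)
172.17.120.0/24
10.0.5.7
# the next line is not an IP/CIDR pattern; this script reports it
mail.example.invalid
2001:db8::/32
"""


def parse_whitelist(text: str) -> Tuple[List[Network], List[str]]:
    """Return (networks, unparseable_lines). Bare addresses become /32 or /128."""
    nets: List[Network] = []
    bad: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            bad.append(line)
    return nets, bad


def src_matches(src: str, nets: List[Network]) -> bool:
    """Equivalent of the ACL '{ src -f whitelist.lst }' for one client address."""
    addr = ipaddress.ip_address(src)
    return any(addr in n for n in nets)


def connection_rejected(src: str, nets: List[Network]) -> bool:
    """Decision of 'tcp-request connection reject unless { src -f ... }'.
    'reject if !{ ... }' is the same test with explicit negation, so both
    spellings reject exactly the same sources. The rule is evaluated when a
    new connection is accepted; it never tears down an established session."""
    return not src_matches(src, nets)


if __name__ == "__main__":
    networks, rejected_lines = parse_whitelist(WHITELIST_TEXT)
    print("unparseable lines:", rejected_lines)
    for client in ("172.17.120.183", "192.0.2.10", "2001:db8::1"):
        print(client, "rejected" if connection_rejected(client, networks) else "accepted")
```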