On Mon, Jan 18, 2016 at 8:49 AM, mat.mar...@yahoo.com <mat.mar...@yahoo.com> wrote:
> Hi all,
>
> I'm planning to use haproxy for filtering connections behind, using a
> whitelist file, like below.
>
> frontend Hybrid_Exchange_Connector_TCP_25
>     timeout client 30m
>     mode tcp
>     bind 172.16.151.136:25 name SMTP
>     # https://technet.microsoft.com/en-us/library/dn163583%28v=exchg.150%29.aspx
>     tcp-request connection reject if !{ src -f /etc/haproxy/whitelist.lst }
>     default_backend bk_Hybrid_Exchange_Connector_TCP_25
>
> backend bk_Hybrid_Exchange_Connector_TCP_25
>     timeout server 30m
>     timeout connect 5s
>     mode tcp
>     balance leastconn
>     stick-table type ip size 20k
>     stick on src
>     default-server inter 5s fall 3 rise 2 on-marked-down shutdown-sessions
>     server exch1 172.17.120.183 weight 10 check port 25 maxconn 1000
>     server exch2 172.17.120.184 weight 10 check port 25 maxconn 1000
>
> But if I try to connect from another IP that isn't in that whitelist file,
> I'm still able to connect to the server behind for a few moments.
> Is there a way to set haproxy to DENY/DROP connections, like
> iptables does?
>
> Thank you,
> Marius
Hi Mat,

You may want to write it like this:

    tcp-request connection reject unless { src -f /etc/haproxy/whitelist.lst }

What type of content do you have in your whitelist file?
Do you run HAProxy in multiprocess mode?

Note: the whitelist applies to NEW connections, not to already established ones.

Baptiste
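Since the reply asks what the whitelist file contains, here is an added example (not part of this thread, and not HAProxy's own pattern-file parser) that models how `src -f <file>` is evaluated for a `tcp-request connection reject unless { ... }` rule: it loads a constructed `whitelist.lst`, reports entries that are not IP addresses or CIDR blocks, and returns the accept/reject decision for a given source address. It assumes the file format is one IPv4/IPv6 address or CIDR per line, with lines starting with `#` and blank lines ignored.

```python
import ipaddress

# Constructed sample whitelist file. HAProxy expects an ip-type pattern file
# to hold one address or CIDR block per line (assumption; this is not the
# project's parser). The hostname line is deliberately invalid.
SAMPLE_WHITELIST = """\
# Exchange connector source ranges (constructed sample values)
172.17.120.0/24
10.0.5.7
2001:db8::/32
# hostnames are not valid in an ip-type pattern file
smtp.example.com
"""


def load_whitelist(text):
    """Parse whitelist text into (networks, bad_lines).

    bad_lines lists (line_number, entry) for lines that are neither an
    address nor a CIDR block, so a broken file can be caught before reload.
    """
    networks, bad = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            # strict=False accepts host bits set inside a prefix (10.0.0.5/8)
            networks.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            bad.append((lineno, line))
    return networks, bad


def src_in_whitelist(src, networks):
    """Return True if src matches any address or block in the whitelist."""
    addr = ipaddress.ip_address(src)
    # An IPv4 address never matches an IPv6 network and vice versa.
    return any(addr in net for net in networks)


def connection_decision(src, networks):
    """Mirror `tcp-request connection reject unless { src -f whitelist }`.

    This is applied per NEW connection; an already accepted TCP session is
    not re-evaluated when the file changes.
    """
    return "accept" if src_in_whitelist(src, networks) else "reject"
```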