<Sending again to list, accidentally replied to Alex in private>
Hi Alex,
you can totally do something like that with some preparations. We use the
following setup:
1. We have a "tarpit" backend:
backend tarpit
  timeout tarpit 30s
  reqtarpit .   # the regex argument is required; "." matches every request
2. In our config, we have permanent rules like this:
acl blacklisted-cidr req.hdr_ip(X-Real-IP) -f tarpit-cidr.lst
use_backend tarpit if blacklisted-cidr
The file tarpit-cidr.lst can contain a list of IP addresses to block,
however ours is usually empty, instead we apply blocks via the admin socket
by running an admin socket command like:
add acl tarpit-cidr.lst <IP>
Note that this might be a little different from what you require. First, if
you want to block right away, you might want to use something different as
a backend, but using a dedicated backend probably makes sense for you as
well. Gives you stats and everything.
Also, we look at the X-Real-IP header because we get the traffic from our
CDN (which we can trust to set that header). You might want to change that
to look at `src` like in your example. But otherwise, should work the same.
Also, please note that when using the admin interface to add IPs to the
ACL, these will get lost during a restart (unless you also write them to
the file itself).
Hope that helps,
Conrad
On 01/25/2017 07:06 PM, Alexey Zilber wrote:
> Hi All,
>
> Is there way to do something like this from the admin socket:
>
> acl bad_ip src 184.66.248.33
>
> tcp-request connection reject if bad_ip
>
>
> Thanks!
>
> Alex
>
--
Conrad Hoffmann
Traffic Engineer
SoundCloud Ltd. | Rheinsberger Str. 76/77, 10115 Berlin, Germany
Managing Director: Alexander Ljung | Incorporated in England & Wales
with Company No. 6343600 | Local Branch Office | AG Charlottenburg |
HRB 110657B
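An added example, not part of Conrad's or Alex's messages: a small POSIX shell helper that applies the runtime block the way described above and also writes the entry to the list file, so it survives the restart Conrad warns about. It assumes an admin socket at /var/run/haproxy.sock (enabled with `stats socket ... level admin`), socat installed, and the ACL file referenced as /etc/haproxy/tarpit-cidr.lst in haproxy.cfg; the identifier passed to `add acl` / `del acl` has to be exactly the string used after `-f`, and these commands work the same whether the ACL matches `src` or `req.hdr_ip(X-Real-IP)`. The address check keeps an unvalidated string from reaching the socket. Script and helper names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): block/unblock an address at runtime via the
# HAProxy admin socket and keep the list file in sync so the entry survives a restart.
# Assumed paths (not in the original messages); override via environment variables.
HAPROXY_SOCK="${HAPROXY_SOCK:-/var/run/haproxy.sock}"
# Must be the exact string used after "-f" in the acl line of haproxy.cfg.
TARPIT_LIST="${TARPIT_LIST:-/etc/haproxy/tarpit-cidr.lst}"

# Accept only an IPv4 address or IPv4/prefix so nothing else reaches the socket.
valid_cidr() {
    addr="${1%%/*}"
    prefix="${1#*/}"
    [ "$prefix" = "$1" ] && prefix=32            # no "/" given: a single host
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    case "$addr" in ''|.*|*.|*..*) return 1 ;; esac
    set -- $(printf '%s' "$addr" | tr '.' ' ')   # split into octets
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# Send one command to the admin socket. "add acl"/"del acl" answer with an empty
# line on success and a message on failure, so any text in the reply is an error.
hap_cmd() {
    reply=$(printf '%s\n' "$1" | socat stdio "UNIX-CONNECT:$HAPROXY_SOCK") || return 1
    if [ -n "$reply" ]; then
        printf 'haproxy refused "%s": %s\n' "$1" "$reply" >&2
        return 1
    fi
}

block_ip() {
    ip="$1"
    valid_cidr "$ip" || { printf 'refusing invalid entry: %s\n' "$ip" >&2; return 1; }
    # 1. Live: takes effect immediately but is forgotten when HAProxy restarts.
    hap_cmd "add acl $TARPIT_LIST $ip" || return 1
    # 2. Persistent: the file is read at startup/reload, so append the entry there too.
    grep -qxF -- "$ip" "$TARPIT_LIST" 2>/dev/null || printf '%s\n' "$ip" >> "$TARPIT_LIST"
}

unblock_ip() {
    ip="$1"
    valid_cidr "$ip" || { printf 'refusing invalid entry: %s\n' "$ip" >&2; return 1; }
    hap_cmd "del acl $TARPIT_LIST $ip" || return 1
    if [ -f "$TARPIT_LIST" ]; then
        grep -vxF -- "$ip" "$TARPIT_LIST" > "$TARPIT_LIST.tmp" || true   # exit 1 = nothing left
        mv "$TARPIT_LIST.tmp" "$TARPIT_LIST"
    fi
}

# Usage: tarpit-block.sh add 184.66.248.33   |   tarpit-block.sh del 184.66.248.33
case "${1:-}" in
    add) block_ip "$2" ;;
    del) unblock_ip "$2" ;;
esac
```

Appending to the file only covers the next restart or reload; the live `add acl` is what makes the block effective immediately, and both are needed to get both properties.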