<Sending again to list, accidentally replied to Alex in private>

Hi Alex,

you can totally do something like that with some preparations. We use the following setup:

1. We have a "tarpit" backend:

    backend tarpit
        timeout tarpit 30s
        # reqtarpit needs a regex argument; "." matches every request
        reqtarpit .

2. In our config, we have permanent rules like this:

    acl blacklisted-cidr req.hdr_ip(X-Real-IP) -f tarpit-cidr.lst
    use_backend tarpit if blacklisted-cidr

The file tarpit-cidr.lst can contain a list of IP addresses to block, however ours is usually empty, instead we apply blocks via the admin socket by running an admin socket command like:

    add acl tarpit-cidr.lst <IP>

Note that this might be a little different from what you require. First, if you want to block right away, you might want to use something different as a backend, but using a dedicated backend probably makes sense for you as well. Gives you stats and everything.

Also, we look at the X-Real-IP header because we get the traffic from our CDN (which we can trust to set that header). You might want to change that to look at `src` like in your example. But otherwise, should work the same.

Also, please note that when using the admin interface to add IPs to the ACL, these will get lost during a restart (unless you also write them to the file itself).

Hope that helps,
Conrad

On 01/25/2017 07:06 PM, Alexey Zilber wrote:
> Hi All,
>
> Is there a way to do something like this from the admin socket:
>
> acl bad_ip src 184.66.248.33
>
> tcp-request connection reject if bad_ip
>
>
> Thanks!
>
> Alex
>

-- 
Conrad Hoffmann
Traffic Engineer

SoundCloud Ltd. | Rheinsberger Str. 76/77, 10115 Berlin, Germany
Managing Director: Alexander Ljung | Incorporated in England & Wales with Company No. 6343600 | Local Branch Office | AG Charlottenburg | HRB 110657B
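
An added example, not part of the original mail: a wrapper that writes each entry to tarpit-cidr.lst and also sends the `add acl` command from the mail, so blocks survive a restart. It validates input first because the admin socket accepts several commands separated by `;`. The on-disk path, the socket path, the use of socat and all function names are assumptions.

```shell
#!/bin/sh
# Added example; the paths below are assumptions, adjust to your deployment.
ACL_REF="tarpit-cidr.lst"                              # name exactly as given to -f in the config
ACL_FILE="${ACL_FILE:-/etc/haproxy/tarpit-cidr.lst}"   # assumed on-disk location of that file
HAPROXY_SOCK="${HAPROXY_SOCK:-/var/run/haproxy.sock}"  # assumed admin socket path

# Accept only an IPv4 address or CIDR. Anything else (";", spaces, newlines)
# is refused so it can neither smuggle a second command onto the admin
# socket nor leave an unparsable line in the ACL file.
valid_entry() {
    case $1 in ''|*[!0-9./]*) return 1 ;; esac
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' || return 1
    addr=${1%/*}; old_ifs=$IFS; IFS=.
    for octet in $addr; do
        [ "$octet" -le 255 ] || { IFS=$old_ifs; return 1; }
    done
    IFS=$old_ifs
}

# Append the entry to the file unless that exact line is already present.
persist_entry() {
    touch "$ACL_FILE"
    grep -qxF -- "$1" "$ACL_FILE" || printf '%s\n' "$1" >> "$ACL_FILE"
}

# Apply the entry to the running process (the command shown in the mail).
runtime_add() {
    printf 'add acl %s %s\n' "$ACL_REF" "$1" |
        socat stdio "unix-connect:$HAPROXY_SOCK"
}

# Validate, persist for the next restart, then apply at runtime.
block_ip() {
    valid_entry "$1" || { echo "refusing invalid entry: $1" >&2; return 2; }
    persist_entry "$1" && runtime_add "$1"
}
```

Source the file and call `block_ip 184.66.248.33`; the entry is written to the file before the socket command runs, so a failed socket call still leaves the block in place for the next restart.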