Re: TCP ACL rules based on host name

Wed, 04 Oct 2017 16:53:22 -0700 

Le 22/09/2017 à 03:13, rt3p95qs a écrit :
Is it possible to assign TCP (no HTTP) connections to a backend based on an alias haproxy has? 

For example:

HAProxy has 3 alias names, server01.example.com 
<http://server01.example.com>, server02.example.com 
<http://server02.example.com> and server03.example.com 
<http://server03.example.com>.


The haproxy.conf file defines a front end and 3 back ends:

frontend static-svc
   bind *:80
   mode tcp
   option tcplog
   default_backend svc-svc-default


backend stactic-svc01
    balance source
    option tcplog
    server server01 127.0.0.1 check

backend static-svc02
    balance source
    option tcplog
    server server02 127.0.0.2 check

backend static-svc03
    balance source
    option tcplog
    server server03 127.0.0.3 check


The idea being that each static-service should only service in coming 
requests thru a specific alias; therefore, requests coming from the 
internet looking for server01.example.com 
<http://server01.example.com> would be sent to the static-svc01 back 
end. I have seen tons of examples on how to do this with HTTP, but I 
can't find any that focus on pure TCP. My application does not use 
HTTP at all.


Thanks.


Hello,


sorry if i'm wrong but server name is not part of TCP , TCP only knows 
about IP and port, so you must have another protocol above TCP to adress 
server name. Natively Haproxy only knows about TCP and HTTP, if you know 
how works your protocol you can use :


tcp-request inspect-delay XX
tcp-request content capture <sample> len <length>

you can find what you can capture here :


Layer 4 : 
https://cbonte.github.io/haproxy-dconv/1.7/configuration.html#7.3.3
Layer 5 : 
https://cbonte.github.io/haproxy-dconv/1.7/configuration.html#7.3.4
Layer 6 : 
https://cbonte.github.io/haproxy-dconv/1.7/configuration.html#7.3.5


At layer 6 you have the payload :

https://cbonte.github.io/haproxy-dconv/1.7/configuration.html#7.3.5-req.payload

you can maybe use this to establish conditions.


Have a look at this thread also : 
https://www.mail-archive.com/[email protected]/msg25879.html




---
L'absence de virus dans ce courrier électronique a été vérifiée par le logiciel 
antivirus Avast.
https://www.avast.com/antivirus






















					Reply via email to