Hi Errikos,

On 26/03/2018 13:03, Errikos Koen wrote:
> Hello,
>
> I have a frontend whitelisted by IP with the following rules:
>
> acl whitelist src -f /etc/haproxy/whitelist.lst
> tcp-request connection reject unless whitelist
>
> and while documentation
> <https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4.2-tcp-request%20connection>
> suggests I would be able to see the rejected connections counted in stats
> (quote: they are accounted separately for in the stats, as "denied
> connections"), those are stuck at 0.
>
> The whitelist appears to be working ok, making a request from a non
> whitelisted IP results in:
>
> $ curl -v http://hostname
> * About to connect() to hostname port 80 (#0)
> *   Trying xxx.xxx.xxx.xxx...
> * connected
> * Connected to hostname (xxx.xxx.xxx.xxx) port 80 (#0)
> > GET / HTTP/1.1
> > User-Agent: curl/7.26.0
> > Host: hostname
> > Accept: */*
> >
> * additional stuff not fine transfer.c:1037: 0 0
> * Recv failure: Connection reset by peer
> * Closing connection #0
> curl: (56) Recv failure: Connection reset by peer
>
> and whitelisted IPs work ok.
>
> I am running a self compiled haproxy 1.8.4 (with make options
> USE_PCRE=1 TARGET=linux2628 USE_OPENSSL=1 USE_ZLIB=1 USE_SYSTEMD=1) on
> Debian 8 with 3.16.0-5-amd64 kernel.
>
> Any ideas?
>
> Thanks
> -- 
> Errikos Koen,
> Cloud Architect
> www.pamediakopes.gr <http://www.pamediakopes.gr>

It works for me using the same version and build options.
Maybe you are looking at the wrong counter.
The one in the stats page is about "denied requests" (this is about http
requests) while you should be looking for "denied connections", you can
find more about this here:
https://cbonte.github.io/haproxy-dconv/1.8/management.html#9.1
According to the doc, the "denied connections" is the 81st field
(counting from 0) so using the following command will help track the
counter:

watch 'echo "show stat" | socat stdio <haproxy-socket-path> | cut -d "," -f 1-2,82 | column -s, -t'

++

-- 
Moemen MHEDHBI
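
Added example, not part of the original thread: a variant of the command above that picks the "show stat" columns by header name (dreq for denied requests, dcon for denied connections) instead of by position. The function names and the abbreviated sample CSV are constructed for illustration; real output has many more columns.

```shell
#!/bin/sh
# Select HAProxy "show stat" CSV columns by header name, not by index.
# Reads the CSV on stdin and prints, per row: pxname svname dreq dcon.
# Exits with status 2 if the header has no dreq or dcon column.
denied_counters() {
    awk -F, '
        NR == 1 {
            sub(/^# /, "", $1)          # header line is prefixed with "# "
            for (i = 1; i <= NF; i++) col[$i] = i
            if (!("dreq" in col) || !("dcon" in col)) exit 2
            next
        }
        $0 == "" { next }               # skip blank lines in the output
        {
            # Empty fields (counter not reported for this row) print as "-"
            printf "%s %s dreq=%s dcon=%s\n",
                $(col["pxname"]), $(col["svname"]),
                ($(col["dreq"]) == "" ? "-" : $(col["dreq"])),
                ($(col["dcon"]) == "" ? "-" : $(col["dcon"]))
        }
    '
}

# Constructed, abbreviated sample of "show stat" output (not real data).
sample_show_stat() {
    cat <<'EOF'
# pxname,svname,scur,dreq,dresp,dcon,dses,
web,FRONTEND,0,0,0,17,0,
web,BACKEND,0,0,0,,,
EOF
}

# Offline demonstration on the sample:
sample_show_stat | denied_counters

# Against a live instance, using the same socat invocation as above:
#   echo "show stat" | socat stdio <haproxy-socket-path> | denied_counters
```

In the sample, connections rejected by "tcp-request connection" rules show up under dcon while dreq stays at 0.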
