Hi, I have another problem. I want to allow only some IPs to access my website. Please show me how to allow some IPs by domain name.
I tried with:

    tcp-request connection reject if { hdr(host) crmone.thaison.vn } !{ src x.x.x.x x.x.x.y }

but it does not work. I get this error message:

    keyword 'hdr' which is incompatible with 'frontend tcp-request connection rule'

I tried some other keywords but without success.

-----Original Message-----
From: Aleksandar Lazic <al-hapr...@none.at>
Sent: Monday, January 14, 2019 5:20 PM
To: Vũ Xuân Học <ho...@thaison.vn>; haproxy@formilux.org; 'PiBa-NL' <piba.nl....@gmail.com>
Subject: Re: Get client IP

Hi.

On 14.01.2019 at 03:11, Vũ Xuân Học wrote:
> Hi,
>
> I don't know how to use ssl in http mode. I have many sites with many
> certificates.
>
> As you see:
>
> …
>
>     bind 192.168.0.4:443    (I NAT port 443 from firewall to HAProxy IP 192.168.0.4)
>
> …
>
>     # Define hosts
>     acl host_1 req.ssl_sni -i ebh.vn
>     acl host_2 req.ssl_sni hdr_end(host) -i einvoice.com.vn
>
> … (many acl like above)
>
>     use_backend eBH if host_1
>     use_backend einvoice443 if host_2

You can use maps for this.

https://www.haproxy.com/blog/introduction-to-haproxy-maps/

The openshift router has a complex but usable solution. Don't get confused with the golang template stuff in there.

https://github.com/openshift/router/blob/master/images/router/haproxy/conf/haproxy-config.template#L180
https://github.com/openshift/router/blob/master/images/router/haproxy/conf/haproxy-config.template#L198

Regards
Aleks

> From: Aleksandar Lazic <al-hapr...@none.at>
> Sent: Monday, January 14, 2019 8:45 AM
> To: haproxy@formilux.org; Vũ Xuân Học <ho...@thaison.vn>; 'PiBa-NL' <piba.nl....@gmail.com>
> Subject: RE: Get client IP
>
> Hi.
>
> As you use IIS I strongly suggest to terminate the https on haproxy
> and use mode http instead of tcp.
>
> Here is a blog post about basic setup of haproxy with ssl
>
> https://www.haproxy.com/blog/how-to-get-ssl-with-haproxy-getting-rid-of-stunnel-stud-nginx-or-pound/
>
> I assume that haproxy has the client ip, as the setup works in the http
> config.
>
> Best regards
> Aleks
>
> --------------------------------------------------------------------------------
>
> From: "Vũ Xuân Học" <ho...@thaison.vn>
> Sent: 14 January 2019 02:17:23 CET
> To: 'PiBa-NL' <piba.nl....@gmail.com>, 'Aleksandar Lazic' <al-hapr...@none.at>, haproxy@formilux.org
> Subject: RE: Get client IP
>
> Thanks for your help
>
> I tried to configure HAProxy with accept-proxy like this:
>
>     frontend ivan
>         bind 192.168.0.4:443 accept-proxy
>         mode tcp
>         option tcplog
>
>         #option forwardfor
>
>         reqadd X-Forwarded-Proto:\ https
>
> then my website can not be accessed.
>
> I use IIS as webserver and I don't know how to accept proxy, I only
> know how to configure X-Forwarded-For like this
>
> http://www.loadbalancer.org/blog/iis-and-x-forwarded-for-header/
>
> From: PiBa-NL <piba.nl....@gmail.com>
> Sent: Sunday, January 13, 2019 10:06 PM
> To: Aleksandar Lazic <al-hapr...@none.at>; Vũ Xuân Học <ho...@thaison.vn>; haproxy@formilux.org
> Subject: Re: Get client IP
>
> Hi,
>
> On 13-1-2019 at 13:11, Aleksandar Lazic wrote:
> > Hi.
> >
> > On 13.01.2019 at 12:17, Vũ Xuân Học wrote:
> > > Hi,
> > >
> > > Please help me to solve this problem.
> > >
> > > I use HAProxy version 1.5.18, SSL transparent mode and I can not get client IP
> > > in my .net mvc website. With mode http, I can use option forwardfor to catch
> > > the client ip but with tcp mode, my web reads X_Forwarded_For as null.
> > >
> > > My diagram:
> > >
> > > Client => Firewall => HAProxy => Web
> > >
> > > I read the HAProxy document and tried to use send-proxy. But when I use
> > > send-proxy, I can access my web.
> > >
> > > This is my config:
> > >
> > >     frontend test2233
> > >         bind *:2233
> > >         option forwardfor
> > >
> > >         default_backend testecus
> > >
> > >     backend testecus
> > >         mode http
> > >         server web1 192.168.0.151:2233 check
> > >
> > > The above config works, and I can get the client IP
> >
> > That's good as it's `mode http` therefore haproxy can see the http
> > traffic.
>
> Indeed it can insert the http forwardfor header with 'mode http'.
>
> > > Config with SSL:
> > >
> > >     frontend ivan
> > >         bind 192.168.0.4:443
> > >         mode tcp
> > >         option tcplog
> > >
> > >         #option forwardfor
> > >
> > >         reqadd X-Forwarded-Proto:\ https
> >
> > This can't work as you use `mode tcp` and therefore haproxy can't
> > see the http traffic.
> >
> > From my point of view you now have 2 options.
> >
> > * use https termination on haproxy. Then you can add this http header.
>
> That's one option indeed.
>
> > * use accept-proxy in the bind line. This option requires that the
> >   firewall is able to send the PROXY PROTOCOL header to haproxy.
> >
> > https://cbonte.github.io/haproxy-dconv/1.5/configuration.html#5.1-accept-proxy
>
> I don't expect a firewall to send such a header. And if I understand
> correctly the 'webserver' would need to be configured to accept
> proxy-protocol.
> The modification to make in haproxy would be to configure
> send-proxy[-v2-ssl-cn]
> http://cbonte.github.io/haproxy-dconv/1.9/snapshot/configuration.html#5.2-send-proxy
> And how to configure it with for example nginx:
> https://wakatime.com/blog/23-how-to-scale-ssl-with-haproxy-and-nginx
>
> > The different modes are described in the doc
> >
> > https://cbonte.github.io/haproxy-dconv/1.5/configuration.html#4-mode
> >
> > Here is a blog post about basic setup of haproxy with ssl
> >
> > https://www.haproxy.com/blog/how-to-get-ssl-with-haproxy-getting-rid-of-stunnel-stud-nginx-or-pound/
> >
> > >         acl tls req.ssl_hello_type 1
> > >
> > >         tcp-request inspect-delay 5s
> > >         tcp-request content accept if tls
> > >
> > >         # Define hosts
> > >         acl host_1 req.ssl_sni -i ebh.vn
> > >         acl host_2 req.ssl_sni hdr_end(host) -i einvoice.com.vn
> > >
> > >         use_backend eBH if host_1
> > >         use_backend einvoice443 if host_2
> > >
> > >     backend eBH
> > >         mode tcp
> > >         balance roundrobin
> > >         option ssl-hello-chk
> > >         server web1 192.168.0.153:443 maxconn 30000 check #cookie web1
> > >         server web1 192.168.0.154:443 maxconn 30000 check #cookie web2
> > >
> > > The above config doesn't work, and I can not get the client ip. I tried
> > > `server web1 192.168.0.153:443 send-proxy` and
> > > `server web1 192.168.0.153:443 send-proxy-v2` but I can't access my web.
> >
> > This is expected as the Firewall does not send the PROXY PROTOCOL
> > header and the bind line is not configured for that.
>
> Firewalls by themselves will never use proxy-protocol at all. That it
> doesn't work with send-proxy on the haproxy server line is likely
> because the webservice that is receiving the traffic isn't configured
> to accept the proxy protocol. How to configure a ".net mvc website" to
> accept that is something I don't know, if it is even possible at all..
>
> > > Many thanks,
> >
> > Best regards
> > Aleks
> >
> > > Thanks & Best Regards!
> > > ****************************
> > > * VU XUAN HOC
>
> Regards,
> PiBa-NL (Pieter)
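The error at the top of this message comes from where the rule runs, not from a typo: a `tcp-request connection` rule is evaluated when the TCP connection is accepted, before any payload has arrived, so only connection-level samples such as `src` exist there, and `hdr(host)` is never available in `mode tcp` at all because HAProxy does not parse HTTP in that mode. A per-domain source-IP allow list therefore has to take the domain either from the TLS SNI in a `tcp-request content` rule (after `tcp-request inspect-delay`, as in the SNI-routing config quoted above) or from the Host header once HTTPS is terminated on HAProxy in `mode http`, which is the setup Aleks recommends. The configuration below is an added example, not from anyone in this thread; it keeps the hostnames and backend addresses from the quoted configs, while the allowed client addresses `198.51.100.10` and `198.51.100.11` and the certificate directory are constructed placeholders.

```haproxy
# Added example: restrict crmone.thaison.vn to two source IPs,
# shown for both modes discussed in the thread.
# 198.51.100.10 / 198.51.100.11 are constructed placeholder addresses.

# --- Variant 1: mode tcp, domain taken from the TLS SNI --------------------
# 'tcp-request connection' fires at accept time with no payload, which is
# why 'hdr(host)' is rejected there. The SNI lives in the ClientHello, so the
# check must be a 'tcp-request content' rule guarded by an inspect-delay.
frontend ivan_tcp
    bind 192.168.0.4:443
    mode tcp
    option tcplog

    acl tls          req.ssl_hello_type 1
    acl crm_site     req.ssl_sni -i crmone.thaison.vn
    acl crm_allowed  src 198.51.100.10 198.51.100.11

    tcp-request inspect-delay 5s
    # Close the connection when the CRM name is requested from any other source.
    tcp-request content reject if tls crm_site !crm_allowed
    tcp-request content accept if tls

    use_backend crm443 if crm_site
    default_backend einvoice443

backend crm443
    mode tcp
    server web1 192.168.0.153:443 check

backend einvoice443
    mode tcp
    server web1 192.168.0.154:443 check

# --- Variant 2: mode http, TLS terminated on HAProxy -----------------------
# With the TLS session terminated here HAProxy sees the HTTP request, so the
# Host header can be matched directly, the denied client receives an HTTP 403
# instead of a dropped connection, and X-Forwarded-For can be added for IIS.
frontend ivan_https
    bind 192.168.0.4:443 ssl crt /etc/haproxy/certs/   # placeholder cert dir
    mode http
    option forwardfor
    http-request set-header X-Forwarded-Proto https

    acl crm_site     hdr(host) -i crmone.thaison.vn
    acl crm_allowed  src 198.51.100.10 198.51.100.11

    http-request deny if crm_site !crm_allowed

    use_backend crm80 if crm_site
    default_backend einvoice80

backend crm80
    mode http
    server web1 192.168.0.153:80 check

backend einvoice80
    mode http
    server web1 192.168.0.154:80 check
```

Two points to check before relying on either variant. First, `src` is only meaningful if the firewall forwards the original client address (destination NAT, not source NAT); if every connection arrives from the firewall's own address the allow list cannot distinguish clients, which is the same root cause as the client-IP problem discussed above. Second, the SNI in variant 1 is supplied by the client and only decides routing and this check; in `mode tcp` HAProxy never sees the Host header that the backend will act on, so the backend should still serve the CRM site only for its own hostname, whereas in variant 2 the `hdr(host)` match and the routing decision are made on the same parsed request.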