I have a setup with multiple domains that resolve to a single public IP
address, with https handled by haproxy using SNI feeding an apache http
backend using name-based virtual hosting. Access to some (but not all) of
the virtual hosts should be restricted to a list of ip address ranges.
I'd like to use ipsets for this access control, because they are
convenient to set up and maintain, and because they've been working
great in other setups where I use them from iptables. But iptables won't
work in this virtual hosting setup where only SNI distinguishes the
So far I haven't found a way to get either haproxy or apache to use
ipset ACLs. In theory it seems this should be possible:
* Is there a reason why haproxy has not (AFAICT) implemented ipset
ACLs? Like, maybe it would be horribly inefficient or something?
* Ditto for apache... perhaps same reason?
* Am I wrong, is there in fact a way to use ipset ACLs with haproxy or
apache? (That would be great!)
* How do others handle such virtual hosting situations with differing
ACL requirements? I suppose canonical ways are haproxy src ACL or apache
require ip. Both seem (to me) to be less flexible and harder to maintain
than ipsets. I think I can still use ipsets from iptables in this
virtual hosting setup by using additional public IP addresses or
P.S. I did search before posting and came up empty. I apologize if my
questions have well-known obvious answers. If you can provide a link
I'll be delighted to read! Thanks!
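For reference, this is the "haproxy src ACL" approach the post mentions, written out as an added example (it is not the poster's configuration and nothing on the page confirms their layout). It assumes haproxy terminates TLS itself, routes on the SNI name via `ssl_fc_sni`, and keeps the permitted ranges in a one-CIDR-per-line file loaded with `src -f`, which is the closest haproxy-native equivalent to maintaining an ipset. The hostname, file path, backend address and the sample ranges are placeholders.

```haproxy
# Added example, not from the original post.
# Assumed layout: haproxy terminates HTTPS for several names on one IP and
# forwards plain HTTP to an Apache backend that does name-based vhosting.

frontend https_in
    bind *:443 ssl crt /etc/haproxy/certs/   # placeholder cert directory
    mode http

    # Which virtual host is being asked for (SNI presented in the TLS hello).
    acl restricted_host ssl_fc_sni -i restricted.example.com   # placeholder name

    # Permitted client ranges, one IP or CIDR per line, e.g.
    #   192.0.2.0/24
    #   198.51.100.17
    # (constructed sample values). Edit the file and reload haproxy to update,
    # no config change needed.
    acl allowed_src src -f /etc/haproxy/allowed_ranges.lst   # placeholder path

    # Refuse the restricted host unless the client is in the list;
    # every other virtual host stays unrestricted.
    http-request deny deny_status 403 if restricted_host !allowed_src

    # Pass the original Host header and client IP through to Apache.
    http-request set-header X-Forwarded-Proto https
    option forwardfor
    default_backend apache_http

backend apache_http
    mode http
    server apache1 127.0.0.1:8080 check   # placeholder backend address
```

The check happens at the load balancer before the request reaches Apache, so the unrestricted hosts behind the same IP are unaffected. Because the list is a plain file rather than an inline `src` expression, it can be generated from the same source data that feeds an ipset elsewhere; the trade-off versus a kernel ipset is that changes take effect on reload rather than immediately.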