Hi,

I have a setup with multiple domains that resolve to a single public IP address, with https handled by haproxy using SNI feeding an apache http backend using name-based virtual hosting. Access to some (but not all) of the virtual hosts should be restricted to a list of ip address ranges.

I'd like to use ipsets for this access control, because they are convenient to set up and maintain, and because they've been working great in other setups where I use them from iptables. But iptables won't work in this virtual hosting setup where only SNI distinguishes the virtual hosts.

So far I haven't found a way to get either haproxy or apache to use ipset ACLs. In theory it seems this should be possible:

http://ipset.netfilter.org/libipset.man.html

I'm wondering:

* Is there a reason why haproxy has not (AFAICT) implemented ipset ACLs? Like, maybe it would be horribly inefficient or something?

* Ditto for apache... perhaps same reason?

* Am I wrong, is there in fact a way to use ipset ACLs with haproxy or apache? (That would be great!)

* How do others handle such virtual hosting situations with differing ACL requirements? I suppose canonical ways are haproxy src ACL or apache require ip. Both seem (to me) to be less flexible and harder to maintain than ipsets. I think I can still use ipsets from iptables in this virtual hosting setup by using additional public IP addresses or nonstandard ports.

Thanks,
Frank

P.S. I did search before posting and came up empty. I apologize if my questions have well-known obvious answers. If you can provide a link I'll be delighted to read! Thanks!
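As an added illustration of the "haproxy src ACL" approach mentioned in the last question (this is example configuration, not Frank's setup or anything from the thread), the snippet below assumes haproxy terminates TLS itself, that the restricted host name, the backend address and the list file path are placeholders, and that the allowed ranges live in a separate file with one IP or CIDR per line, which keeps the list maintainable much like an ipset:

```haproxy
# Added example: restrict one SNI name to a file of client ranges.
# All hostnames, paths and addresses are placeholders.
frontend https_in
    mode http
    bind :443 ssl crt /etc/haproxy/certs/

    # The SNI name presented in the TLS handshake (haproxy terminates TLS here).
    acl restricted_host ssl_fc_sni -i restricted.example.com

    # Allowed client sources, loaded from a file: one IP or CIDR per line,
    # e.g. "192.0.2.0/24" or "203.0.113.7". Edit the file, not the config.
    acl allowed_src src -f /etc/haproxy/allowed_src.lst

    # Only the restricted virtual host is gated; the other names pass through.
    http-request deny if restricted_host !allowed_src

    default_backend apache_vhosts

backend apache_vhosts
    mode http
    # Apache does name-based virtual hosting on the Host header as before.
    server apache1 127.0.0.1:8080
```

A file-backed ACL like this can also be changed at runtime through the haproxy stats socket (`add acl` / `del acl`) without a reload, which narrows the maintenance gap with ipsets.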
