Hi.

Am 27.05.2019 um 20:52 schrieb Frank Myhr:
> Hi,
> 
> I have a setup with multiple domains that resolve to a single public IP 
> address,
> with https handled by haproxy using SNI feeding an apache http backend using
> name-base virtual hosting. Access to some (but not all) of the virtual hosts
> should be restricted to a list of ip address ranges.
> 
> I'd like to use ipsets for this access control, because they are convenient to
> set up and maintain, and because they've been working great in other setups
> where I use them from iptables. But iptables won't work in this virtual 
> hosting
> setup where only SNI distinguishes the virtual hosts.
> 
> So far I haven't found a way to get either haproxy or apache to use ipset 
> ACLs.
> In theory it seems this should be possible:
> 
> http://ipset.netfilter.org/libipset.man.html
> 
> I'm wondering:
> 
> *) Is there a reason why haproxy has not (AFAICT) implemented ipset ACLs? 
> Like,
> maybe it would be horribly inefficient or something?
> 
> * Ditto for apache... perhaps same reason?
> 
> * Am I wrong, is there in fact a way to use ipset ACLs with haproxy or apache?
> (That would be great!)
> 
> * How do others handle such virtual hosting situations with differing ACL
> requirements? I suppose canonical ways are haproxy src ACL or apache require 
> ip.
> Both seem (to me) to be less flexible and harder to maintain than ipsets. I
> think I can still use ipsets from iptables in this virtual hosting setup by
> using additional public IP addresses or nonstandard ports.
> 
> Thanks,
> Frank
> 
> P.S. I did search before posting and came up empty. I apologize if my 
> questions
> have well-known obvious answers. If you can provide a link I'll be delighted 
> to
> read! Thanks!

I would use haproxies maps and runtime cli for your requirement instead of
iptables/ipset.

https://www.haproxy.com/blog/introduction-to-haproxy-maps/
https://www.haproxy.com/blog/dynamic-configuration-haproxy-runtime-api/
https://www.haproxy.com/blog/introduction-to-haproxy-acls/

I assume that a haproxy which is running in chrooted environment does not have
access to iptables but to the map files.

It would be also interesting which version of haproxy you have and how your
config looks like.

Best regards
Aleks

Reply via email to