On Mon, 22 Jun 2020 at 20:16, Tim Düsterhus <t...@bastelstu.be> wrote:
> This off-the-shelf PHP application has an integrated admin control panel
> within the /admin/ directory. The frontend consists of several "old
> style" PHP files, handling the various paths (e.g. login.php,
> register.php, create-thread.php). During upgrades of this off-the-shelf
> software new files might be added for new features.
>
> My boss asked me to restrict access to the admin control panel to
> our internal network (192.168.0.0/16) for security reasons. Access to
> the user frontend files must not be restricted.

If I were solving this problem solely at the haproxy layer, I'd do
something like this:

 acl internal_net src 192.168.0.0/16
 acl admin_request path_beg /admin/
 http-request deny if admin_request !internal_net

Though by preference I'd put app policy logic as close to, or best of
all inside, the app itself; which would have X-Forwarded-For
implications. I may have misunderstood your question though!

I'm intrigued by what common problems you foresee here. I suppose the
Front Controller pattern might be ... interesting to deal with?

J
-- 
Jonathan Matthews
London, UK
https://jpluscplusm.com
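
The same policy, moved inside the application as Jonathan suggests, with the X-Forwarded-For handling that move requires. This is an added illustration, not code from the thread, the haproxy project, or the PHP application: the proxy address 10.0.0.5 and the sample client addresses are constructed, and the code assumes the proxy appends the real client address to X-Forwarded-For (as haproxy does with `option forwardfor`), so the rightmost entry is the only one the proxy vouches for; a header arriving on a connection that does not come from the proxy is ignored.

```python
"""Application-side equivalent of the three haproxy lines in the reply:

    acl internal_net src 192.168.0.0/16
    acl admin_request path_beg /admin/
    http-request deny if admin_request !internal_net

Once the check lives behind a reverse proxy, `src` is the proxy, not the
browser, so the client address has to be recovered from X-Forwarded-For,
and only when the request really came through our proxy.
"""
import ipaddress
from typing import Optional, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

INTERNAL_NET = ipaddress.ip_network("192.168.0.0/16")

# Constructed assumption: the reverse proxy talks to the app from this address.
# Only connections from here are allowed to assert a client IP via the header.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}


def client_ip(peer: str, xff: Optional[str] = None) -> IPAddress:
    """Return the address the access decision should be based on.

    peer: the TCP peer address as seen by the app.
    xff:  the X-Forwarded-For header value, if any.
    """
    peer_addr = ipaddress.ip_address(peer)
    if peer_addr not in TRUSTED_PROXIES or not xff:
        # Direct connection (or no header): the peer is the client. Any
        # X-Forwarded-For supplied here was written by the client itself.
        return peer_addr
    # The proxy appends the address it saw; everything to the left of the
    # rightmost entry was supplied by the client and must not be trusted.
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    try:
        return ipaddress.ip_address(hops[-1])
    except (IndexError, ValueError):
        # Malformed header from our own proxy: fall back to the peer, which
        # is outside the internal range and will therefore be denied.
        return peer_addr


def is_admin_request(path: str) -> bool:
    """Mirror of `path_beg /admin/` on the request path (query string excluded)."""
    return path.startswith("/admin/")


def allow(path: str, peer: str, xff: Optional[str] = None) -> bool:
    """Mirror of `http-request deny if admin_request !internal_net`.

    Frontend files are never restricted; /admin/ is reachable only from
    INTERNAL_NET as determined by client_ip().
    """
    if not is_admin_request(path):
        return True
    return client_ip(peer, xff) in INTERNAL_NET


if __name__ == "__main__":
    # Constructed sample requests: (path, peer, X-Forwarded-For)
    samples = [
        ("/login.php", "203.0.113.7", None),                       # frontend, always allowed
        ("/admin/index.php", "192.168.3.4", None),                 # direct internal client
        ("/admin/index.php", "203.0.113.7", None),                 # direct external client
        ("/admin/index.php", "10.0.0.5", "192.168.3.4"),           # internal client via proxy
        ("/admin/index.php", "10.0.0.5", "192.168.3.4, 203.0.113.7"),  # external client via proxy
        ("/admin/index.php", "203.0.113.7", "192.168.3.4"),        # header from a non-proxy peer
    ]
    for path, peer, xff in samples:
        print(f"{path:18} peer={peer:13} xff={xff!s:25} -> {'allow' if allow(path, peer, xff) else 'deny'}")
```

The frontend check (`is_admin_request`) is deliberately a plain prefix test so that it matches what the haproxy ACL does; an application-side check has the additional burden of running on the path the application will actually route, which is where the Front Controller question in the reply becomes relevant.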
