Hi.
On 2025-05-19 (Mo.) 13:55, Maximilian Moehl wrote:
> Hi,
>
> we run HAProxy in front of a multi-tenant platform and want to allow users to configure allow- / deny-lists for their domains. The custom domains are implemented by updating the crt-list to set certificates and TLS configurations provided at runtime.
>
> A simple IP allow-listing can be done like this:
>
>     acl allowlist src -f /usr/local/etc/haproxy/allowlist.txt
>     tcp-request connection accept if allowlist
>
> But so far I haven't been able to find a way that dynamically loads the IP list. For example (does not work):
>
>     tcp-request session set-var(sess.allowlist) ssl_fc_sni,map(/usr/local/etc/custom_allowlists)
>     acl allowlist src -f %[var(sess.allowlist)]
>     tcp-request session accept if allowlist
>
> Plus some logic to test for non-existing lists, etc.
>
> Any suggestions on how to make something like this work? Ideally we'd be able to dynamically add / remove those custom lists as custom domains come and go. Periodically reloading the config does not work for us as we have very long-running web-socket and gRPC connections, which we don't want to interrupt. With reloading we would be accumulating lots of old instances, which we've had issues with in the past.
>
> So far, it seems like the only options would be custom LUA or SPOE.
I see two options :-) .
Runtime API directly
https://www.haproxy.com/blog/dynamic-configuration-haproxy-runtime-api
or
Dataplane API https://github.com/haproxytech/dataplaneapi
> Thank you!
>
> Regards
> Max
Regards
Aleks
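One way to drive per-domain allow-lists through the Runtime API that Aleks points to, written as an added example for this thread rather than code from the list or from the HAProxy project. It assumes the stats socket is exposed at /var/run/haproxy.sock with `level admin`, and that haproxy.cfg already references one pattern file per custom domain (e.g. `acl allow_example src -f /etc/haproxy/allow/example.com.txt`): entries inside such a file can be added and removed with `add acl` / `del acl` without a reload, whereas a file the running config has never seen still needs one. The socket path, the directory and the helper names are assumptions. Because the values come from tenants, they are validated before they are placed in a command; a value containing a newline would otherwise be executed as a second command on the socket.

```python
"""Per-tenant IP allow-lists driven through the HAProxy Runtime API.

Added example, not code from the thread or the HAProxy project.  Assumptions:
  * haproxy.cfg exposes the socket:
        stats socket /var/run/haproxy.sock mode 600 level admin
  * every tenant domain already has its own pattern file referenced in the
    config, e.g.  acl allow_example src -f /etc/haproxy/allow/example.com.txt
Entries in such a file can be changed at runtime with add/del acl; only a
brand-new file still requires a reload.
"""
import ipaddress
import socket

SOCK_PATH = "/var/run/haproxy.sock"     # assumed socket location
ACL_DIR = "/etc/haproxy/allow"          # assumed pattern-file directory


def runtime_cmd(cmd: str, sock_path: str = SOCK_PATH, timeout: float = 5.0) -> str:
    """Send one command in non-interactive mode and return the full reply.

    HAProxy reads up to the newline, answers and closes the connection, so the
    reply is everything up to EOF (the same framing `socat stdio <sock>` uses).
    """
    if "\n" in cmd or "\r" in cmd:
        raise ValueError("line break in command would execute a second command")
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(sock_path)
        s.sendall(cmd.encode() + b"\n")
        s.shutdown(socket.SHUT_WR)
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode(errors="replace")


def canonical_cidr(user_value: str) -> str:
    """Validate a tenant-supplied address before it goes into a command.

    Only a syntactically valid IPv4/IPv6 address or prefix is accepted, which
    rejects whitespace, newlines and any other command text.  strict=False
    accepts a host address with a prefix ('10.1.2.3/24') and normalises it to
    the network ('10.1.2.0/24'); a bare host becomes a /32 or /128.
    """
    return str(ipaddress.ip_network(user_value.strip(), strict=False))


def allow_file(domain: str, acl_dir: str = ACL_DIR) -> str:
    """Map a tenant domain to its pattern file.

    The domain is restricted to hostname characters so a tenant cannot name
    another tenant's file or escape the directory ('../', spaces, etc.).
    """
    label = domain.strip().lower()
    allowed = set("abcdefghijklmnopqrstuvwxyz0123456789.-")
    if not label or label.startswith(".") or ".." in label or set(label) - allowed:
        raise ValueError(f"invalid domain: {domain!r}")
    return f"{acl_dir.rstrip('/')}/{label}.txt"


def add_allowed(domain: str, cidr: str, sock_path: str = SOCK_PATH, acl_dir: str = ACL_DIR) -> str:
    """Allow <cidr> for <domain> without a reload ('add acl <file> <pattern>')."""
    return runtime_cmd(f"add acl {allow_file(domain, acl_dir)} {canonical_cidr(cidr)}", sock_path)


def del_allowed(domain: str, cidr: str, sock_path: str = SOCK_PATH, acl_dir: str = ACL_DIR) -> str:
    """Revoke <cidr> for <domain> ('del acl <file> <key>')."""
    return runtime_cmd(f"del acl {allow_file(domain, acl_dir)} {canonical_cidr(cidr)}", sock_path)


def list_allowed(domain: str, sock_path: str = SOCK_PATH, acl_dir: str = ACL_DIR) -> list:
    """Return the live entries: 'show acl <file>' prints '<ref> <pattern>' per line."""
    out = runtime_cmd(f"show acl {allow_file(domain, acl_dir)}", sock_path)
    entries = []
    for line in out.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].startswith("0x"):
            entries.append(parts[1])
    return entries


if __name__ == "__main__":
    # Against a live HAProxy; the socket path above is an assumption.
    print(add_allowed("example.com", "203.0.113.0/24"))
    print(list_allowed("example.com"))
```

Entries changed this way live only in HAProxy's memory: write the same change to the pattern file on disk as well, otherwise the next reload (for instance to introduce a new domain's file) re-reads the file without them.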