Re: Block clients based on header in real time?
Hello,

Some time has passed and I have come back to this situation. I tried to implement a white and black list in this stick table. One solution is based on storing the IPs and playing with setting data.gpc0 to 1 or 0. OK, it works, but the problem now is with networks.

The first issue is with the stick-table: this table is for storing IPs, not a subnet or a piece of one. For this reason, the first thing is to change type ip to type string. Now, the only workaround for matching a subnet is storing it in a format that matches an 8/16/24 mask:

    60.40.0
    32.11
    44

Well, now I can store what I want:

    # table: name-of-back1, type: string, size:1048576, used:2
    0x21559c4: key=10.0.0 use=0 exp=0 gpc0=1
    0x2155a94: key=10.0.0.1 use=0 exp=0 gpc0=0

In this example, I want to deny the whole 10.0.0.0/24 network except for the host 10.0.0.1. But the problem now is matching this situation. With this code:

    tcp-request content track-sc1 req.hdr(True-Client-IP,1)
    http-request deny if { sc1_get_gpc0 gt 0 }

it only works if the exact content matches the True-Client-IP header, which is impossible in the case of networks. I found hdr_beg in the doc, but above it is the text "ACL derivatives", and I couldn't get a valid working configuration with it in my tests.

Is it possible to do that, to match the first characters of the tracked header? Any example configuration with hdr_beg running in a tcp-request line?

Thanks,

From: Ricardo Fraile <rfra...@yahoo.es>
To: Baptiste <bed...@gmail.com>
CC: haproxy@formilux.org
Sent: Wednesday 12 June 2013 11:03
Subject: Re: Block clients based on header in real time?
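As an added illustration (my own code, not from the thread or from HAProxy), here is the decision the string-keyed table above is meant to express, emulated in Python: it parses the `show table` listing format shown in the post and applies longest-prefix matching on octet boundaries, so a prefix entry with gpc0=1 denies the network while a host entry with gpc0=0 is exempt. The table contents and the extra 192.168 entry are constructed.

```python
import ipaddress
import re

# Constructed sample of the runtime socket's "show table" listing, in the
# layout the post shows: a string-keyed table holding dotted prefixes
# (8/16/24-bit masks) and full hosts, with gpc0=1 meaning "deny".
SHOW_TABLE = """\
# table: name-of-back1, type: string, size:1048576, used:3
0x21559c4: key=10.0.0 use=0 exp=0 gpc0=1
0x2155a94: key=10.0.0.1 use=0 exp=0 gpc0=0
0x2155b64: key=192.168 use=0 exp=0 gpc0=1
"""

ENTRY_RE = re.compile(r"^0x[0-9a-f]+: key=(?P<key>\S+) .*\bgpc0=(?P<gpc0>\d+)")


def parse_show_table(text):
    """Return {key: gpc0} from a 'show table <name>' listing."""
    table = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            table[m.group("key")] = int(m.group("gpc0"))
    return table


def decide(table, header_value):
    """Emulate the rule the poster wants: the most specific dotted prefix
    present in the table wins, and the request is denied when its gpc0 > 0.
    Returns (denied, matched_key). Only meaningful when True-Client-IP is
    set by a trusted upstream; a header the client controls proves nothing."""
    try:
        ip = ipaddress.IPv4Address(header_value.strip())
    except ValueError:
        return (False, None)  # not a valid address: no entry can match
    octets = str(ip).split(".")
    for n in (4, 3, 2, 1):  # a.b.c.d, a.b.c, a.b, a
        key = ".".join(octets[:n])
        if key in table:
            return (table[key] > 0, key)
    return (False, None)


def to_cidr(key):
    """Translate a dotted prefix key back to the network it stands for."""
    parts = key.split(".")
    net = ".".join(parts + ["0"] * (4 - len(parts)))
    return str(ipaddress.IPv4Network(f"{net}/{8 * len(parts)}"))
```

Running `decide(parse_show_table(SHOW_TABLE), "10.0.0.2")` returns `(True, "10.0.0")`, while `10.0.0.1` is allowed by its own more specific entry.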
Re: Block clients based on header in real time?
Fantastic! With this conf, I can now update the list with a simple:

    # echo "set table name-of-the-table key 10.0.0.1 data.gpc0 1" | socat stdio /var/run/haproxy.sock

And with a curl:

    $ curl -I 127.0.0.1:80 -H "True-Client-IP: 10.0.0.1"
    HTTP/1.0 403 Forbidden
    Cache-Control: no-cache
    Connection: close
    Content-Type: text/html

But one more question: if I need to block a subnet, how can I do it? I tried to store:

    echo "set table name-of-the-table key 10.0.0.0/8 data.gpc0 1" | socat stdio /var/run/haproxy.sock

but it does not work, and the same with only "10." in place of 10.0.0.0/8, but nothing.

Thanks,

From: Baptiste <bed...@gmail.com>
To: Ricardo Fraile <rfra...@yahoo.es>
CC: haproxy@formilux.org
Sent: Saturday 8 June 2013 8:40
Subject: Re: Block clients based on header in real time?
Re: Block clients based on header in real time?
Hi Ricardo,

Actually, this is how I would do the conf:

    stick-table type ip size 1m store gpc0
    tcp-request content track-sc1 req.hdr_ip(True-Client-IP)
    http-request deny if { sc1_get_gpc0 gt 0 }

Then you can insert new data in the stick table using the HAProxy UNIX socket (which can run over TCP) with:

    set table <table> key <key> data.<data_type> <value>

For example, to block 10.0.0.1:

    set table mybackend key 10.0.0.1 data.gpc0 1

And you're done. Here is the result when I test it with curl on my laptop:

    $ curl 127.0.0.1:8080 -H "True-Client-IP: 10.0.0.1"
    <html><body><h1>403 Forbidden</h1>
    Request forbidden by administrative rules.
    </body></html>

    $ curl 127.0.0.1:8080
    <html><body><h1>503 Service Unavailable</h1>
    No server is available to handle this request.
    </body></html>

Baptiste

On Thu, May 30, 2013 at 12:50 PM, Ricardo Fraile <rfra...@yahoo.es> wrote:
Re: Block clients based on header in real time?
Hello,

OK, I updated the server to version 1.5, but I have some trouble between the stick-table and the ACL. Before, I had:

    listen host1 *:80
        ...
        mode http
        acl block_invalid_client hdr_sub(True-Client-IP) -f true-client-ip.lst
        block if block_invalid_client
        ...

Now, I try to change the file to a stick table:

    backend host1
        ...
        stick-table type ip size 1m store gpc0
        acl block_invalid_client hdr_ip(True-Client-IP) -- { stick match(host1) }
        http-request deny if block_invalid_client
        ...

But it does not work:

    error detected while parsing ACL 'block_invalid_client' : '{' is not a valid IPv4 or IPv6 address.
    error detected while parsing an 'http-request deny' condition : no such ACL : 'block_invalid_client'.

Is it possible to match an HTTP header inside an ACL against a stick table?

Thanks,

----- Original message -----
From: Baptiste <bed...@gmail.com>
To: Ricardo Fraile <rfra...@yahoo.es>
CC: haproxy@formilux.org
Sent: Wednesday 29 May 2013 14:51
Subject: Re: Block clients based on header in real time?
Re: Block clients based on header in real time?
I keep trying configurations, looking in the list and some blogs, but I can't ban IPs from a stick table, or I don't know how. The last thing I tried:

    backend host:80
        stick-table type ip size 1m store gpc0
        http-request deny if hdr_sub(True-Client-IP)   # How do I check here if the True-Client-IP is inside the stick-table?

In the table, I put the IPs by hand; it looks like this:

    show table host
    # table: back-idealista.es-http, type: ip, size:1048576, used:2
    0xcae6c4: key=192.168.1.5 use=0 exp=0 gpc0=1
    0xcdac34: key=192.168.1.6 use=0 exp=0 gpc0=1

The most similar is this message in the list: http://comments.gmane.org/gmane.comp.web.haproxy/9938 but the problem is that there the IP of the client is inside a header.

Thanks,

----- Original message -----
From: Ricardo Fraile <rfra...@yahoo.es>
To: haproxy@formilux.org
Sent: Thursday 30 May 2013 12:50
Subject: Re: Block clients based on header in real time?
Block clients based on header in real time?
Hello,

I'm looking for a solution for blocking users based on a header, x-forwarded-for. I already have an ACL for this, but is it possible to update the list of IPs without restarting haproxy?

Thanks,
Re: Block clients based on header in real time?
Hi,

With the latest HAProxy version, you could use a stick table and insert IPs into the stick table through the HAProxy socket. Then you can ban all IPs from the stick table.

Baptiste

On Wed, May 29, 2013 at 1:05 PM, Ricardo Fraile <rfra...@yahoo.es> wrote: