Re: Block clients based on header in real time?

2013-07-18 Thread Ricardo Fraile
Hello,

After some time, I return to this situation.

I tried to implement a white and black list in this stick table. One solution is 
based on storing the IPs and playing with setting data.gpc0 to 1 or 0. OK, it works, 
but the problem now is with networks.


The first issue is with the stick-table: this table is for storing IPs, not a 
subnet or a piece of it. For this reason, the first thing is to change type 
ip to type string.

Now, the only workaround for matching a subnet is storing it in a format that 
matches an 8/16/24 mask:
60.40.0
32.11
44

Well, now I can store what I want:
# table: name-of-back1, type: string, size:1048576, used:2
0x21559c4: key=10.0.0 use=0 exp=0 gpc0=1
0x2155a94: key=10.0.0.1 use=0 exp=0 gpc0=0

In this example, I want to deny the whole 10.0.0.0/24 network except for the host 
10.0.0.1. But the problem now is matching this situation with this code:
tcp-request content track-sc1 req.hdr(True-Client-IP,1)
http-request deny if { sc1_get_gpc0 gt 0 }

It only works if the exact content matches the True-Client-IP header, which 
is impossible in the case of networks.

I found hdr_beg in the doc, but it is under the text "ACL derivatives", and 
I can't produce a valid working configuration with it in my tests.

Is it possible to do that, match the first characters of the tracked header? 
Any example conf with hdr_beg running in a tcp-request line?


Thanks,


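The deny-a-subnet-but-allow-one-host lookup asked for in the message above, as an added example of my own (not code from this thread or from HAProxy). It takes the two entries from the string-typed table dump in that message (key 10.0.0 with gpc0=1, key 10.0.0.1 with gpc0=0), expands the 8/16/24 dotted-prefix convention into CIDR networks, and picks the most specific matching entry, which is what an exact-key stick-table match cannot do. It goes beyond the thread in also accepting keys written in CIDR form, so any mask length works. It also shows the check the curl tests in this thread make obvious: True-Client-IP is just a request header any client can set, so it is only honoured when the TCP peer is one of an assumed list of trusted proxies (the 192.0.2.0/24 range is a placeholder). An unparsable header value fails closed.

```python
"""Allow/deny lookup with most-specific-prefix semantics.

Added example, not code from this thread or from HAProxy.  It models the
decision the string-keyed table in the message above is trying to express
(deny 10.0.0.0/24 but allow 10.0.0.1), which an exact-key match cannot do.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# The two entries from the 'show table' dump above: key -> gpc0
# (1 = deny, 0 = explicit allow).
DUMP_ENTRIES: Dict[str, int] = {"10.0.0": 1, "10.0.0.1": 0}

# Assumption for this example: only these peers may assert True-Client-IP.
# 192.0.2.0/24 is documentation space, used here as a placeholder.
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.0/24")]

Rule = Tuple[ipaddress.IPv4Network, int]


def dotted_prefix_to_network(key: str) -> ipaddress.IPv4Network:
    """Expand the 8/16/24-bit dotted-prefix convention from the thread:
    '10' -> 10.0.0.0/8, '32.11' -> 32.11.0.0/16, '10.0.0' -> 10.0.0.0/24,
    '10.0.0.1' -> 10.0.0.1/32.  A key already in CIDR form is accepted too,
    which goes beyond the thread and allows any mask length."""
    if "/" in key:
        return ipaddress.IPv4Network(key, strict=True)
    octets = key.split(".")
    if not 1 <= len(octets) <= 4 or not all(
        o.isdigit() and 0 <= int(o) <= 255 for o in octets
    ):
        raise ValueError(f"bad key: {key!r}")
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.IPv4Network(f"{padded}/{8 * len(octets)}", strict=True)


def build_rules(entries: Dict[str, int]) -> List[Rule]:
    """Longest prefix first, so the most specific entry wins the lookup."""
    rules = [(dotted_prefix_to_network(k), v) for k, v in entries.items()]
    rules.sort(key=lambda r: r[0].prefixlen, reverse=True)
    return rules


def lookup(rules: List[Rule], ip: str) -> Optional[int]:
    """gpc0 of the most specific entry covering ip, or None if no entry does."""
    addr = ipaddress.ip_address(ip)
    for net, gpc0 in rules:
        if addr in net:
            return gpc0
    return None


def client_ip(src: str, true_client_ip: Optional[str]) -> str:
    """Honour True-Client-IP only when the TCP peer is a trusted proxy;
    otherwise the header is attacker-controlled and the peer address is used."""
    src_addr = ipaddress.ip_address(src)
    if true_client_ip and any(src_addr in net for net in TRUSTED_PROXIES):
        return true_client_ip.strip()
    return src


def should_deny(rules: List[Rule], src: str, true_client_ip: Optional[str] = None) -> bool:
    """True when the effective client address hits a deny entry.
    A header value that is not an address fails closed (deny)."""
    try:
        return lookup(rules, client_ip(src, true_client_ip)) == 1
    except ValueError:
        return True


if __name__ == "__main__":
    rules = build_rules(DUMP_ENTRIES)
    for peer, hdr in [("192.0.2.10", "10.0.0.5"), ("192.0.2.10", "10.0.0.1"),
                      ("203.0.113.7", "10.0.0.5")]:
        print(peer, hdr, "deny" if should_deny(rules, peer, hdr) else "allow")
```

In HAProxy 1.5 and later, the way to express this lookup inside the proxy itself is an ACL file loaded with -f (IP patterns in such a file may be CIDR networks), maintained over the same stats socket with `add acl` and `del acl`, with an `http-request allow` rule for the exceptions placed before the `http-request deny`.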
Re: Block clients based on header in real time?

2013-06-12 Thread Ricardo Fraile
Fantastic!

With this conf, I can now update the list with a simple:
# echo set table name-of-the-table key 10.0.0.1 data.gpc0 1 | socat stdio 
/var/run/haproxy.sock


And with curl:
$ curl -I 127.0.0.1:80 -H "True-Client-IP: 10.0.0.1"
HTTP/1.0 403 Forbidden
Cache-Control: no-cache
Connection: close
Content-Type: text/html

But one more question: if I need to block a subnet, how can I do it? I tried to 
store:
echo set table name-of-the-table key 10.0.0.0/8 data.gpc0 1 | socat stdio 
/var/run/haproxy.sock

but it does not work, and the same with only "10." in place of 10.0.0.0/8, 
but nothing.

Thanks, 





Re: Block clients based on header in real time?

2013-06-08 Thread Baptiste
Hi Ricardo,

Actually, this is how I would do the conf:
  stick-table type ip size 1m store gpc0
  tcp-request content track-sc1 req.hdr_ip(True-Client-IP)
  http-request deny if { sc1_get_gpc0 gt 0 }


Then you can insert new data in the stick table using the HAProxy UNIX
socket (which can also run over TCP) with:
  set table <table> key <key> data.<data_type> <value>
For example, to block 10.0.0.1:
  set table mybackend key 10.0.0.1 data.gpc0 1

And you're done.

Here is the result when I test it with curl on my laptop:

$ curl 127.0.0.1:8080 -H "True-Client-IP: 10.0.0.1"

<html><body><h1>403 Forbidden</h1>
Request forbidden by administrative rules.
</body></html>


$ curl 127.0.0.1:8080

<html><body><h1>503 Service Unavailable</h1>
No server is available to handle this request.
</body></html>


Baptiste



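The socket workflow Baptiste describes above (set table over the stats socket, then checking the result), as an added example of my own, not code from this thread or from HAProxy: a small Python client that sends `set table ... data.gpc0 1` and `show table` and parses the entry lines in the format shown further down this thread (`0xcae6c4: key=192.168.1.5 use=0 exp=0 gpc0=1`). The socket path /var/run/haproxy.sock and the table name mybackend are assumptions. What it adds to the one-liners is input validation: a `type ip` table only takes a single address as its key, so `10.0.0.0/8` or `10.` is rejected client-side instead of silently doing nothing in HAProxy, and because the stats socket runs several commands separated by `;` on one line, a key is only ever spliced into a command after it has parsed as an address.

```python
"""Minimal client for the HAProxy stats socket 'set table' / 'show table' flow.

Added example, not code from this thread or from HAProxy.  Assumptions: the
socket lives at /var/run/haproxy.sock and the table is named 'mybackend'
(declared 'stick-table type ip size 1m store gpc0' as in the conf above).
"""
import ipaddress
import re
import socket
from typing import Callable, Dict, List

SOCK_PATH = "/var/run/haproxy.sock"  # assumed path
TABLE = "mybackend"                   # assumed table name

Sender = Callable[[str], str]


def unix_send(cmd: str, path: str = SOCK_PATH) -> str:
    """Send one command line and return everything HAProxy writes back.
    HAProxy answers a single line and closes the connection, so read to EOF."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(path)
        s.sendall((cmd + "\n").encode())
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode(errors="replace")


_NAME = re.compile(r"^[A-Za-z0-9_.:-]+$")


def _check_name(name: str) -> str:
    if not _NAME.match(name):
        raise ValueError(f"unsafe table name {name!r}")
    return name


def _check_key(key: str) -> str:
    """A 'type ip' table takes a single address as key.  Parsing it with
    ipaddress rejects '10.0.0.0/8' and '10.' up front (the thread shows
    HAProxy ignoring those), and also anything carrying ';' or a newline,
    which the stats socket would otherwise run as a further command."""
    return str(ipaddress.ip_address(key))


def set_gpc0(key: str, value: int, table: str = TABLE, send: Sender = unix_send) -> str:
    if value not in (0, 1):
        raise ValueError("gpc0 is used as a flag here: 0 or 1")
    cmd = f"set table {_check_name(table)} key {_check_key(key)} data.gpc0 {value}"
    return send(cmd)


def block(key: str, **kw) -> str:
    return set_gpc0(key, 1, **kw)


def unblock(key: str, **kw) -> str:
    return set_gpc0(key, 0, **kw)


# One entry line of 'show table', e.g.
# 0xcae6c4: key=192.168.1.5 use=0 exp=0 gpc0=1
_ROW = re.compile(r"^0x[0-9a-fA-F]+: key=(\S+)\s*(.*)$")


def show_table(table: str = TABLE, send: Sender = unix_send) -> List[Dict[str, str]]:
    """Parse 'show table <name>' output into one dict per entry; the
    '# table: ...' header line and blank lines are skipped."""
    rows: List[Dict[str, str]] = []
    for line in send(f"show table {_check_name(table)}").splitlines():
        m = _ROW.match(line.strip())
        if not m:
            continue
        row = {"key": m.group(1)}
        for kv in m.group(2).split():
            name, _, val = kv.partition("=")
            row[name] = val
        rows.append(row)
    return rows


def blocked_keys(table: str = TABLE, send: Sender = unix_send) -> List[str]:
    return [r["key"] for r in show_table(table, send) if r.get("gpc0") == "1"]


if __name__ == "__main__":
    print(block("10.0.0.1"))
    print(blocked_keys())
```

The `send` parameter exists so the command composition and the parser can be exercised without a running HAProxy; in production the default `unix_send` talks to the real socket, and the socket file should stay restricted to the operators or the process that is allowed to change the blocklist, since anyone who can write to it can also clear tables or disable servers.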
Re: Block clients based on header in real time?

2013-05-30 Thread Ricardo Fraile
Hello,

   OK, I updated the server to version 1.5, but I have some trouble between the 
stick-table and the ACL.

   Before, I had:

listen host1 *:80
    ...
    mode http
    acl block_invalid_client hdr_sub(True-Client-IP) -f true-client-ip.lst
    block if block_invalid_client
    ... 

   Now, I try to change the file to a stick table:

backend host1
    ...

    stick-table type ip size 1m store gpc0
    acl block_invalid_client hdr_ip(True-Client-IP) -- { stick match(host1) }
    http-request deny if block_invalid_client
    ...

    But it does not work:

    error detected while parsing ACL 'block_invalid_client' : '{' is not a 
valid IPv4 or IPv6 address.
    error detected while parsing an 'http-request deny' condition : no such ACL 
: 'block_invalid_client'.


    Is it possible to match an HTTP header inside an ACL against a stick table?

Thanks, 





Re: Block clients based on header in real time?

2013-05-30 Thread Ricardo Fraile
I continue trying configurations, looking in the list and some blogs, but I 
can't ban IPs from a stick table, or I don't know how. The last thing I tried:

backend host:80
        stick-table type ip size 1m  store gpc0
        http-request deny if hdr_sub(True-Client-IP) # How do I check here whether the True-Client-IP is inside the stick-table?


In the table, I put the IPs by hand; it looks like this:

show table host
# table: back-idealista.es-http, type: ip, size:1048576, used:2
0xcae6c4: key=192.168.1.5 use=0 exp=0 gpc0=1
0xcdac34: key=192.168.1.6 use=0 exp=0 gpc0=1


The most similar is this message on the list: 
http://comments.gmane.org/gmane.comp.web.haproxy/9938 but the problem is that 
there the IP of the client is inside a header.


Thanks,




Block clients based on header in real time?

2013-05-29 Thread Ricardo Fraile
Hello,


   I'm looking for a solution for blocking users based on a header, 
x-forwarded-for. I already have an ACL for this, but is it possible to update the 
list of IPs without restarting haproxy?


Thanks,



Re: Block clients based on header in real time?

2013-05-29 Thread Baptiste
Hi,

With the latest HAProxy version, you could use a stick table and insert
IPs into the stick table through the HAProxy socket.
Then you can ban all IPs from the stick table.

Baptiste

