RE: Using a Whitelist to Redirect Users not on the Whitelist

2014-07-21 Thread JDzialo John
Hi Guys,

I’m new to haproxy configurations and this may be a very sophomoric question 
but am hoping someone can give me some guidance.  I have read through the 
documentation for haproxy 1.5.2 and haven’t seen a lot of info on using 
whitelist text files to allow traffic from specific originating CIDR subnets.

I have a whitelist of subnets in a text file and want to redirect all traffic 
to a maintenance page other than the CIDR subnets in the whitelist.lst file.

My whitelist.lst file is as follows…

#Allowed Internal Subnets
10.0.0.0/22
172.31.0.0/16
10.1.4.1/22
10.24.8.0/24
10.24.32.0/23
10.24.48.0/24
10.24.56.0/24
172.20.208.0/24
172.24.132.0/22
172.24.152.0/22
172.24.160.0/22
172.24.248.0/24
172.24.64.0/22
172.27.128.0/24
192.168.169.0/24

I am using the following http-request statement

http-request redirect location http://www.foo.com/maintenence unless { src -f /etc/haproxy/whitelist.lst }

With this statement all traffic is being redirected whether the client IP is in 
the whitelisted text file of subnets or not.

Is my format for the whitelist.lst file correct?  Is there any special 
formatting I need for haproxy to read it?

Is my http-request statement correct?  Any thoughts on how I can get this to 
work the way I intend?


Using a Whitelist to Redirect Users not on the Whitelist

2014-07-17 Thread JDzialo John
Hi Guys,

I am creating a whitelist of subnets allowed to access HAPROXY during 
maintenance.  Basically I want to redirect everyone to our maintenance page 
other than users in the whitelisted file.

Here is my config...

frontend https-in
    bind *:443 ssl crt /etc/ssl/xxx..com.chain.pem
    reqadd X-Forwarded-Proto:https
    reqadd X-Forwarded-Port:443
    timeout client 60

    # Capture Headers
    capture request header If-Modified-Since len 50
    capture request header X-Forwarded-For  len 50

    acl whitelist hdr_ip(X-Forwarded-For) -f /etc/haproxy/whitelist.lst

    redirect location http://www.mysite.com/maintenence if !whitelist

    default_backend web

This is not working and is forwarding everyone to the maintenance page despite 
being a member of a whitelisted subnet. (10.0.0.0/8)

Is using the hdr_ip(X-Forwarded-For) in the acl the way to go or is there a 
better way to redirect everyone but a few whitelisted subnets?

Thanks in advance for any help you can offer.


John Dzialo | Linux System Administrator
Direct 203.783.8163 | Main 800.352.0050

Environmental Data Resources, Inc.
440 Wheelers Farms Road, Milford, CT 06461
www.edrnet.com | commonground.edrnet.com
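An added example, not code from this thread or from the HAProxy project: a small Python script that reads a whitelist file the way HAProxy's "-f" loader does (leading whitespace skipped, lines starting with "#" and blank lines ignored, first token of the line is the pattern), evaluates the decision made by the later "http-request redirect location ... unless { src -f /etc/haproxy/whitelist.lst }" attempt for a few client addresses, and shows why the "acl whitelist hdr_ip(X-Forwarded-For) ..." line in the config above cannot work when clients connect directly: the header is absent, so nobody matches, and any client that adds the header itself could claim a whitelisted address. Only when the TCP peer is a trusted proxy is the entry it appended meaningful, which is what hdr_ip(X-Forwarded-For,-1) selects in HAProxy; otherwise "src" is the value to compare. The whitelist contents are a copy of the list posted in this thread embedded as a string; the redirect URL, the sample client addresses and the trusted-proxy range are placeholders. It also flags entries whose host bits are set (10.1.4.1/22 is really the network 10.1.4.0/22), which is worth tidying even though the match result is the same. Unrelated to the ACL but worth checking while editing this frontend: HAProxy timeouts default to milliseconds, so "timeout client 60" is 60 ms.

```python
"""Offline check of HAProxy's 'src -f whitelist.lst' decision.

Added example for this thread; it is not HAProxy code and does not read the
real /etc/haproxy/whitelist.lst.  Standard library only.
"""
import ipaddress

# Copy of the whitelist.lst posted in the thread, embedded as a string so the
# script runs stand-alone (constructed input, not read from disk).
WHITELIST_LST = """\
#Allowed Internal Subnets
10.0.0.0/22
172.31.0.0/16
10.1.4.1/22
10.24.8.0/24
10.24.32.0/23
10.24.48.0/24
10.24.56.0/24
172.20.208.0/24
172.24.132.0/22
172.24.152.0/22
172.24.160.0/22
172.24.248.0/24
172.24.64.0/22
172.27.128.0/24
192.168.169.0/24
"""


def parse_pattern_file(text):
    """Read a pattern file as HAProxy's '-f' loader does: leading whitespace is
    skipped, blank lines and lines whose first character is '#' are ignored,
    and only the first whitespace-separated token of a line is the pattern.
    A bare address is a single host (/32).

    Returns (networks, warnings).  An entry with host bits set, such as
    10.1.4.1/22, is normalised to its network (10.1.4.0/22) and reported so
    the operator can tidy the file.  A token that is not an address at all
    raises ValueError, as a broken file should."""
    networks, warnings = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        stripped = raw.lstrip()
        if not stripped or stripped.startswith("#"):
            continue
        token = stripped.split()[0]
        try:
            net = ipaddress.ip_network(token)            # strict: host bits must be zero
        except ValueError:
            net = ipaddress.ip_network(token, strict=False)
            warnings.append(f"line {lineno}: {token} has host bits set, treated as {net}")
        networks.append(net)
    return networks, warnings


def src_in_list(src, networks):
    """The ACL 'src -f file': true when the TCP peer address is in any entry."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in networks)


def redirect_target(src, networks, location="http://www.foo.com/maintenance"):
    """Mirror 'http-request redirect location <location> unless { src -f ... }'.
    Returns None when the request proceeds to the backend, otherwise the URL
    of the 302 the client receives.  The URL is a placeholder."""
    return None if src_in_list(src, networks) else location


def effective_client_ip(src, headers, trusted_proxies=()):
    """Which address the whitelist should be compared against.

    With no reverse proxy in front of HAProxy (the situation in this thread)
    the only trustworthy value is the TCP peer address, 'src': a client can
    write anything into X-Forwarded-For, so honouring that header from an
    untrusted peer lets anyone claim a whitelisted address.  Only when the
    peer is itself a trusted proxy is the entry it appended (the last one,
    hdr_ip(X-Forwarded-For,-1) in HAProxy terms) meaningful."""
    peer = ipaddress.ip_address(src)
    if any(peer in ipaddress.ip_network(p) for p in trusted_proxies):
        xff = headers.get("X-Forwarded-For", "")
        if xff:
            return xff.split(",")[-1].strip()
    return src


if __name__ == "__main__":
    nets, warns = parse_pattern_file(WHITELIST_LST)
    for w in warns:
        print("warning:", w)
    # Placeholder client addresses: two inside the list, two outside it.
    for client in ("10.0.1.77", "10.1.6.9", "10.0.9.1", "8.8.8.8"):
        print(client, "->", redirect_target(client, nets) or "backend")
    # A direct client claiming a whitelisted address via the header gains nothing.
    spoofed = effective_client_ip("8.8.8.8", {"X-Forwarded-For": "10.0.1.1"})
    print("compared against:", spoofed)
```

Run it as a script to see the one warning for the 10.1.4.1/22 entry and the per-client decision; the same functions can be pointed at the real file with parse_pattern_file(open("/etc/haproxy/whitelist.lst").read()) to sanity-check a list before reloading HAProxy.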



Re: Using a Whitelist to Redirect Users not on the Whitelist

2014-07-17 Thread Jonathan Matthews
On 17 Jul 2014 18:15, JDzialo John jdzi...@edrnet.com wrote:
> I am creating a whitelist of subnets allowed to access HAPROXY during
> maintenance.  Basically I want to redirect everyone to our maintenance page
> other than users in the whitelisted file.
>
> This is not working and is forwarding everyone to the maintenance page
> despite being a member of a whitelisted subnet. (10.0.0.0/8)
>
> Is using the hdr_ip(X-Forwarded-For) in the acl the way to go

Unless your traffic is passing through another reverse proxy which inserts
this header before it hits HAProxy, no. Why are you choosing to use that
header?


RE: Using a Whitelist to Redirect Users not on the Whitelist

2014-07-17 Thread JDzialo John
It was a method I found online without really understanding what 
X-Forwarded-For header does.

Traffic does not pass through a reverse proxy before hitting HAProxy.  It 
should be a direct hit from the client.  Is there a header I can compare to our 
whitelist to reliably get all incoming traffic’s originating IP?

REMOTE_ADDR, CLIENT_IP, etc?

Thanks
