Re: read ACL to block ip's from file to prevent DDoS?

2014-09-15 Thread Marc Cortinas Val
Hello,
 First of all, congratulations, I think modifying the ACL at runtime within reload all 
daemon configuration is a 
big HIT. 
 On the other hand, I applied the ipabuser acl with keymap, managing it with socat, and 
it works fine, 
but it is NOT permanent when the daemon is restarted. 

 There could be an option for this but I'm not sure, do you know of one?

 Furthermore, I'm interested in dynamic ACL, what's this? Could you explain 
more?

Thanks in advance,
Marc
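
The persistence gap described in this message can be closed by writing each change to the map file as well as to the running map. The script below is an added example, not part of the thread and not HAProxy project code; the function names, the script name and the `/etc/haproxy/abusers.lst` path are assumptions, and it relies on the map file format of one `key value` pair per line.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed paths; MAP_ID must match the
# name given to map_ip_int() in haproxy.cfg, MAP_FILE is that file on disk.
MAP_ID="${MAP_ID:-abusers.lst}"
MAP_FILE="${MAP_FILE:-/etc/haproxy/abusers.lst}"
SOCK="${SOCK:-/tmp/haproxy}"

# Send one command to the stats socket (same socat call as in the thread).
send_cmd() {
    echo "$1" | socat - "unix:$SOCK"
}

# Accept only dotted-quad IPv4. Rejecting every other character also keeps
# ';' and newlines, which would start a second socket command, out of send_cmd.
valid_ipv4() {
    case "$1" in ''|*[!0-9.]*) return 1 ;; esac
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++)
              if ($i !~ /^[0-9]+$/ || length($i) > 3 || $i > 255) exit 1 }'
}

# Block now (runtime map) and after a restart (one "IP 1" line in the file).
block_ip() {
    valid_ipv4 "$1" || { echo "invalid address: $1" >&2; return 2; }
    send_cmd "add map $MAP_ID $1 1" || return 1
    grep -qxF "$1 1" "$MAP_FILE" 2>/dev/null || echo "$1 1" >> "$MAP_FILE"
}

# Release: drop the runtime entry, then rewrite the file without that key.
unblock_ip() {
    valid_ipv4 "$1" || { echo "invalid address: $1" >&2; return 2; }
    send_cmd "del map $MAP_ID $1" || return 1
    [ -f "$MAP_FILE" ] || return 0
    tmp="$MAP_FILE.tmp.$$"
    awk -v ip="$1" '$1 != ip' "$MAP_FILE" > "$tmp" && mv "$tmp" "$MAP_FILE"
}

# Usage: ./abuser.sh block 10.0.3.7   |   ./abuser.sh unblock 10.0.3.7
case "${1:-}" in
    block)   block_ip "${2:-}" ;;
    unblock) unblock_ip "${2:-}" ;;
esac
```

socat exits 0 even when HAProxy answers with an error string, so a caller that needs certainty should read the reply or follow up with `show map`.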




Re: read ACL to block ip's from file to prevent DDoS?

2014-01-15 Thread david rene comba lareu
Hi,

Awesome! Thanks for the help, I'm gonna try it asap :D

Regards.

2014/1/15 Thierry FOURNIER tfourn...@exceliance.fr:
 Hi,

 Now you can use map for your needs. The maps can be manipulated via the
 stats socket. The identifier of the map is the file name:

acl abuser src,map_ip_int(abusers.lst,0) -m int eq 1
http-request tarpit if abuser

 The file abusers.lst is an empty file, or contains the known blocked IPs.

 During the run of haproxy, you can block one IP address with this
 command:

echo add map abusers.lst 10.0.3.7 1 | socat - unix:/tmp/haproxy

 You can release the ip with this command:

echo del map abusers.lst 10.0.3.7 | socat - unix:/tmp/haproxy

 For information, I'm actually working on dynamic ACL.

 Thierry


 On Sat, 11 Jan 2014 21:45:45 -0200
 david rene comba lareu shadow.of.sou...@gmail.com wrote:

 Hi,

 I'm trying to automatize a DDoS protection into our current server
 structure, is there any way to load the ACL to block IPs through a
 file so I could update it via code? Need to restart/reload haproxy
 each time I add an IP?

 I'm open to any suggestions if anyone has any better method for this.

 Regards.




Re: read ACL to block ip's from file to prevent DDoS?

2014-01-13 Thread Baptiste
Hi David,

You can tell HAProxy to load IPs from a file in an ACL.
IE: acl abuser src -f /etc/haproxy/abusers.lst
And place one IP per line in the abusers.lst file.

Hope this helps.

Baptiste


On Sun, Jan 12, 2014 at 12:45 AM, david rene comba lareu
shadow.of.sou...@gmail.com wrote:
 Hi,

 I'm trying to automatize a DDoS protection into our current server
 structure, is there any way to load the ACL to block IPs through a
 file so I could update it via code? Need to restart/reload haproxy
 each time I add an IP?

 I'm open to any suggestions if anyone has any better method for this.

 Regards.