Adam
Thanks, that would be very helpful. I was thinking there should be something in 
the ZooKeeper configuration itself.

-Thanks

-----Original Message-----
From: Adam Milne-Smith [mailto:[email protected]] 
Sent: Friday, February 05, 2016 2:22 PM
To: [email protected]
Subject: Re: Can we restrict any client connections to Zookeeper ensemble

I've been looking to do the same thing, so I have started running an HAProxy on 
each ZooKeeper host in transparent TCP mode in front of the ZooKeeper client 
port.

The choice of transparent mode was so that I can still map session activity to 
source IP in ZooKeeper. HAProxy will spoof the client IP, so ZooKeeper is 
none the wiser that HAProxy sits in between. It requires some iptables, ip 
rule and ip route config to direct outgoing packets from ZooKeeper back 
through the HAProxy.

This allows for blacklisting IPs and protecting against DoS attacks by rate 
limiting new connections by IP and by blocking connections from bad actors that 
are too write intensive.

If this sounds useful to anyone, I can outline the approach in a bit more 
detail.

Thanks,
Adam


On 5 Feb 2016 19:07, "Talluri, Chandra" <[email protected]> wrote:
>
> Is it possible to restrict any client connections to a ZooKeeper ensemble based 
> on IP address, not just by setting ACLs on znodes? 
>
> (i.e.) I should be able to connect to the ZooKeeper ensemble, either using zkCli.sh 
> or any client, only from certain IP addresses. 
>
> -Thanks in advance 
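The set-up Adam describes above, written out as an added example; it is not code from the thread nor from the ZooKeeper or HAProxy projects. It assumes ZooKeeper's clientPort has been moved to 127.0.0.1:2182 (hypothetical) so HAProxy can own port 2181 on the host address, that the allowlisted ranges, the blacklist file path and the rate thresholds are placeholders to adapt, and that the kernel-side routing shown in comments is the generic TPROXY recipe, which must be checked against the local kernel and HAProxy versions.

```haproxy
# Added example (not from the thread). HAProxy in transparent TCP mode in front of
# the ZooKeeper client port: source-IP allowlist, blacklist file, and per-IP
# connection-rate and ingress-byte-rate limits, with the real client IP preserved
# towards ZooKeeper. All addresses, paths and thresholds are hypothetical.

global
    log /dev/log local0
    maxconn 4096

defaults
    mode tcp
    log global
    option tcplog
    timeout connect 5s
    timeout client 60s
    timeout server 60s

frontend zk_client
    # Clients still connect to the host's normal address on 2181.
    bind *:2181

    # Per-source-IP counters: new-connection rate and bytes received from the
    # client, both over a 10 s window. A write-heavy client drives bytes_in_rate.
    stick-table type ip size 100k expire 60s store conn_rate(10s),bytes_in_rate(10s)
    tcp-request connection track-sc0 src

    # Placeholder allowlist of client networks (hypothetical ranges).
    acl allowed_clients src 10.0.0.0/24 10.0.1.0/24
    # Blacklist: one IP or CIDR per line in a hypothetical file.
    acl blacklisted src -f /etc/haproxy/zk_blacklist.lst
    # Illustrative thresholds: >20 new connections / 10 s, or >1 MB / 10 s inbound.
    acl conn_flood sc0_conn_rate gt 20
    acl write_flood sc0_bytes_in_rate gt 1000000

    # Reject at accept time, before any ZooKeeper session is created. Rejected
    # connections show up in HAProxy's log, not in ZooKeeper's, so monitor both.
    tcp-request connection reject if blacklisted
    tcp-request connection reject if !allowed_clients
    tcp-request connection reject if conn_flood
    tcp-request connection reject if write_flood

    default_backend zk_local

backend zk_local
    # Transparent mode: connect to ZooKeeper using the client's own IP as the
    # source address, so ZooKeeper's session logs and cons/dump output show the
    # real client. Needs HAProxy started as root or with CAP_NET_ADMIN and a
    # TPROXY-capable kernel.
    source 0.0.0.0 usesrc clientip
    # ZooKeeper clientPort moved to 2182 on loopback (assumed zoo.cfg change:
    # clientPort=2182 and clientPortAddress=127.0.0.1).
    server zk 127.0.0.1:2182 check

# Kernel side (assumed generic TPROXY recipe, run as root; verify for your
# kernel): ZooKeeper's replies are addressed to the spoofed client IP, so mark
# them and route them back to the local HAProxy socket instead of the uplink.
#   iptables -t mangle -A OUTPUT -p tcp --sport 2182 -j MARK --set-mark 1
#   ip rule add fwmark 1 lookup 100
#   ip route add local 0.0.0.0/0 dev lo table 100
```

Because ZooKeeper now listens only on loopback, every client path goes through the frontend rules, while the quorum ports (2888/3888 by default) are untouched. Reload HAProxy after editing the blacklist file so the `-f` ACL picks up the change, and size the stick-table `expire` longer than the rate windows or the counters are discarded before they can trip.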
