Netgate Discussion Forum
    HAproxy backend whitelisting

    keystroke

      I have all of the source IP addresses listed in the ACL list for that specific backend, but a source IP address not on the list is still able to access that backend. I created one ACL entry that was 'is not 0.0.0.0' and an action that directed it to a dummy server, but that is not working.

      Any help would be greatly appreciated.

      PiBa @keystroke

        @keystroke
        What does your haproxy.cfg look like ?

        keystroke

          # Automaticaly generated, dont edit manually.
          # Generated on: 2018-11-01 10:12
          global
          	maxconn			500
          	log			/var/run/log	local0	debug
          	stats socket /tmp/haproxy.socket level admin 
          	uid			80
          	gid			80
          	nbproc			1
          	hard-stop-after		15m
          	chroot				/tmp/haproxy_chroot
          	daemon
          	tune.ssl.default-dh-param	4096
          	log-send-hostname		HaproxyMasterNode 
          	server-state-file /tmp/haproxy_server_state
          
          listen HAProxyLocalStats
          	bind 127.0.0.1:444 name localstats
          	mode http
          	stats enable
          	stats admin if TRUE
          	stats show-legends
          	stats uri /haproxy/haproxy_stats.php?haproxystats=1
          	timeout client 5000
          	timeout connect 5000
          	timeout server 5000
          
          frontend HTTP_Redirect_MCSBSEX-merged
          	bind			MyIPAddress name MyIPAddress   
          	mode			http
          	log			global
          	option			http-keep-alive
          	timeout client		30000
          	acl			Redirect	var(txn.txnhost) -m str -i exchange.mydomain.com
          	acl			Redirect	var(txn.txnhost) -m str -i xx.mydomain.com
          	acl			Redirect	var(txn.txnhost) -m str -i xy.mydomain.com
          	http-request set-var(txn.txnhost) hdr(host)
          	http-request redirect scheme https code 301  if  Redirect 
          	default_backend dummy_ipvANY
          	default_backend dummy_ipvANY
          	default_backend dummy_ipvANY
          
          frontend MCSB13_SSL_Offload-merged
          	bind			MyIpAddress name MyIPAddress   ssl crt-list /var/etc/haproxy/MCSB13_SSL_Offload.crt_list  
          	mode			http
          	log			global
          	option			http-keep-alive
          	timeout client		30000
          	acl			MCSBS13	var(txn.txnhost) -m sub -i xy.mydomain.com
          	acl			Host_Match	src 0.0.0.0
          	acl			Host_Match	var(txn.txnhost) -m sub -i xx.mydomain.com
          	acl			aclcrt_MCSB12_SSL_Offload	var(txn.txnhost) -m reg -i ^xx\.mydomain\.com(:([0-9]){1,5})?$
          	acl			aclcrt_MCSB12_SSL_Offload	var(txn.txnhost) -m reg -i ^www\.xx\.mydomain\.com(:([0-9]){1,5})?$
          	http-request set-var(txn.txnhost) hdr(host)
          	use_backend Backend_MCSBS13_ipvANY  if  MCSBS13 
          	use_backend Backend_MCSBSEX_ipvANY  if  !Host_Match 
          	use_backend Backend_MCSBS12_ipvANY  if  Host_Match aclcrt_MCSB12_SSL_Offload
          	default_backend dummy_ipvANY
          	use_backend Backend_MCSBS12_ipvANY  if   aclcrt_MCSB12_SSL_Offload
          
          backend dummy_ipvANY
          	mode			http
          	id			123
          	log			global
          	timeout connect		30000
          	timeout server		30000
          	retries			3
          	option			httpchk OPTIONS / 
          	server			dummy 127.0.0.1:8888 id 124 check inter 1000  
          
          backend Backend_MCSBS13_ipvANY
          	mode			http
          	id			117
          	log			global
          	timeout connect		30000
          	timeout server		30000
          	retries			3
          	option			httpchk OPTIONS / 
          	acl			Redirect	src External IP Address 
          	acl			Redirect	src External IP Address 
          	acl			Redirect	src External IP Address
          	acl			Redirect	src External IP Address
          	acl			Redirect	src External IP Address 
          	acl			Redirect	src External IP Address 
          	acl			Redirect	src External IP Address 
          	acl			Redirect	src External IP Address
          	acl			Redirect	src External IP Address 
          	acl			Redirect	src External IP Address
          	acl			Redirect	src External IP Address 
          	acl			Redirect	src External IP Address
          	acl			Redirect	src External IP Address 
          	acl			Redirect	src External IP Address 
          	acl			Redirect	src External IP Address
          	acl			Redirect	src External IP Address 
          	acl			Redirect	src External IP Address
          	acl			Redirect	src External IP Address
          	acl			Redirect	src External IP Address
          	acl			Redirect	src External IP Address
          	acl			Redirect	src External IP Address
          	acl			Redirect	src External IP Address
          	acl			Redirect	src External IP Address
          	acl			Redirect	src External IP Address
          	acl			Redirect	src External IP Address
          	acl			Deny	src 0.0.0.0
          	use-server MCSBS13  if  Redirect 
          	use-server deny  if  !Deny 
          	server			MCSBS13 172.16.2.3:8080 id 118 check inter 1000  
          	server			deny 127.0.0.1:64000 id 126 check inter 1000  
          
          backend Backend_MCSBSEX_ipvANY
          	mode			http
          	id			119
          	log			global
          	timeout connect		30000
          	timeout server		30000
          	retries			3
          	option			httpchk OPTIONS / 
          	server			Exchange_Server 192.168.111.10:443 id 120 ssl check inter 1000  verify none crt /var/etc/haproxy/server_clientcert_5b2ab5730e814.pem 
          
          backend Backend_MCSBS12_ipvANY
          	mode			http
          	id			121
          	log			global
          	timeout connect		30000
          	timeout server		30000
          	retries			3
          	option			httpchk OPTIONS / 
          	acl			Redirect	src External IP Address 
          	acl			Redirect	src External IP Address 
          	acl			Redirect	src External IP Address
          	acl			Redirect	src External IP Address
          	acl			Redirect	src External IP Address
          	acl			Redirect	src External IP Address 
          	acl			Redirect	src External IP Address
          	acl			Redirect	src External IP Address
          	acl			Redirect	src External IP Address 
          	acl			Redirect	src External IP Address
          	acl			Redirect	src External IP Address
          	acl			Redirect	src External IP Address
          	acl			Redirect	src External IP Address
          	acl			Redirect	src External IP Address 
          	acl			Redirect	src External IP Address
          	acl			Redirect	src External IP Address
          	acl			Redirect	src External IP Address
          	acl			Redirect	src External IP Address
          	acl			Redirect	src External IP Address
          	acl			Redirect	src External IP Address 
          	acl			Redirect	src External IP Address
          	acl			Redirect	src External IP Address
          	acl			Redirect	src External IP Address
          	acl			Redirect	src External IP Address
          	acl			Redirect	src External IP Address
          	acl			Redirect	src External IP Address
          	acl			Deny	src 0.0.0.0
          	use-server MCSBS12  if  Redirect 
          	use-server deny  if  !Deny 
          	server			MCSBS12 172.16.2.2:8080 id 122 check inter 1000  
          	server			deny 127.0.0.1:64000 id 125 check inter 1000  

          PiBa @keystroke

            @keystroke
            Why are you using the use-server action this way? Wouldn't a 'http-request deny if !Redirect' be easier?

            PiBa @keystroke

              @keystroke said in HAproxy backend whitelisting:

              src 0.0.0.0

              That would never match, as the client IP would never be that exact IP of four zeros. Perhaps if you made it 0.0.0.0/0? But then still a 'http-request deny' seems easier?

              keystroke

                I was trying to use the 'is not' 0.0.0.0 so it would deny everything that was not already defined in the list, but that did not work.

                I will try the 0.0.0.0/0 with the 'http-request deny' and let you know.

                keystroke

                  The 'http-request deny' action processes before the use-server action, so it denied everything.

                  PiBa @keystroke

                    @keystroke
                    Use your Redirect acl instead of trying to trick things you don't want?: "http-request deny if !Redirect"

                    keystroke

                      That was it, thank you for your help!

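As an added illustration (not from the thread or from the pfSense package's generated output), here is one of the posted whitelist backends with PiBa's suggestion applied, with the original dummy-server pattern kept beside it as comments. The backend and server names and the 172.16.2.3:8080 address come from the posted config; the client addresses 203.0.113.10 and 198.51.100.0/24 are placeholders.

```haproxy
# Added example, not part of the original thread. Whitelisted client
# addresses below are placeholders; replace them with the real source IPs.
backend Backend_MCSBS13_ipvANY
	mode			http
	timeout connect		30000
	timeout server		30000
	option			httpchk OPTIONS /

	# Whitelist: one "src" ACL per allowed client or range. Several acl
	# lines sharing a name are ORed together. A bare IP is a /32 match.
	acl			Redirect	src 203.0.113.10
	acl			Redirect	src 198.51.100.0/24

	# Original pattern (does not work): "src 0.0.0.0" is a /32 match on the
	# single address 0.0.0.0, which no real client has, so "Deny" never
	# matches and "!Deny" is always true. "0.0.0.0/0" would match every
	# client instead, but steering unwanted clients to a dummy server is
	# still the wrong tool for blocking them.
	#acl			Deny	src 0.0.0.0
	#use-server deny  if  !Deny
	#server			deny 127.0.0.1:64000 id 126 check inter 1000

	# Fix from the thread: reject anything not on the whitelist. http-request
	# rules run before any use-server / load-balancing decision, which is why
	# a deny whose condition matched everyone blocked every client; tied to
	# !Redirect it blocks only the non-listed sources and lets the rest
	# through to the real server.
	http-request deny if !Redirect

	server			MCSBS13 172.16.2.3:8080 id 118 check inter 1000
```

Before reloading, `haproxy -c -f <path to the generated haproxy.cfg>` checks the file parses; a denied client should then receive HAProxy's 403 rather than reaching the backend.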