
    Haproxy custom acl whitelist IP restrict alias backend specific block reject others

    xanaro (last edited by xanaro):

      I am looking for a way to allow access to certain backends only to certain IP addresses or networks, I am trying to find information that shows/tells how to do this.

      more info:
      I have 10+ backends configured and a shared HTTPS frontend with SSL offloading. I have all the additional certificates added and "Add ACL for certificate subject alternative names" checked.

      The website's frontend uses the shared HTTPS frontend and has a very simple Access Control List.

      name: mysite.com expression:Host Matches value: mysite.com

      then below in actions:

      Action: Use Backend ACL: mysite.com backend: mysite.com

      This setup has been great because it ties in nicely with pfSense ACME certificates; previously I did all of this on an nginx reverse proxy, and this is much simpler.

      On the frontend access control list I am using "Host Matches", but I can see that I could change that to "Source IP matches IP or Alias".

      Unfortunately I am not sure how to combine the two ("Host Matches" AND "Source IP matches IP or Alias"). I have searched Google, Reddit, and this forum, and there have not been any clear-cut examples of how to accomplish this.

      My understanding so far is that I would go to the HAProxy main "Settings" tab, scroll to the bottom and add some custom code to the Global Advanced pass thru.

      The other problem I am faced with is that most of the IP filtering I have seen appears to use mode: TCP, but my frontend is using mode: HTTP, so it may not be compatible code.

      I REALLY REALLY appreciate any help if anyone can give some pointers, examples, or snippets.

      xanaro:

        UPDATE: figured this out thanks to the HAProxy forum.

        On your frontends define more than one ACL such as:

        host1          host matches:                      host1.example.com
        adminIPs       Source IP matches Ip or Alias:     111.222.333.444
        

        In the above we have two ACLs: host1 and adminIPs. For adminIPs you can reference a pfSense alias instead of hard-coding an IP if you need it to apply to more than one IP.

        now below for the Action:

        action: Use Backend
        acl names: adminIPs host1
        backend: host1.example.com

        By defining both ACLs it should only forward to the backend if both ACLs are true.

        tomschlick (replying to xanaro):
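The raw haproxy.cfg equivalent of the GUI settings in the post above, as an added example that is not from the thread or the pfSense HAProxy package's generated output. The backend names, the 203.0.113.0/24 admin range and the 192.0.2.x server addresses are assumptions chosen for illustration. It also shows the part the backend-selection rule alone does not cover: a request for the restricted host from a non-admin address does not fail, it falls through to default_backend (or the next use_backend rule), so an explicit deny is needed if "reject others" is the goal.

```haproxy
# Added example, not the thread's or the pfSense package's own config.
# Names, address ranges and server IPs below are assumptions.
frontend shared_https
    bind :443 ssl crt /etc/haproxy/certs/   # SSL offloading, as in the thread
    mode http

    # Two named ACLs, equivalent to the "host matches" and
    # "Source IP matches IP or Alias" rows in the pfSense frontend table.
    acl host1    req.hdr(host) -i host1.example.com
    acl adminIPs src 203.0.113.0/24 198.51.100.7

    # http-request rules are evaluated before use_backend rules regardless
    # of their position in the section. Deny the restricted host to anyone
    # outside the admin range so it never reaches default_backend.
    http-request deny deny_status 403 if host1 !adminIPs

    # Several ACL names on one rule are ANDed: this backend is selected
    # only when the Host header matches AND the source address is allowed.
    use_backend host1_backend if host1 adminIPs

    default_backend catch_all

backend host1_backend
    mode http
    server web1 192.0.2.10:80 check

backend catch_all
    mode http
    server fallback 192.0.2.11:80 check
```

Two points to check before relying on this. `src` is the address of the TCP peer that connected to HAProxy; if a CDN, load balancer or other proxy sits in front of pfSense, every request arrives from that proxy's address and the restriction is meaningless until the real client address is recovered (PROXY protocol on the bind line, or a forwarded-for header that only the trusted upstream can set). And the pfSense GUI row "Source IP matches IP or Alias" expands the alias into the generated config at the time the service is started, which is why the last post in this thread reports needing a restart after editing the alias.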

          @xanaro I created an account just to thank you for this. This saved me a ton of time!

          xanaro (replying to tomschlick):

            @tomschlick No problem! I was having trouble finding examples of this in any of the documentation myself; it's not entirely obvious that you can simply specify more than one ACL in the HAProxy action table. So I myself was trying to figure this out, and luckily somebody answered my question on the HAProxy forums.

            I will add to this that if you reference a pfSense alias, you have to restart the HAProxy service if you add any additional entries to the alias; at least this seems to be the behavior I was noticing.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.