HAproxy backend whitelisting



  • I have all of the source IP addresses listed in the ACL list for that specific backend, but a source IP address not on the list is still able to access that backend. I created one ACL entry that was 'is not 0.0.0.0' and an action that directed it to a dummy server, but that is not working.

    Any help would be greatly appreciated.



  • @keystroke
    What does your haproxy.cfg look like?



  • # Automaticaly generated, dont edit manually.
    # Generated on: 2018-11-01 10:12
    global
    	maxconn			500
    	log			/var/run/log	local0	debug
    	stats socket /tmp/haproxy.socket level admin 
    	uid			80
    	gid			80
    	nbproc			1
    	hard-stop-after		15m
    	chroot				/tmp/haproxy_chroot
    	daemon
    	tune.ssl.default-dh-param	4096
    	log-send-hostname		HaproxyMasterNode 
    	server-state-file /tmp/haproxy_server_state
    
    listen HAProxyLocalStats
    	bind 127.0.0.1:444 name localstats
    	mode http
    	stats enable
    	stats admin if TRUE
    	stats show-legends
    	stats uri /haproxy/haproxy_stats.php?haproxystats=1
    	timeout client 5000
    	timeout connect 5000
    	timeout server 5000
    
    frontend HTTP_Redirect_MCSBSEX-merged
    	bind			MyIPAddress name MyIPAddress   
    	mode			http
    	log			global
    	option			http-keep-alive
    	timeout client		30000
    	acl			Redirect	var(txn.txnhost) -m str -i exchange.mydomain.com
    	acl			Redirect	var(txn.txnhost) -m str -i xx.mydomain.com
    	acl			Redirect	var(txn.txnhost) -m str -i xy.mydomain.com
    	http-request set-var(txn.txnhost) hdr(host)
    	http-request redirect scheme https code 301  if  Redirect 
    	default_backend dummy_ipvANY
    	default_backend dummy_ipvANY
    	default_backend dummy_ipvANY
    
    frontend MCSB13_SSL_Offload-merged
    	bind			MyIpAddress name MyIPAddress   ssl crt-list /var/etc/haproxy/MCSB13_SSL_Offload.crt_list  
    	mode			http
    	log			global
    	option			http-keep-alive
    	timeout client		30000
    	acl			MCSBS13	var(txn.txnhost) -m sub -i xy.mydomain.com
    	acl			Host_Match	src 0.0.0.0
    	acl			Host_Match	var(txn.txnhost) -m sub -i xx.mydomain.com
    	acl			aclcrt_MCSB12_SSL_Offload	var(txn.txnhost) -m reg -i ^xx\.mydomain\.com(:([0-9]){1,5})?$
    	acl			aclcrt_MCSB12_SSL_Offload	var(txn.txnhost) -m reg -i ^www\.xx\.mydomain\.com(:([0-9]){1,5})?$
    	http-request set-var(txn.txnhost) hdr(host)
    	use_backend Backend_MCSBS13_ipvANY  if  MCSBS13 
    	use_backend Backend_MCSBSEX_ipvANY  if  !Host_Match 
    	use_backend Backend_MCSBS12_ipvANY  if  Host_Match aclcrt_MCSB12_SSL_Offload
    	default_backend dummy_ipvANY
    	use_backend Backend_MCSBS12_ipvANY  if   aclcrt_MCSB12_SSL_Offload
    
    backend dummy_ipvANY
    	mode			http
    	id			123
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	option			httpchk OPTIONS / 
    	server			dummy 127.0.0.1:8888 id 124 check inter 1000  
    
    backend Backend_MCSBS13_ipvANY
    	mode			http
    	id			117
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	option			httpchk OPTIONS / 
    	acl			Redirect	src External IP Address 
    	acl			Redirect	src External IP Address 
    	acl			Redirect	src External IP Address
    	acl			Redirect	src External IP Address
    	acl			Redirect	src External IP Address 
    	acl			Redirect	src External IP Address 
    	acl			Redirect	src External IP Address 
    	acl			Redirect	src External IP Address
    	acl			Redirect	src External IP Address 
    	acl			Redirect	src External IP Address
    	acl			Redirect	src External IP Address 
    	acl			Redirect	src External IP Address
    	acl			Redirect	src External IP Address 
    	acl			Redirect	src External IP Address 
    	acl			Redirect	src External IP Address
    	acl			Redirect	src External IP Address 
    	acl			Redirect	src External IP Address
    	acl			Redirect	src External IP Address
    	acl			Redirect	src External IP Address
    	acl			Redirect	src External IP Address
    	acl			Redirect	src External IP Address
    	acl			Redirect	src External IP Address
    	acl			Redirect	src External IP Address
    	acl			Redirect	src External IP Address
    	acl			Redirect	src External IP Address
    	acl			Deny	src 0.0.0.0
    	use-server MCSBS13  if  Redirect 
    	use-server deny  if  !Deny 
    	server			MCSBS13 172.16.2.3:8080 id 118 check inter 1000  
    	server			deny 127.0.0.1:64000 id 126 check inter 1000  
    
    backend Backend_MCSBSEX_ipvANY
    	mode			http
    	id			119
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	option			httpchk OPTIONS / 
    	server			Exchange_Server 192.168.111.10:443 id 120 ssl check inter 1000  verify none crt /var/etc/haproxy/server_clientcert_5b2ab5730e814.pem 
    
    backend Backend_MCSBS12_ipvANY
    	mode			http
    	id			121
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	option			httpchk OPTIONS / 
    	acl			Redirect	src External IP Address 
    	acl			Redirect	src External IP Address 
    	acl			Redirect	src External IP Address
    	acl			Redirect	src External IP Address
    	acl			Redirect	src External IP Address
    	acl			Redirect	src External IP Address 
    	acl			Redirect	src External IP Address
    	acl			Redirect	src External IP Address
    	acl			Redirect	src External IP Address 
    	acl			Redirect	src External IP Address
    	acl			Redirect	src External IP Address
    	acl			Redirect	src External IP Address
    	acl			Redirect	src External IP Address
    	acl			Redirect	src External IP Address 
    	acl			Redirect	src External IP Address
    	acl			Redirect	src External IP Address
    	acl			Redirect	src External IP Address
    	acl			Redirect	src External IP Address
    	acl			Redirect	src External IP Address
    	acl			Redirect	src External IP Address 
    	acl			Redirect	src External IP Address
    	acl			Redirect	src External IP Address
    	acl			Redirect	src External IP Address
    	acl			Redirect	src External IP Address
    	acl			Redirect	src External IP Address
    	acl			Redirect	src External IP Address
    	acl			Deny	src 0.0.0.0
    	use-server MCSBS12  if  Redirect 
    	use-server deny  if  !Deny 
    	server			MCSBS12 172.16.2.2:8080 id 122 check inter 1000  
    	server			deny 127.0.0.1:64000 id 125 check inter 1000  
    


  • @keystroke
    Why are you using the use-server action this way? Wouldn't a 'http-request deny if !Redirect' be easier?



  • @keystroke said in HAproxy backend whitelisting:

    src 0.0.0.0

    That would never match, as the client IP would never be that exact IP of four zeros. Perhaps if you made it a 0.0.0.0/0? But then still a 'http-request deny' seems easier?



  • I was trying to use the 'is not' 0.0.0.0 so it would deny everything that was not already defined in the list, but that did not work.

    I will try the 0.0.0.0/0 with the 'http-request deny' and let you know.



  • The 'http-request deny' action processes before the use server action so it denied everything.



  • @keystroke
    Use your Redirect acl instead of trying to trick things you don't want? "http-request deny if !Redirect"
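    Pulling the two points above together (a `src 0.0.0.0` ACL that can never match a real client, and `http-request deny if !Redirect` as the simpler allow-list check), here is an added example of one backend written that way. It is not part of the thread or of the poster's pfSense-generated config; the source addresses, the ACL name `Allowed` and the optional allow-list file path are assumed placeholders, and the backend/server names are reused from the posted config for readability.

```haproxy
# Added example (not the poster's generated config). Source IPs below are
# constructed placeholders from documentation ranges.
backend Backend_MCSBS13_ipvANY
	mode			http
	log			global
	timeout connect		30000
	timeout server		30000
	retries			3
	option			httpchk OPTIONS /

	# Allow list: one "acl Allowed src ..." line per source; repeating the
	# same ACL name ORs the entries together, exactly like the Redirect ACL
	# in the posted config. A CIDR entry allows a whole range.
	acl	Allowed	src 198.51.100.10
	acl	Allowed	src 198.51.100.11
	acl	Allowed	src 203.0.113.0/24
	# Alternative for long lists: keep one address or CIDR per line in a
	# file (assumed path) and load it with -f instead of many acl lines.
	# acl	Allowed	src -f /var/etc/haproxy/allowed_sources.lst

	# Why the original attempts failed:
	#  - "src 0.0.0.0" matches only a client whose address is literally
	#    0.0.0.0, so "use-server deny if !Deny" fires for everyone.
	#  - "src 0.0.0.0/0" matches every client, so a deny built on it
	#    rejects everyone.
	# http-request rules run before use_backend/use-server selection, so
	# the deny has to be expressed on the allow list itself: reject any
	# client that is NOT on it.
	http-request deny if !Allowed

	# Only allow-listed clients get this far, so the dummy 127.0.0.1:64000
	# "deny" server from the posted config is no longer needed.
	server	MCSBS13 172.16.2.3:8080 check inter 1000
```

    Since `http-request deny` is evaluated in the backend before any server is chosen, the same `acl Allowed ... / http-request deny if !Allowed` pair can be dropped into each backend that needs its own list (the MCSBS12 backend in the posted config would get its own `Allowed` entries), and a rejected client gets an HTTP 403 rather than being silently routed to a closed port.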



  • That was it, thank you for your help!