HAproxy backend whitelisting
-
I have all of the source IP addresses listed in the ACL list for that specific backend, but a source IP address not on the list is still able to access that backend. I created one ACL entry that was 'is not 0.0.0.0' and an action that directed it to a dummy server, but that is not working.
Any help would be greatly appreciated.
-
@keystroke
What does your haproxy.cfg look like?
-
# Automaticaly generated, dont edit manually.
# Generated on: 2018-11-01 10:12
global
    maxconn 500
    log /var/run/log local0 debug
    stats socket /tmp/haproxy.socket level admin
    uid 80
    gid 80
    nbproc 1
    hard-stop-after 15m
    chroot /tmp/haproxy_chroot
    daemon
    tune.ssl.default-dh-param 4096
    log-send-hostname HaproxyMasterNode
    server-state-file /tmp/haproxy_server_state

listen HAProxyLocalStats
    bind 127.0.0.1:444 name localstats
    mode http
    stats enable
    stats admin if TRUE
    stats show-legends
    stats uri /haproxy/haproxy_stats.php?haproxystats=1
    timeout client 5000
    timeout connect 5000
    timeout server 5000

frontend HTTP_Redirect_MCSBSEX-merged
    bind MyIPAddress name MyIPAddress
    mode http
    log global
    option http-keep-alive
    timeout client 30000
    acl Redirect var(txn.txnhost) -m str -i exchange.mydomain.com
    acl Redirect var(txn.txnhost) -m str -i xx.mydomain.com
    acl Redirect var(txn.txnhost) -m str -i xy.mydomain.com
    http-request set-var(txn.txnhost) hdr(host)
    http-request redirect scheme https code 301 if Redirect
    default_backend dummy_ipvANY
    default_backend dummy_ipvANY
    default_backend dummy_ipvANY

frontend MCSB13_SSL_Offload-merged
    bind MyIpAddress name MyIPAddress ssl crt-list /var/etc/haproxy/MCSB13_SSL_Offload.crt_list
    mode http
    log global
    option http-keep-alive
    timeout client 30000
    acl MCSBS13 var(txn.txnhost) -m sub -i xy.mydomain.com
    acl Host_Match src 0.0.0.0
    acl Host_Match var(txn.txnhost) -m sub -i xx.mydomain.com
    acl aclcrt_MCSB12_SSL_Offload var(txn.txnhost) -m reg -i ^xx\.mydomain\.com(:([0-9]){1,5})?$
    acl aclcrt_MCSB12_SSL_Offload var(txn.txnhost) -m reg -i ^www\.xx\.mydomain\.com(:([0-9]){1,5})?$
    http-request set-var(txn.txnhost) hdr(host)
    use_backend Backend_MCSBS13_ipvANY if MCSBS13
    use_backend Backend_MCSBSEX_ipvANY if !Host_Match
    use_backend Backend_MCSBS12_ipvANY if Host_Match aclcrt_MCSB12_SSL_Offload
    default_backend dummy_ipvANY
    use_backend Backend_MCSBS12_ipvANY if aclcrt_MCSB12_SSL_Offload

backend dummy_ipvANY
    mode http
    id 123
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    option httpchk OPTIONS /
    server dummy 127.0.0.1:8888 id 124 check inter 1000

backend Backend_MCSBS13_ipvANY
    mode http
    id 117
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    option httpchk OPTIONS /
    acl Redirect src External IP Address
    acl Redirect src External IP Address
    acl Redirect src External IP Address
    acl Redirect src External IP Address
    acl Redirect src External IP Address
    acl Redirect src External IP Address
    acl Redirect src External IP Address
    acl Redirect src External IP Address
    acl Redirect src External IP Address
    acl Redirect src External IP Address
    acl Redirect src External IP Address
    acl Redirect src External IP Address
    acl Redirect src External IP Address
    acl Redirect src External IP Address
    acl Redirect src External IP Address
    acl Redirect src External IP Address
    acl Redirect src External IP Address
    acl Redirect src External IP Address
    acl Redirect src External IP Address
    acl Redirect src External IP Address
    acl Redirect src External IP Address
    acl Redirect src External IP Address
    acl Redirect src External IP Address
    acl Redirect src External IP Address
    acl Redirect src External IP Address
    acl Deny src 0.0.0.0
    use-server MCSBS13 if Redirect
    use-server deny if !Deny
    server MCSBS13 172.16.2.3:8080 id 118 check inter 1000
    server deny 127.0.0.1:64000 id 126 check inter 1000

backend Backend_MCSBSEX_ipvANY
    mode http
    id 119
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    option httpchk OPTIONS /
    server Exchange_Server 192.168.111.10:443 id 120 ssl check inter 1000 verify none crt /var/etc/haproxy/server_clientcert_5b2ab5730e814.pem

backend Backend_MCSBS12_ipvANY
    mode http
    id 121
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    option httpchk OPTIONS /
    acl Redirect src External IP Address
    acl Redirect src External IP Address
    acl Redirect src External IP Address
    acl Redirect src External IP Address
    acl Redirect src External IP Address
    acl Redirect src External IP Address
    acl Redirect src External IP Address
    acl Redirect src External IP Address
    acl Redirect src External IP Address
    acl Redirect src External IP Address
    acl Redirect src External IP Address
    acl Redirect src External IP Address
    acl Redirect src External IP Address
    acl Redirect src External IP Address
    acl Redirect src External IP Address
    acl Redirect src External IP Address
    acl Redirect src External IP Address
    acl Redirect src External IP Address
    acl Redirect src External IP Address
    acl Redirect src External IP Address
    acl Redirect src External IP Address
    acl Redirect src External IP Address
    acl Redirect src External IP Address
    acl Redirect src External IP Address
    acl Redirect src External IP Address
    acl Deny src 0.0.0.0
    use-server MCSBS12 if Redirect
    use-server deny if !Deny
    server MCSBS12 172.16.2.2:8080 id 122 check inter 1000
    server deny 127.0.0.1:64000 id 125 check inter 1000
-
@keystroke
Why are you using the use-server action this way? Wouldn't a 'http-request deny if !Redirect' be easier?
-
@keystroke said in HAproxy backend whitelisting:
src 0.0.0.0
That would never match, as the client IP would never be that exact IP of four zeros. Perhaps if you made it 0.0.0.0/0? But then still a 'http-request deny' seems easier?
-
I was trying to use the 'is not' 0.0.0.0 so it would deny everything that was not already defined in the list, but that did not work.
I will try the 0.0.0.0/0 with the 'http-request deny' and let you know.
-
The 'http-request deny' action is processed before the use-server action, so it denied everything.
-
@keystroke
Use your Redirect acl instead of trying to trick things you don't want: "http-request deny if !Redirect"
-
That was it, thank you for your help!
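For reference, a minimal backend showing the pattern this thread settles on (an allow-list ACL on src, denied with http-request before server selection). This is an added example, not the posted haproxy.cfg; the ACL name and the 203.0.113.0/24 and 198.51.100.7 addresses are placeholders from the RFC 5737 documentation ranges, standing in for the real list of external IPs.

```haproxy
# Added example, not the poster's generated config.
backend Backend_MCSBS13_ipvANY
    mode http
    timeout connect 30000
    timeout server 30000
    option httpchk OPTIONS /

    # Allow list of client source addresses (placeholders; one acl line per
    # address or prefix, exactly as the pfSense package generates them).
    acl allowed_src src 203.0.113.0/24
    acl allowed_src src 198.51.100.7

    # Why the original attempts did not work:
    #   acl Deny src 0.0.0.0     matches only a client whose address is
    #                            literally 0.0.0.0, so it never fires and
    #                            "use-server deny if !Deny" always applies.
    #   acl Deny src 0.0.0.0/0   matches every client, so denying on it
    #                            blocks everyone.
    # http-request rules are evaluated before use-server / server selection,
    # so the deny below is the first thing a non-listed client hits.
    http-request deny if !allowed_src

    # Only allow-listed clients reach this point; no dummy "deny" server needed.
    server MCSBS13 172.16.2.3:8080 check inter 1000
```

Run `haproxy -c -f /var/etc/haproxy/haproxy.cfg` to syntax-check the file before reloading the service.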