Netgate Discussion Forum

Haproxy custom acl whitelist IP restrict alias backend specific block reject others

    xanaro
    posted Nov 19, 2020, 11:43 AM, last edited by xanaro Nov 19, 2020, 11:47 AM

    I am looking for a way to allow access to certain backends only to certain IP addresses or networks, I am trying to find information that shows/tells how to do this.

    more info:
    I have 10+ backends configured, I have a shared https front end with SSL offloading. I have all the additional certificates added and the Add ACL for certificate subject alternative names checked.

    Websites Front end uses the shared https front end has a very simple Access Control List.

    name: mysite.com, expression: Host Matches, value: mysite.com

    then below in actions:

    Action: Use Backend ACL: mysite.com backend: mysite.com

    This setup has been great because it ties in nicely with pfSense ACME certificates; previously I did all of this on an nginx reverse proxy, this is much simpler.

    On the frontend access control list I am using "Host Matches", but I can see that I could change that to "Source IP matches IP or Alias".

    Unfortunately I am not sure how to combine the two ("Host Matches" AND "Source IP matches IP or Alias"). I have searched Google, Reddit, and this forum, and there have not been any clear-cut examples of how to accomplish this.

    My understanding so far is that I would go to the HAProxy main "Settings" tab, scroll to the bottom and add some custom code to the Global Advanced pass thru.

    The other problem I am faced with is that most of the IP filtering I have seen appears to use mode: TCP, but my front end is using mode: HTTP, so it may not be compatible code...

    I REALLY REALLY appreciate any help if anyone can give some pointers, examples, or snippets.

      xanaro
      last edited Nov 27, 2020, 4:20 AM

      UPDATE: figured this out thanks to the HAProxy forum.

      On your frontends define more than one ACL such as:

      host1          host matches:                      host1.example.com
      adminIPs       Source IP matches Ip or Alias:     111.222.333.444

      In the above we have two ACLs: host1 and adminIPs. For adminIPs you can reference a pfSense alias instead of hard-coding an IP if you need it to apply to more than one IP.

      Now, below, for the Action:

      action: Use Backend
      acl names: adminIPs host1
      backend: host1.example.com

      By defining both ACLs, it should only forward to the backend if both ACLs are true.

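As an added illustration (not from this thread or the pfSense package), the snippet below models how HAProxy evaluates a `use_backend ... if <acl> <acl>` line: every ACL named on the rule must be true, which is why the host ACL and the source-IP ACL listed together act as an AND. The embedded frontend text is constructed to mirror what the pfSense package generates for "Host matches" and "Source IP matches IP or Alias" (`hdr(host) -i ...` and `src ...`); the hostnames, addresses and backend names are placeholders, and `src` works in `mode http` as well as `mode tcp`.

```python
# Added example: a small evaluator for HAProxy frontend ACL / use_backend rules.
# It is NOT HAProxy itself; it only reproduces the AND semantics of listing
# several ACL names on one use_backend line. Config below is constructed.
import ipaddress

FRONTEND_CFG = """
acl host1    hdr(host) -i host1.example.com
acl adminIPs src 203.0.113.10 198.51.100.0/24
use_backend host1_backend if adminIPs host1
default_backend reject_backend
"""


def parse_frontend(cfg):
    """Return ({acl_name: (kind, values)}, [(backend, [acl names])], default)."""
    acls, rules, default = {}, [], None
    for line in cfg.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "acl":
            name, fetch, args = parts[1], parts[2], parts[3:]
            if fetch == "hdr(host)":
                # "-i" = case-insensitive exact match on the Host header
                acls[name] = ("host", [a.lower() for a in args if a != "-i"])
            elif fetch == "src":
                # a bare address is a /32 (or /128) network
                acls[name] = ("src", [ipaddress.ip_network(a) for a in args])
        elif parts[0] == "use_backend" and parts[2] == "if":
            rules.append((parts[1], parts[3:]))  # all listed ACLs must hold
        elif parts[0] == "default_backend":
            default = parts[1]
    return acls, rules, default


def acl_true(acl, host, src_ip):
    kind, values = acl
    if kind == "host":
        return host.lower() in values
    return any(ipaddress.ip_address(src_ip) in net for net in values)


def select_backend(cfg, host, src_ip):
    """First use_backend rule whose ACLs are all true wins; else the default."""
    acls, rules, default = parse_frontend(cfg)
    for backend, names in rules:
        if all(acl_true(acls[n], host, src_ip) for n in names):
            return backend
    return default
```

If HAProxy sits behind NAT or another proxy, `src` is the address HAProxy sees, not the original client, so the allow list should be checked against what actually arrives at the frontend.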
        tomschlick @xanaro
        last edited by Dec 18, 2020, 6:33 AM

        @xanaro I created an account just to thank you for this. This saved me a ton of time!

          xanaro @tomschlick
          last edited by Dec 18, 2020, 6:49 AM

          @tomschlick No problem! I was having trouble finding examples of this in any of the documentation myself; it's not entirely obvious that you can simply specify more than one ACL in the HAProxy action table. So I myself was trying to figure this out, and luckily somebody answered my question on the HAProxy forums.

          I will add to this that if you reference a pfSense alias, you have to restart the haproxy service if you add any additional entries to the alias; at least this seems to be the behavior I was noticing.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.