HAProxy GeoIP
-
I'm trying to configure GeoIP in HAProxy. First I created a URL alias. Then I added the ACL and action to the backend. When checking from a mobile phone not from my home network, I get a 403 error. However, my friends are doing fine when checking. What am I doing wrong? Or is it better to use pfBlockerNG?
-
@aes4096 I use pfblocker for this sort of thing. I create an alias with the geoips I want, and then just use those aliases in my firewall rules and/or port forwarding rules.
For example - I limit access to my exposed services (vpn, plex, a couple of websites that are behind haproxy) only to US based IPs, and some other specific IPs that are in the pfblocker alias.
Are you trying to block or allow Russia? It's much easier to just allow what you want vs trying to block the planet. If your goal is to just block Russia, ok.
You could create an alias that has the russia IPs in it, then in your firewall rules put in a rule that blocks that alias before your rule that allows traffic to the haproxy port you're listening on.
-
@johnpoz I need access to published sites via HAproxy to be available only from Russia. For example, I have deployed the Synology Drive service (analogous to Nextcloud) and I do not want it to be accessible from other countries where I do not live. I took the list of subnets from the IPDeny website, and in the backend I set “Not Russia” and the action http-request deny Russia. In theory, this should block requests not from Russia. Or am I wrong?
Update:
I tried to add it to the firewall, but it won't let me in either. I assume that the subnet of my mobile operator is not included in the IPDeny list.
-
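An added checker (not from this thread, pfSense or HAProxy) that reads a list in the one-prefix-per-line format of the IPDeny zone files and reproduces the allow-only-from-the-list decision that an HAProxy `acl from_ru src -f ru.zone` plus `http-request deny if !from_ru` pair makes, so the address a phone actually connects from can be tested against the list before the ACL is blamed. The zone file and the addresses are constructed samples; `from_ru` is an assumed ACL name.

```python
import ipaddress

# Constructed sample in the one-prefix-per-line format of the IPDeny zone files
# (documentation prefixes, not real Russian address space).
SAMPLE_ZONE = """\
# ru.zone (constructed sample)
192.0.2.0/24
198.51.100.0/25
203.0.113.0/26
"""


def load_zone(text):
    """Parse a zone list into network objects, skipping blank/comment lines."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            # haproxy rejects the file at startup on a malformed entry; report it
            print(f"skipping unparsable line: {raw!r}")
    return nets


def matching_prefix(ip, nets):
    """Return the list entry that contains ip, or None (the 'src -f file' lookup)."""
    addr = ipaddress.ip_address(ip)
    for net in nets:
        if addr.version == net.version and addr in net:
            return str(net)
    return None


def decide(ip, nets):
    """Mirror 'http-request deny if !from_ru': only sources in the list are allowed."""
    return "allow" if matching_prefix(ip, nets) else "deny"


if __name__ == "__main__":
    nets = load_zone(SAMPLE_ZONE)
    # .200 sits outside the /25, and an IPv6 client matches nothing in an IPv4-only list,
    # which is exactly the "my operator's subnet is not in the list" symptom above
    for ip in ("192.0.2.77", "198.51.100.200", "203.0.113.10", "2001:db8::1"):
        print(f"{ip:18} -> {matching_prefix(ip, nets)!s:18} {decide(ip, nets)}")
```

Feed it the real zone file and the client address from the haproxy log to see which prefix (if any) the mobile operator falls into.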
@aes4096 I have never even thought of doing that sort of blocking in haproxy itself. If you want only russia IPs to talk to whatever you're serving up in haproxy, just create that in your firewall rule that allows access to the haproxy port you're listening on.
The only time I would think you would want/need to do the limitation in haproxy.. If say you were doing host header type access on the same port.. Let's say 443.. And you want only russia IPs to talk to the www.russiaonly.com fqdn, and then had another fqdn like www.everyone.com that you wanted the whole planet to get to.
Personally I wouldn't use "this firewall" in the allow rule for russia IPs - I would use the actual interface address, most likely WAN address.
Possible problem you could be running into - do you have the pfsense web gui listening on 443? If you want to use that for say haproxy or a port forward, you should change the pfsense webgui not to use 443, for example my webgui uses 8443.
-
@johnpoz I changed the pfsense web interface port to 10443. Without filtering by country, the web application opens correctly not from the home network.
-
@aes4096 Well yeah, why wouldn't it - your lan rules allow any any most likely.
Don't do any filtering in haproxy by IP.. Just create your firewall rule that allows source of russia IPs like you have.. I can then try to open it if you pm the fqdn.. I can tell you if I can get there ;) I am for sure not coming from a russia IP ;)
Keep in mind there is no geoip list out there that is 100% accurate.. They might include IPs that are not in the actual country, or they might be missing some IPs that are.. Geoip lists are never going to be 100% accurate..
Keep in mind your rule is an allow, so under that needs to be a block.. Not sure what your other rules are allowing, they might allow the other IPs.
Rules are evaluated top down, first rule to trigger wins, no other rules are evaluated.
-
@johnpoz I think I did it using pfBlockerNG. Sent the link in private messages. Check availability please.
-
@aes4096 Just did, I can't get to that site. Just times out.
I sent you my IP, you should see it in the logs.
And the IP I resolved it to - to validate I was resolving the url you sent me to the correct IP.. Your ttl is pretty long if that is a dynamic IP.
-
@johnpoz yes, blocking is successful. From mobile operators from Russia it opens correctly as intended. It also opened for me not from the local network. Looks like the problem is now resolved. My IP is static. I don't know why the TTL is so long. Probably due to the long distance. Perhaps there are blockages and restrictions somewhere on the part of backbone providers on the way to Russia.
Just out of curiosity, I'll check this list again. But pfBlockerNG must update itself, unlike other lists. I had to ask a friend from Kazakhstan to create a Maxmind account, because in Russia I could not create one even through a VPN.
-
@aes4096 no the TTL of the dns record.. 86400 seconds is 24 hours.. But if your static then not a problem and longer ttl is better..
As to creating a maxmind account to be able to pull the geoip lists from them - I am not aware of any restrictions they would have for creating an account? But guess that is possible?
But if you could not create one coming from a vpn IP, that would seem not like a restriction based on location, but maybe email address? Or guess they could block vpn IPs as well?
I would suggest contacting their support.
We do have a few users here from russia - might want to post in the lang section if anyone has had issues creating maxmind account.
-
@johnpoz I tried to create an account six months ago on a Russian mail domain, but it didn’t work. I had to ask a person from another country to help. As a result, I created an account on Google mail. I'll try again in my spare time. Perhaps I was doing something wrong.
But the GeoIP lists downloaded without problems. Then it’s a strange coincidence that the account is not created, but the lists are downloaded.
-
@aes4096 I am not 100% on the details of what exactly can and cannot be accessed from maxmind without an account.. Notice you can disable the csv downloads, but there is a blurb about that not affecting the binary downloads?
Looking at my maxmind account - I can see the download history, and the api key used to download, etc.
It's quite possible some geoip stuff is available, maybe it's just not updated as often? I haven't really had to dig into the details because I just never had a need to. Mine has always worked, but as you can see from the date when I created that api key, it was many years ago.
Notice in the blurb where you put in your maxmind details about specific version to register for, etc. 3.1.1 or something or newer.
-
@johnpoz In the screenshot below, access is denied when updating. Or is it like this for everyone?