HAProxy: Rules based on url?
-
I have a CRM/ERP System called ERPNext behind my firewall.
ERPNext includes a front-end website, as well as the backend for the business-specific applications.
I'd like to restrict example.com/app/* (the backend for business users) to specific IP addresses (basically my LAN or VPN'd into the LAN), while if the destination is example.com/'anything-but-app'* (the website), it can accept connections from any IP address.
Is this possible with HAProxy?
-
@oguruma said in HAProxy: Rules based on url?:
I'd like to restrict example.com/app/* (the backend for business users) to specific IP addresses (basically my LAN or VPN'd into the LAN), while if the destination is example.com/'anything-but-app'* (the website), it can accept connections from any IP address.
These are two rules in fact. Do you really need both of them?
Assuming it is sufficient to restrict access to example.com/app/*, you can do it this way:
In Firewall > Aliases create an alias for the allowed networks, say AllowedNets.
Then create an ACL, call it "AllowedNets", "Source IP matches IP or Aliases", check "Not" and state AllowedNets as value.
If you also need to limit the rule to a certain host, create a "host matches" ACL and put example.com into the value box. Call it MyHost.
Add an ACL, say "MyPath", "Path starts with" "/app/".
Create an action "http-request deny", in the condition ACL box insert "MyHost MyPath AllowedNets" (all the ACLs you've created before, separated by spaces).
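
For reference, the GUI steps in the reply above correspond roughly to the haproxy.cfg fragment below. This is an added example, not part of the original posts and not the exact output of the pfSense package; the frontend and backend names, bind port, networks and server address are constructed placeholders.

```haproxy
# Added example; names, networks and addresses are constructed placeholders.
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend erpnext_front                      # hypothetical frontend name
    bind :80                                # placeholder; a real frontend would normally terminate TLS

    # "Source IP matches IP or Aliases": the AllowedNets alias expands to its networks
    acl AllowedNets src 192.168.1.0/24 10.8.0.0/24    # constructed LAN and VPN ranges

    # "Host matches": exact, case-insensitive comparison with the Host header
    acl MyHost hdr(host) -i example.com

    # "Path starts with" /app/
    acl MyPath path_beg /app/
    # Precaution not in the reply: path_beg /app/ does not match the bare path /app,
    # so a second line with the same ACL name (HAProxy ORs them) covers it.
    acl MyPath path /app

    # The "Not" checkbox on AllowedNets corresponds to the "!" here:
    # deny when host AND path match AND the source is NOT in the allowed networks.
    http-request deny if MyHost MyPath !AllowedNets

    # Everything else (the public website) falls through to the backend.
    default_backend erpnext_back

backend erpnext_back                        # hypothetical backend name
    server erpnext 192.168.1.50:8000 check  # placeholder ERPNext address
```

Running `haproxy -c -f <file>` checks the syntax of such a fragment. Because MyHost is an exact match on the Host header, the deny applies only to requests whose Host is exactly example.com; leaving MyHost out of the condition applies the restriction to every hostname the frontend serves.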