HAProxy restrict single backend by ip range

I have inherited an HAProxy setup with around twenty backend definitions (and little else) in the config file. I have been asked to restrict one of the backends to a specific IP range, but so far my research (and limited HAProxy knowledge) have yielded nothing.

Whilst reading the manual, I have found a network_allowed parameter that would work for a frontend, but I don't seem to have any front end definitions and I don't want to apply this restriction to any of the other proxy routes. Is there anything I can specifically use on a backend to restrict access by IP range?

Thanks, Simon

srowland asked Apr 28 '14 13:04


1 Answer

To have a functional HAProxy setup you would need either 'frontend' or 'listen' directives. These are the only directives that will respond to incoming requests. The 'backend' directive only provides for a way to route traffic behind the proxy.

That being said, here are the entries you need in a 'frontend' or 'listen' directive to accomplish your goals:

acl white_list src 192.168.1.0/24 192.168.10.0/24
tcp-request content accept if white_list
tcp-request content reject

These directives would allow only traffic coming from the 192.168.1/24 and 192.168.10/24 subnets.

Jason answered Oct 21 '22 11:10
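For the question's goal of restricting only one backend, the sketch below is an added example, not part of the original answer or the asker's configuration. It reuses the answer's ACL but places it in the one backend to be restricted, which works because HAProxy also accepts `acl` and `tcp-request content` rules in `backend` sections. The section names, hostname, port and server addresses are assumed placeholders.

```haproxy
# Added example: section names, hostname, port and server addresses are placeholders.
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend fe_main
    bind :80
    # Routing only. No source filtering here, so the other backends stay reachable.
    acl host_restricted hdr(host) -i restricted.example.test
    use_backend be_restricted if host_restricted
    default_backend be_public

backend be_restricted
    # Same allow-list as in the answer, evaluated only for sessions routed to this backend.
    acl white_list src 192.168.1.0/24 192.168.10.0/24
    # Drop the session unless the client address falls inside the allow-list.
    tcp-request content reject unless white_list
    server app1 192.0.2.10:8080 check

backend be_public
    # Unrestricted backend, shown to confirm the rule above does not affect it.
    server web1 192.0.2.20:8080 check
```

`src` matches the address of the TCP peer, so if HAProxy sits behind another load balancer or NAT device the ACL sees that device's address rather than the original client's. Run `haproxy -c -f <config file>` to validate the configuration before reloading.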