Hi Guys, I’m new to haproxy configurations and this may be a very sophomoric question but am hoping someone can give me some guidance. I have read through the documentation for haproxy 1.5.2 and haven’t seen a lot of info on using whitelist text files to allow traffic from specific originating CIDR subnets.
I have a whitelist of subnets in a text file and want to redirect all traffic to a maintenance page other than the CIDR subnets in the whitelist.lst file. My whitelist.lst file is as follows...

#Allowed Internal Subnets
10.0.0.0/22
172.31.0.0/16
10.1.4.1/22
10.24.8.0/24
10.24.32.0/23
10.24.48.0/24
10.24.56.0/24
172.20.208.0/24
172.24.132.0/22
172.24.152.0/22
172.24.160.0/22
172.24.248.0/24
172.24.64.0/22
172.27.128.0/24
192.168.169.0/24

I am using the following http-request statement:

http-request redirect location http://www.foo.com/maintenence unless { src -f /etc/haproxy/whitelist.lst }

With this statement all traffic is being redirected whether the client IP is in the whitelisted text file of subnets or not. Is my format for the whitelist.lst file correct? Is there any special formatting I need for haproxy to read it? Is my http-request statement correct? Any thoughts on how I can get this to work the way I intend?

From: JDzialo John [mailto:jdzi...@edrnet.com]
Sent: Thursday, July 17, 2014 1:38 PM
To: Jonathan Matthews; haproxy
Subject: RE: Using a Whitelist to Redirect Users not on the Whitelist

It was a method I found online without really understanding what the X-Forwarded-For header does. Traffic does not pass through a reverse proxy before hitting HAProxy. It should be a direct hit from the client. Is there a header I can compare to our whitelist to reliably get all incoming traffic's originating IP? REMOTE_ADDR, CLIENT_IP, etc?

Thanks

From: jonat...@jpluscplusm.com [mailto:jonat...@jpluscplusm.com] On Behalf Of Jonathan Matthews
Sent: Thursday, July 17, 2014 1:29 PM
To: haproxy
Subject: Re: Using a Whitelist to Redirect Users not on the Whitelist

On 17 Jul 2014 18:15, "JDzialo John" <jdzi...@edrnet.com> wrote:
> I am creating a whitelist of subnets allowed to access HAPROXY during
> maintenance. Basically I want to redirect everyone to our maintenance page
> other than users in the whitelisted file.
>
> This is not working and is forwarding everyone to the maintenance page
> despite being a member of a whitelisted subnet.
> (10.0.0.0/8)
>
> Is using the hdr_ip(X-Forwarded-For) in the acl the way to go

Unless your traffic is passing through another reverse proxy which inserts this header before it hits HAProxy, no. Why are you choosing to use that header?
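An added example for this thread (not HAProxy's code and not the poster's): an offline checker that reads a pattern file in the layout `src -f` expects (one address or address/prefix per line, blank lines and lines starting with `#` skipped) and reports, for a given client address, whether `http-request redirect ... unless { src -f <file> }` would send that client to the maintenance page. It evaluates the same `src` value HAProxy uses, the TCP peer address, so no header is involved. The sample file content is constructed from the list in the thread. Two things it makes visible: `10.1.4.1/22` has host bits set and is ambiguous (the network address would be `10.1.4.0/22`), and an address that is inside `10.0.0.0/8` is not necessarily inside one of the listed subnets, since the file contains specific /22s and /24s rather than `10.0.0.0/8`.

```python
"""Offline checker for an HAProxy-style IP pattern file, the kind loaded by
`src -f /etc/haproxy/whitelist.lst`.

Added example for this thread; it is not HAProxy code and not the poster's
code. It assumes the documented pattern-file layout: one pattern per line,
an address or address/prefixlen, with blank lines and lines beginning with
'#' ignored. The sample content below is constructed from the thread.
"""
import ipaddress

# Constructed copy of the poster's whitelist.lst (comment line included).
SAMPLE_WHITELIST = """\
#Allowed Internal Subnets
10.0.0.0/22
172.31.0.0/16
10.1.4.1/22
10.24.8.0/24
10.24.32.0/23
10.24.48.0/24
10.24.56.0/24
172.20.208.0/24
172.24.132.0/22
172.24.152.0/22
172.24.160.0/22
172.24.248.0/24
172.24.64.0/22
172.27.128.0/24
192.168.169.0/24
"""


def parse_pattern_file(text):
    """Return (networks, warnings).

    networks: list of (line_no, IPv4Network/IPv6Network) in file order.
    warnings: entries that are malformed or ambiguous. An entry with host
    bits set (10.1.4.1/22) is kept with the host bits cleared, but reported
    so the file can be corrected to the network address.
    """
    networks, warnings = [], []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank or comment line
        fields = line.split()
        token = fields[0]                 # the pattern is the first word
        if len(fields) > 1:
            warnings.append("line %d: trailing text after %r ignored; keep one pattern per line"
                            % (line_no, token))
        try:
            net = ipaddress.ip_network(token)             # strict: host bits must be 0
        except ValueError:
            try:
                net = ipaddress.ip_network(token, strict=False)
            except ValueError:
                warnings.append("line %d: %r is not an IP address or CIDR" % (line_no, token))
                continue
            warnings.append("line %d: %s has host bits set; did you mean %s?"
                            % (line_no, token, net))
        networks.append((line_no, net))
    return networks, warnings


def matching_entry(client_ip, networks):
    """Return the (line_no, network) that contains client_ip, or None."""
    addr = ipaddress.ip_address(client_ip)
    for line_no, net in networks:
        if addr.version == net.version and addr in net:
            return line_no, net
    return None


def would_redirect(client_ip, text=SAMPLE_WHITELIST):
    """Mirror `http-request redirect ... unless { src -f <file> }`.

    True means the client address is NOT in the list and would be sent to
    the maintenance page; False means the client passes through."""
    networks, _ = parse_pattern_file(text)
    return matching_entry(client_ip, networks) is None


if __name__ == "__main__":
    import sys
    # Usage: python check_whitelist.py [/etc/haproxy/whitelist.lst] [client_ip ...]
    path = sys.argv[1] if len(sys.argv) > 1 else None
    content = open(path).read() if path else SAMPLE_WHITELIST
    nets, warns = parse_pattern_file(content)
    for w in warns:
        print("WARNING:", w)
    for ip in sys.argv[2:] or ["10.0.3.7", "10.5.1.1"]:
        hit = matching_entry(ip, nets)
        if hit:
            print("%-16s allowed by line %d (%s)" % (ip, hit[0], hit[1]))
        else:
            print("%-16s REDIRECTED to maintenance" % ip)
```

Run it against the real file with the address a client actually connects from (the address HAProxy logs as the source, not an address you assume the client has): if the checker says "REDIRECTED" for that address, the list simply does not cover it and the `http-request` line is behaving as written. If the checker says "allowed" but HAProxy still redirects, the source address HAProxy sees differs from the one tested, which points at NAT or another proxy in front of HAProxy rather than at the file format.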