Hi Guys,

I’m new to haproxy configurations and this may be a very sophomoric question 
but am hoping someone can give me some guidance.  I have read through the 
documentation for haproxy 1.5.2 and haven’t seen a lot of info on using 
whitelist text files to allow traffic from specific originating CIDR subnets.

I have a whitelist of subnets in a text file and want to redirect all traffic 
to a maintenance page other than the CIDR subnets in the whitelist.lst file.

My whitelist.lst file is as follows…

#Allowed Internal Subnets
10.0.0.0/22
172.31.0.0/16
10.1.4.1/22
10.24.8.0/24
10.24.32.0/23
10.24.48.0/24
10.24.56.0/24
172.20.208.0/24
172.24.132.0/22
172.24.152.0/22
172.24.160.0/22
172.24.248.0/24
172.24.64.0/22
172.27.128.0/24
192.168.169.0/24

I am using the following http-request statement

http-request redirect location http://www.foo.com/maintenence unless { src -f 
/etc/haproxy/whitelist.lst }

With this statement all traffic is being redirected whether the client IP is in 
the whitelisted text file of subnets or not.

Is my format for the whitelist.lst file correct?  Is there any special 
formatting I need for haproxy to read it?

Is my http-request statement correct?  Any thoughts on how I can get this to 
work the way I intend.





From: JDzialo John [mailto:jdzi...@edrnet.com]
Sent: Thursday, July 17, 2014 1:38 PM
To: Jonathan Matthews; haproxy
Subject: RE: Using a Whitlist to Redirect Users not on the Whitelist

It was a method I found online without really understanding what 
X-Forwarded-For header does.

Traffic does not pass through a reverse proxy before hitting HAProxy.  It 
should be a direct hit from the client.  Is there a header I can compare to our 
whitelist to reliably get all incoming traffic’s originating IP?

REMOTE_ADDR, CLIENT_IP, etc?

Thanks

From: jonat...@jpluscplusm.com<mailto:jonat...@jpluscplusm.com> 
[mailto:jonat...@jpluscplusm.com] On Behalf Of Jonathan Matthews
Sent: Thursday, July 17, 2014 1:29 PM
To: haproxy
Subject: Re: Using a Whitlist to Redirect Users not on the Whitelist


On 17 Jul 2014 18:15, "JDzialo John" 
<jdzi...@edrnet.com<mailto:jdzi...@edrnet.com>> wrote:
> I am creating a whitelist of subnets allowed to access HAPROXY during 
> maintenance.  Basically I want to redirect everyone to our maintenance page 
> other than users in the whitelisted file.
>
> This is not working and is forwarding everyone to the maintenance page 
> despite being a member of a whitelisted subnet. 
> (10.0.0.0/8<http://10.0.0.0/8>)
>
> Is using the hdr_ip(X-Forwarded-For) in the acl the way to go

Unless your traffic is passing through another reverse proxy which inserts this 
header before it hits HAProxy, no. Why are you choosing to use that header?

Reply via email to