On Thu, 22 May 2025 00:33:28 -0700, Willy Tarreau wrote:
> If you don't have too many IP addresses per host, maybe you can enumerate
> them all and have everything in a single list, in which you would look up
> a concatenation of the host and the IP address. If you have many addresses
> with various prefixes, then we'd need first to turn the addresses to binary
> before performing a longest match lookup of the concatenation of host and
> IP. This would be fast since it's one in a tree. However we don't have such
> an operator right now, but that wouldn't be too hard to implement. Maybe
> that's something we could add to the short-term todo list.
That sounds like a great idea! As we will mostly have prefixes we can probably
use a prefix match to avoid having to enumerate every IP. An example map could
look like this:
# 10.0.1.0/24
example.com|000010100000000000000001 1
# 0.0.0.0/0
allow-any.com| 1
where 1 means a request should be allowed. Then the client IP 10.0.1.10 for a
request to example.com would be converted to:
example.com|00001010000000000000000100001010
which is looked up using map_beg_int. So the entire thing would look something
like this (assuming the converter is called ip_bin):
http-request set-var(req.ip_bin) src,ip_bin
http-request set-var-fmt(req.acl_key) %[hdr(host)]|%[var(req.ip_bin)]
http-request deny if { var(req.acl_key),map_beg_int(/etc/haproxy/allow-list,0) eq 0 }
The converter would accept ip as input type and output type would be str.
Does this make sense?
I would be interested to take a stab at implementing the converter, though I'm
a bit of a newbie when it comes to C programming.
--
Max
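As an added example (it is not part of this thread and not HAProxy code), the lookup described in the message above, modelled in Python so the key construction and the prefix match can be checked against the sample map. The ip_bin function is a hypothetical stand-in for the proposed converter, the map_beg_int function is an assumed model of the longest-prefix behaviour of HAProxy's map_beg_int, and the sample map is the one from the message, embedded here as constructed data. The example goes slightly beyond the message by also building keys for IPv6 addresses (128 bits) and for arbitrary CIDR prefixes.

```python
import ipaddress

# Constructed sample map in the format proposed in the thread:
# "<host>|<leading bits of the prefix> <value>", with "#" comment lines.
# Not a real HAProxy map file.
ALLOW_LIST = """\
# 10.0.1.0/24
example.com|000010100000000000000001 1
# 0.0.0.0/0
allow-any.com| 1
"""


def ip_bin(ip):
    """Hypothetical model of the proposed ip_bin converter: the address as a
    string of '0'/'1' characters, 32 for IPv4 and 128 for IPv6."""
    addr = ipaddress.ip_address(ip)
    return format(int(addr), "0{}b".format(addr.max_prefixlen))


def prefix_bits(cidr):
    """Leading <prefixlen> bits of a CIDR's network address, i.e. the map key
    one would write for that prefix (after the host and the '|')."""
    net = ipaddress.ip_network(cidr, strict=False)
    return ip_bin(str(net.network_address))[:net.prefixlen]


def parse_map(text):
    """Parse the map into (key, value) pairs; the key runs up to the first
    space, so a key ending in '|' (match any address) is kept intact."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        entries.append((key, value.strip()))
    return entries


def map_beg_int(entries, sample, default=0):
    """Assumed model of map_beg_int: the longest map key that is a prefix of
    the sample wins; the default is returned when no key matches."""
    best = None
    for key, value in entries:
        if sample.startswith(key) and (best is None or len(key) > len(best[0])):
            best = (key, value)
    return int(best[1]) if best else default


def acl_key(host, client_ip):
    """Equivalent of the set-var-fmt line: "<host>|<ip bits>"."""
    return "{}|{}".format(host, ip_bin(client_ip))


def allowed(entries, host, client_ip):
    """True when the deny rule would NOT fire (map value != 0)."""
    return map_beg_int(entries, acl_key(host, client_ip), 0) != 0


if __name__ == "__main__":
    entries = parse_map(ALLOW_LIST)
    for host, ip in [("example.com", "10.0.1.10"), ("example.com", "10.0.2.10"),
                     ("allow-any.com", "192.0.2.7"), ("other.com", "10.0.1.10")]:
        print(host, ip, "allow" if allowed(entries, host, ip) else "deny")
```

Because the host is included in the key ahead of the '|', a key for example.com cannot accidentally match a request for example.com.evil, and a host entry with no bits after the '|' acts as the 0.0.0.0/0 (or ::/0) catch-all for that host only.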