Hi Guys,
I’m new to haproxy configurations and this may be a very sophomoric question
but am hoping someone can give me some guidance. I have read through the
documentation for haproxy 1.5.2 and haven’t seen a lot of info on using
whitelist text files to allow traffic from specific originating CIDR subnets.
I have a whitelist of subnets in a text file and want to redirect all traffic
to a maintenance page other than the CIDR subnets in the whitelist.lst file.
My whitelist.lst file is as follows…
#Allowed Internal Subnets
10.0.0.0/22
172.31.0.0/16
10.1.4.1/22
10.24.8.0/24
10.24.32.0/23
10.24.48.0/24
10.24.56.0/24
172.20.208.0/24
172.24.132.0/22
172.24.152.0/22
172.24.160.0/22
172.24.248.0/24
172.24.64.0/22
172.27.128.0/24
192.168.169.0/24
I am using the following http-request statement
http-request redirect location http://www.foo.com/maintenence unless { src -f
/etc/haproxy/whitelist.lst }
With this statement all traffic is being redirected whether the client IP is in
the whitelisted text file of subnets or not.
Is my format for the whitelist.lst file correct? Is there any special
formatting I need for haproxy to read it?
Is my http-request statement correct? Any thoughts on how I can get this to
work the way I intend.
From: JDzialo John [mailto:jdzi...@edrnet.com]
Sent: Thursday, July 17, 2014 1:38 PM
To: Jonathan Matthews; haproxy
Subject: RE: Using a Whitlist to Redirect Users not on the Whitelist
It was a method I found online without really understanding what
X-Forwarded-For header does.
Traffic does not pass through a reverse proxy before hitting HAProxy. It
should be a direct hit from the client. Is there a header I can compare to our
whitelist to reliably get all incoming traffic’s originating IP?
REMOTE_ADDR, CLIENT_IP, etc?
Thanks
From: jonat...@jpluscplusm.commailto:jonat...@jpluscplusm.com
[mailto:jonat...@jpluscplusm.com] On Behalf Of Jonathan Matthews
Sent: Thursday, July 17, 2014 1:29 PM
To: haproxy
Subject: Re: Using a Whitlist to Redirect Users not on the Whitelist
On 17 Jul 2014 18:15, JDzialo John
jdzi...@edrnet.commailto:jdzi...@edrnet.com wrote:
I am creating a whitelist of subnets allowed to access HAPROXY during
maintenance. Basically I want to redirect everyone to our maintenance page
other than users in the whitelisted file.
This is not working and is forwarding everyone to the maintenance page
despite being a member of a whitelisted subnet.
(10.0.0.0/8http://10.0.0.0/8)
Is using the hdr_ip(X-Forwarded-For) in the acl the way to go
Unless your traffic is passing through another reverse proxy which inserts this
header before it hits HAProxy, no. Why are you choosing to use that header?