Block Sub URL for all except list of few IPs


#1

I am new to HAProxy. I want to restrict access to a sub URL for everyone except a few IPs. My HAProxy implementation is below, and it is blocking all IPs. I want “example.com/abc/qaz” accessible from 1.1.1.1 and 2.2.2.2 only.

# Listen to port 80.  Throw a 301 redirect to port 443
frontend Listen80
   bind *:80
   redirect scheme https code 301 if !{ ssl_fc }

# Listen to port 443.  Redirect to appropriate backend based on URL
frontend Listen443
   bind *:443 ssl crt /etc/ssl/certs/examplesslpem

   acl web_url        path_beg   /abc /xyz
   acl web_url        path_beg   /efg /xy
   acl batch_url      path_beg   /h /ga
   # second address is missing its last octet (see reply #2)
   acl network_allowed  src     1.1.1.1 2.2.2.
   acl resticted_pages  path_beg   /abc/qaz/
   http-request deny if resticted_pages !network_allowed
   use_backend BATCH        if batch_url
   # the svc_url ACL and the SVC backend are not shown in this post
   use_backend SVC          if svc_url
   use_backend WEB          if web_url

# Listen to port 8080.  Pass through to WEB backend
frontend Listen8080
   bind *:8080
   use_backend WEB

backend WEB
   mode http
   balance roundrobin
   option httpclose
   cookie SERVERIDWEB insert indirect nocache secure
   option forwardfor
   http-request set-header X-Forwarded-Port %[dst_port]
   http-request add-header X-Forwarded-Proto https if { ssl_fc }
   reqrep ^([^\ ]*\ /)abc[/]?(.*)     \1\2
   server app-1 example-app1.com:8080 check cookie app1web
   server app-2 example-app2.com:8080 check cookie app2web
   server app-3 example-app3.com:8080 check cookie app3web
   server app-4 example-app4.com:8080 check cookie app4web
   server app-5 example-app5.com:8080 check cookie app5web

#2

The only thing you probably wanna fix is that the last octet of the second IP is missing (2.2.2. should be 2.2.2.2); I don’t see anything else wrong in your configuration.


#3

Actually, due to Cloudflare the HAProxy server was getting the Cloudflare IP, and it was blocking all. I used CF-Connecting-IP and matched it with the list of allowed IPs.

acl restrict_page path_beg /abc/xyz
acl Whitelist hdr_ip(CF-Connecting-IP) -m ip -f /etc/haproxy/Whitelist.acl
http-request deny if !Whitelist restrict_page
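Putting the two posts together, here is an added example frontend (not from the thread) that restricts the sub URL by allow-list both for traffic arriving through Cloudflare and for connections that reach the origin directly; it goes one step beyond post #3 by only trusting CF-Connecting-IP when the TCP peer is actually a Cloudflare edge, since otherwise that header is just client-supplied input. The certificate path, the cloudflare_ips.lst file and the 403 status are assumptions.

```haproxy
# Added example, not from the thread. Paths, file names and the 403 status are assumptions.
# /etc/haproxy/Whitelist.acl holds one allowed client IP or CIDR per line, e.g.
#     1.1.1.1
#     2.2.2.2
# /etc/haproxy/cloudflare_ips.lst holds Cloudflare's published edge ranges (keep it current).
frontend Listen443
    bind *:443 ssl crt /etc/ssl/certs/example.pem
    mode http

    # Did this TCP connection come from a Cloudflare edge? Only then was
    # CF-Connecting-IP set by Cloudflare rather than by whoever connected.
    acl from_cloudflare     src -f /etc/haproxy/cloudflare_ips.lst

    # Real client address: from the header for proxied traffic,
    # from the TCP source for direct connections.
    acl cf_client_allowed   hdr_ip(CF-Connecting-IP) -m ip -f /etc/haproxy/Whitelist.acl
    acl src_allowed         src -f /etc/haproxy/Whitelist.acl

    acl restricted_pages    path_beg /abc/qaz
    acl web_url             path_beg /abc /xyz

    # Deny the restricted tree unless the client is on the allow-list.
    http-request deny deny_status 403 if restricted_pages from_cloudflare !cf_client_allowed
    http-request deny deny_status 403 if restricted_pages !from_cloudflare !src_allowed

    use_backend WEB if web_url
```

Check the syntax with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading.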