I'm trying to filter access to certain services to my internal IPs only. I use an ACL to determine if traffic is coming from an authorized subnet:

    frontend front
        mode http
        acl is_intern src [my IP subnets]
        use_backend %[req.hdr(host),lower,map(/etc/haproxy/maps/hosts_intern.map)] if is_intern
        use_backend %[req.hdr(host),lower,map(/etc/haproxy/maps/hosts_extern.map)]
        default_backend default

- If traffic is from an internal IP the
- If traffic is from an external IP the
Traffic for a service in
hosts_extern.map coming from an internal IP will go straight to the
I could also make entries for those services in hosts_intern.map, but I’d rather not have redundant entries between both files.
Is there a method for telling HAProxy to look in a second map file if the first one returns no match?
I found this article, which under “Map Converters” explains that you can pass a second argument to the converter with the backend to use when there is no match in the map (be_static being the backend in their example).
I tried to substitute that with the
use_backend %[req.hdr(host),lower,map(/etc/haproxy/maps/hosts_intern.map,%[req.hdr(host),lower,map(/etc/haproxy/maps/hosts_extern.map)])] if is_intern
Unfortunately, all it did was break the line entirely.
default_backend is needed as a catch-all, therefore I cannot use it for the
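
One way to get the fallback asked about above, as an added example that is not part of the original post: resolve the backend name into a transaction variable and consult hosts_extern.map only when hosts_intern.map produced no match. The variable name `txn.be` and the subnets shown are assumptions for illustration; the map paths and the `default` backend are the ones from the post.

```haproxy
frontend front
    mode http

    # Constructed placeholder subnets; replace with the real internal ranges.
    # Note: src is the address of the TCP peer. If another proxy sits in
    # front of HAProxy, src is that proxy, not the original client.
    acl is_intern src 10.0.0.0/8 192.168.0.0/16

    # Step 1: internal clients look up the Host header in the internal map.
    # map() without a default argument yields no sample on a miss, so
    # txn.be stays unset when the host is not listed there.
    http-request set-var(txn.be) req.hdr(host),lower,map(/etc/haproxy/maps/hosts_intern.map) if is_intern

    # Step 2: fall back to the external map when nothing has been found yet.
    # This covers external clients (step 1 never ran for them) and internal
    # clients whose host is only listed in hosts_extern.map.
    http-request set-var(txn.be) req.hdr(host),lower,map(/etc/haproxy/maps/hosts_extern.map) if !{ var(txn.be) -m found }

    # Step 3: switch only when a lookup succeeded. A host present in neither
    # map leaves txn.be unset and the request goes to the catch-all.
    use_backend %[var(txn.be)] if { var(txn.be) -m found }
    default_backend default
```

Because step 1 is gated on `is_intern`, a request from an external address is never resolved through hosts_intern.map, so internal-only services need an entry in that file alone.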