Default to second map when no hit in first one

The Goal

I'm trying to filter access to certain services to my internal IPs only. I use an ACL to determine if traffic is coming from an authorized subnet:

frontend front
    mode http
    acl is_intern src [my IP subnets]
    use_backend %[req.hdr(host),lower,map(/etc/haproxy/maps/hosts_intern.map)] if is_intern
    use_backend %[req.hdr(host),lower,map(/etc/haproxy/maps/hosts_extern.map)]

    default_backend default

  • If traffic is from an internal IP the hosts_intern.map is used.
  • If traffic is from an external IP the hosts_extern.map is used.

The problem:

Traffic for a service in hosts_extern.map coming from an internal IP will go straight to the default_backend.

I could also make entries for those services in hosts_intern.map, but I’d rather not have redundant entries between both files.

Is there a method for telling HAProxy to look in a second map file if the first one returns no match?

I found this article which under “Map Converters” explains you can pass a second argument to the converter with the backend to use when there is no match in the map. (use_backend %[req.hdr(host),lower,map(/etc/hapee-1.8/maps/hosts.map,be_static)], be_static being the backend in their example).

I tried to substitute that with the hosts_extern.map:

use_backend %[req.hdr(host),lower,map(/etc/haproxy/maps/hosts_intern.map,%[req.hdr(host),lower,map(/etc/haproxy/maps/hosts_extern.map)])] if is_intern

Unfortunately, all it did was break the line entirely.

The default_backend is needed as a catch-all, therefore I cannot use it for the hosts_extern.map.
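
One way to get the fallback described above, as an added example that is not part of the original post: guard the first rule with an ACL that is true only when the Host has an entry in hosts_intern.map (`-m found`), so internal requests without a hit there continue to the hosts_extern.map rule. The ACL name `in_intern_map` is an assumption, and `[my IP subnets]` is the poster's own placeholder.

```haproxy
frontend front
    mode http
    # Poster's placeholder: replace with the real internal subnets.
    acl is_intern src [my IP subnets]
    # True only when the lowercased Host header has an entry in hosts_intern.map
    # (hypothetical ACL name, not from the original post).
    acl in_intern_map req.hdr(host),lower,map(/etc/haproxy/maps/hosts_intern.map) -m found

    # Internal clients: use the internal map only when it actually has a hit.
    use_backend %[req.hdr(host),lower,map(/etc/haproxy/maps/hosts_intern.map)] if is_intern in_intern_map
    # External clients, and internal clients whose Host was not in the internal map.
    use_backend %[req.hdr(host),lower,map(/etc/haproxy/maps/hosts_extern.map)]

    # Catch-all when neither map matches.
    default_backend default
```

The fallback runs only from the internal map to the external one, so the source-IP restriction still depends on internal-only hostnames never appearing in hosts_extern.map.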