Disable connection from specific host by hostname

Hello. Tell me how to use the acl to reject client connections by hostname. I was able to block by IP

acl blocked_host src
TCP request reject connection if blocked_host

But I don’t understand how to do it by hostname.
hdr(Host) contains the destination host name.
I found resolvers in the documentation, but I can’t figure out how to use them in acl.

What about:

acl blocked_host hdr(Host) -m str "badhostname" # match hdr(Host) using string method
tcp-request reject connection if blocked_host


Relevant config section is: https://docs.haproxy.org/dev/configuration.html#7.1

Append ‘www.’ prefix in front of all hosts not having it

http-request redirect code 301 location      \
  http://www.%[hdr(host)]%[capture.req.uri]  \
  unless { hdr_beg(host) -i www }

This example proofs that hdr(Host) contains the destination host name not the source. I don’t whant that host A connect to host B, but hdr(host) contains B.

Ok, got it this time (sorry for my previous post)

Unless the client already provides its hostname by setting an optional header in the request, there is no such “source” hostname in an HTTP transaction.

If I understand correctly what you’re looking for is a reverse DNS lookup operation right? (get the domain name from the client’s IP)

HAProxy doesn’t provide a native way to do that, maybe you could extend HAProxy using Lua to achieve that.

But I’m wondering why you would need to block some clients based on name and not IP? It could be interesting to know more about your use case there.

acl blocked_host src host1.example.org
tcp request reject connection if blocked_host

Do note that this is resolved only at startup. Read more about this in 7.1.6. Matching IPv4 and IPv6 addresses