Hello. Tell me how to use an ACL to reject client connections by hostname. I was able to block by IP:
acl blocked_host src 172.20.40.25
tcp-request connection reject if blocked_host
But I don’t understand how to do it by hostname.
hdr(Host) contains the destination host name.
I found resolvers in the documentation, but I can’t figure out how to use them in acl.
What about:
acl blocked_host hdr(Host) -m str "badhostname" # match hdr(Host) using string method
tcp-request connection reject if blocked_host
?
Relevant config section is: https://docs.haproxy.org/dev/configuration.html#7.1
Append ‘www.’ prefix in front of all hosts not having it
http-request redirect code 301 location \
http://www.%[hdr(host)]%[capture.req.uri] \
unless { hdr_beg(host) -i www }
This example proves that hdr(Host) contains the destination host name, not the source. I don't want host A to connect to host B, but hdr(host) contains B.
Ok, got it this time (sorry for my previous post)
Unless the client already provides its hostname by setting an optional header in the request, there is no such “source” hostname in an HTTP transaction.
If I understand correctly what you’re looking for is a reverse DNS lookup operation right? (get the domain name from the client’s IP)
HAProxy doesn’t provide a native way to do that, maybe you could extend HAProxy using Lua to achieve that.
But I’m wondering why you would need to block some clients based on name and not IP? It could be interesting to know more about your use case there.
acl blocked_host src host1.example.org
tcp-request connection reject if blocked_host
Do note that this is resolved only at startup. Read more about this in 7.1.6. Matching IPv4 and IPv6 addresses
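As an added example (not from this thread or the HAProxy project), a small Python check for that startup-only resolution caveat: it pulls the hostnames out of "acl ... src ..." lines, resolves them, and reports which ones no longer resolve to what HAProxy saw at startup, so the operator knows a reload is due. The config lines, hostnames and resolver answers below are constructed.

```python
import ipaddress
import re
import socket

# "acl NAME src VALUE [VALUE ...]"; a trailing "# comment" is dropped.
ACL_SRC_RE = re.compile(r"^\s*acl\s+(\S+)\s+src\s+([^#]+)")

def parse_src_acls(config_text):
    """Return {acl_name: [value, ...]} for every 'acl ... src ...' line."""
    acls = {}
    for line in config_text.splitlines():
        m = ACL_SRC_RE.match(line)
        if m:
            acls.setdefault(m.group(1), []).extend(m.group(2).split())
    return acls

def is_literal(value):
    """True for an IP address or CIDR block, False for a hostname."""
    try:
        ipaddress.ip_network(value, strict=False)
        return True
    except ValueError:
        return False

def resolve_now(host):
    """Live resolver: every IPv4 address the system resolver returns."""
    return sorted(socket.gethostbyname_ex(host)[2])

def snapshot(config_text, resolve=resolve_now):
    """Hostname -> addresses for each src-ACL hostname; HAProxy does this once at startup."""
    return {v: resolve(v)
            for values in parse_src_acls(config_text).values()
            for v in values if not is_literal(v)}

def stale_hosts(at_startup, current):
    """Hostnames that now resolve differently than when HAProxy started (reload needed)."""
    return sorted(h for h, a in current.items() if at_startup.get(h) != a)

# Constructed sample config and resolver answers (not real hosts).
SAMPLE_CONFIG = """
    acl blocked_host src host1.example.org 172.20.40.25
    tcp-request connection reject if blocked_host
"""
AT_STARTUP = {"host1.example.org": ["192.0.2.10"]}
NOW = {"host1.example.org": ["192.0.2.11"]}

if __name__ == "__main__":
    before = snapshot(SAMPLE_CONFIG, resolve=AT_STARTUP.get)
    after = snapshot(SAMPLE_CONFIG, resolve=NOW.get)
    print("reload needed for:", stale_hosts(before, after))  # ['host1.example.org']
```

Run it with the default resolver against a saved startup snapshot from a cron job or a reload hook; an empty list means the running instance still matches DNS.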