I am looking for an approach to solve the following requirement. I’m aware that this could be solved with a helper program/service which uses the API or other methods, but I’m curious if there is an elegant way to solve that purely within haproxy.
Basically I want to have a method of applying an IP restriction to a certain backend and I’d like to add an IP address to that map on the fly just by starting a request from that IP address with an additional protection mechanism (e.g. cert based authentication). This should than add the IP address the call is coming from to the list of whitelisted IP addresses.
This entry should ideally expire after a set amount of time.
More concrete example:
Assume to have two backends:
-
whitelistme.domain.tld: behind a frontend that requires client certificate authentication. When called (and passing client certificate validation) this would add the IP address the request came from to a map/map file
-
protected.domain.tld: a normal backend that can use the map/whitelist that is dynamically extended by the first backend
-
The entry in the map/map file should expire (=IP is not whitelisted any more) after a certain amount of time has passed
I assume that the whitelisting part could be solved by using the http-request set-map, but I am not sure whether the expiration could be solved in this way too