Growing IP ACL file

We have been using HAProxy to block unwanted IP addresses for the past few months. I’m concerned that if this file keeps on growing, it might impact the overall performance of HAProxy not to mention that it needs to be synchronized across several instances. Right now, it’s nearing the 2,000 line mark.

  • What are the current strategies in managing a growing IP ACL file?
  • What is the maximum number of lines an ACL can have?
  • What’s an alternative approach for blocking malicious IPs other than on HAProxy?

I’m thinking of this approach to automate this process:

  1. Use a DB backend to store the list of malicious IPs
  2. Create a script that will pull the list from the DB and generate an ACL file and run via cron job
  3. Reload HAProxy on file change or on a regular schedule

Thank you in advance!

Updating a file and reloading, like you suggest, or:
Updating a file (so that future reloads/restarts have up-to-date data), but instead of reloading haproxy you can add or remove entries via the admin socket:

https://cbonte.github.io/haproxy-dconv/2.2/management.html#9.3-add%20acl

When you run out of RAM.

Blocking them in iptables (with ipsets) or the equivalent in nftables is probably even more efficient.

1 Like
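As an added example (not code from the thread or from the HAProxy project), here is the sync script the two posts above describe: it pulls the blocklist from a "DB" (a constructed list of rows here), rewrites the ACL file so later reloads and restarts see the same data, and pushes only the delta over the admin socket with `add acl` / `del acl` (management guide section 9.3) instead of reloading. It also applies the later note that deletes are expensive before HAProxy 2.4: a large delete batch on an older version is routed to a file rewrite plus reload instead. The file path, socket path, threshold and version are assumptions; the demo in `__main__` uses documentation-range addresses and a temporary file and never opens the socket.

```python
"""Sync a DB-backed IP blocklist to HAProxy: rewrite the ACL file, then push the
delta over the admin socket rather than reloading.

Added example, not HAProxy's own tooling. Hypothetical assumptions:
  - haproxy.cfg references the file, e.g.  acl blocked src -f /etc/haproxy/blocklist.acl
  - the socket is configured with  stats socket /var/run/haproxy.sock level admin
  - the "database" is a plain list of strings (constructed sample rows)
"""
import ipaddress
import socket
import tempfile
from pathlib import Path

ACL_PATH = "/etc/haproxy/blocklist.acl"   # hypothetical path
ADMIN_SOCKET = "/var/run/haproxy.sock"    # hypothetical path
MAX_RUNTIME_DELETES = 500                 # constructed policy knob, not an HAProxy limit


def normalize(rows):
    """Validate rows and put them in one canonical form so the on-disk file and the
    runtime 'add acl'/'del acl' keys always agree. Malformed rows are skipped instead
    of being written into the ACL, where they would make HAProxy reject the file."""
    out = set()
    for raw in rows:
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        try:
            net = ipaddress.ip_network(raw, strict=False)
        except ValueError:
            continue
        out.add(str(net.network_address) if net.num_addresses == 1 else str(net))
    return out


def load_acl_file(path):
    """Entries as HAProxy loaded them at its last start or reload."""
    p = Path(path)
    return normalize(p.read_text().splitlines()) if p.exists() else set()


def plan(current, desired):
    """Delta between what HAProxy has and what the DB says it should have."""
    return sorted(desired - current), sorted(current - desired)


def runtime_commands(to_add, to_del, acl_path=ACL_PATH):
    """Admin-socket commands; <file> is the path HAProxy loaded the ACL from."""
    return ([f"add acl {acl_path} {key}" for key in to_add]
            + [f"del acl {acl_path} {key}" for key in to_del])


def choose_strategy(to_del, haproxy_version=(2, 2)):
    """Deleting runtime entries is costly before 2.4, so a big delete batch on an
    older version is cheaper as a file rewrite plus reload."""
    if haproxy_version < (2, 4) and len(to_del) > MAX_RUNTIME_DELETES:
        return "reload"
    return "socket"


def render_acl_file(desired):
    """One key per line, sorted, so the file is identical across instances."""
    return "".join(key + "\n" for key in sorted(desired))


def write_acl_file(desired, path):
    """Atomic replace: a reload never sees a half-written file."""
    tmp = Path(str(path) + ".tmp")
    tmp.write_text(render_acl_file(desired))
    tmp.replace(path)


def send_command(cmd, sock_path=ADMIN_SOCKET):
    """One command per connection; HAProxy closes the socket after answering."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall((cmd + "\n").encode())
        chunks = []
        while data := s.recv(4096):
            chunks.append(data)
    return b"".join(chunks).decode(errors="replace").strip()


def sync(db_rows, acl_path, haproxy_version=(2, 2), dry_run=True):
    """Full cycle: compute delta, rewrite the file, then push the delta over the
    socket or report that a reload is the better choice. Returns what it did."""
    current = load_acl_file(acl_path)
    desired = normalize(db_rows)
    to_add, to_del = plan(current, desired)
    strategy = choose_strategy(to_del, haproxy_version)
    write_acl_file(desired, acl_path)
    cmds = runtime_commands(to_add, to_del, acl_path) if strategy == "socket" else []
    if not dry_run:
        for cmd in cmds:
            send_command(cmd)
    return {"strategy": strategy, "commands": cmds, "added": to_add, "removed": to_del}


if __name__ == "__main__":
    # Constructed demo: documentation-range addresses, temporary file, no socket.
    with tempfile.TemporaryDirectory() as d:
        acl = Path(d) / "blocklist.acl"
        acl.write_text("203.0.113.5\n203.0.113.7\n198.51.100.0/24\n")
        db_rows = ["203.0.113.5", "203.0.113.9", "198.51.100.0/24", "not-an-ip"]
        result = sync(db_rows, acl, dry_run=True)
        print(result["strategy"])
        for c in result["commands"]:
            print(c)
```

Run it from cron with `dry_run=False` on each instance; because every instance rewrites the file from the same DB and only sends its own delta, the instances converge without having to copy the ACL file between them.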

Thanks! So in addition to updating the “main” ACL file, the script would insert the new IPs via the admin socket? This is brilliant!

Yes.

Do note that deleting ACL entries is quite expensive in haproxy < 2.4 (unreleased):

But we are talking about 10M entries here. If you only have a few thousand, this should be fine. And adding ACL entries is never expensive.