HAProxy ACL on IP range with IP from header instead of src

Howdy Folks,

I understand that it is possible to create an acl for IP ranges based on src like:
acl white_list src 192.168.1.0/24 192.168.10.0/24
But is it possible to do the same if the IP is based on an http header? I tried something like:
acl white_list req.hdr(X-Actual-IP) 192.168.1.0/24 192.168.10.0/24
and it doesn’t work, I’m assuming it’s doing a string match which isn’t what I want. Is there a way to treat the value of a request header as an IP in an acl?

Cheers,
Kelvin

You probably want to use set-src here, then your src directive in your ACL will work.

Hmm, ya thanks! That’s one way of doing it but this may interfere with other ACLs that already leverage the existing src. I can work around it but if there’s no other solution, I’ll go with this approach.

You need -m ip as per ACL basics:

acl white_list req.hdr(X-Actual-IP) -m ip 192.168.1.0/24 192.168.10.0/24

1 Like

Thanks @lukastribus! That works. Funny because I tried the solution from @supermathie and couldn’t get it to really work because of a bug that y’all both worked on: "http-request set-src" affects connection, not transaction or request · Issue #90 · haproxy/haproxy · GitHub

2 Likes
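
The fix from the thread in context, as an added example that is not from any of the posters or from the HAProxy project: the header-based allowlist is only meaningful when the header can be set by nothing but a trusted upstream proxy, so the sketch strips it from every other connection before matching. The section names, the trusted proxy range 10.0.0.0/8, the ports and the backend address are assumptions; the header name and the allowlisted networks are the ones from the question.

```haproxy
# Constructed example configuration; fe_web, be_app, trusted_proxy and all
# addresses other than the two allowlisted /24 networks are assumptions.
frontend fe_web
    mode http
    bind :8080

    # Upstream proxies that are allowed to set X-Actual-IP (assumed range).
    acl trusted_proxy src 10.0.0.0/8

    # Remove the header on connections that do not come from a trusted proxy,
    # so a direct client cannot supply its own allowlisted address.
    http-request del-header X-Actual-IP unless trusted_proxy

    # Form from the question: req.hdr returns a string, so the patterns are
    # compared as text and "192.168.1.0/24" never matches an address.
    # acl white_list req.hdr(X-Actual-IP) 192.168.1.0/24 192.168.10.0/24

    # Form from the answer: -m ip parses the header value as an address and
    # matches it against the networks. In an ACL, req.hdr checks every
    # occurrence of the header, so one matching occurrence is enough.
    acl white_list req.hdr(X-Actual-IP) -m ip 192.168.1.0/24 192.168.10.0/24

    # Requests without the header, or with an address outside the networks,
    # do not match white_list and are rejected.
    http-request deny deny_status 403 unless white_list

    default_backend be_app

backend be_app
    mode http
    server app1 127.0.0.1:8081
```

The `req.hdr_ip(X-Actual-IP)` fetch returns an address directly and can be used in the ACL without `-m ip`; unlike `set-src`, neither form changes `src`, so existing `src`-based ACLs keep seeing the connection address.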