Haproxy acl to block ips and host header

aka · October 26, 2019, 1:56am

Hi guys,
I can’t get the following acls to work as intended.

acl src1 src xx.xx.xx.xx/xx
acl src1 src yy.yy.yy.yy/yy
acl admin hdr_beg(host) -i admin
acl adminservice hdr_beg(host) -i adminservice

http-request deny if !src1 !adminservice admin

What I am trying to do is to block access to IPs other than src1 IPs to admin.domainname.com.
But the result I am getting is, I have access to admin.domainname.com after refreshing the page a few times. First it gives a 403 error but if I keep hitting refresh I am able to access the url.

Is the order of the condition in the action wrong? Could you please tell me what will be the result based on the above’s configuration?

Thanks,
aka

jerome · October 28, 2019, 12:28pm

I’d use something like this:

  acl src1 src 1.2.3.4
  acl admin hdr(host) -m beg admin.
  http-request deny unless src1 admin

your problem is that admin will match for both admin.domain and adminservice.domain.
you can also use the dom match, ie:

  acl src1 src 1.2.3.4
  acl admin hdr(host) -m dom admin
  http-request deny unless src1 admin

“dom” : domain match : check that a dot-delimited portion of the contents
exactly match one of the provided string patterns. This may be
used with binary or string samples.
https://cbonte.github.io/haproxy-dconv/2.0/configuration.html#7.1

aka · December 17, 2020, 1:20am

Thank you, that was useful.

Topic		Replies	Views
Haproxy acl on ip range with ip from header instead of src Help!	4	2076	January 6, 2021
Block request if host == IP Help!	3	1415	October 5, 2018
Redirect to backend comparing requests and host in a file Help!	4	1054	May 3, 2022
URL redirect with acl Help!	1	612	July 16, 2021
Restricting URLs to an IP range Help!	2	430	October 25, 2023

Haproxy acl to block ips and host header

Related Topics