Haproxy acl to block ips and host header

aka · October 26, 2019, 1:56am

Hi guys,
I can’t get the following acls to work as intended.

acl src1 src xx.xx.xx.xx/xx
acl src1 src yy.yy.yy.yy/yy
acl admin hdr_beg(host) -i admin
acl adminservice hdr_beg(host) -i adminservice

http-request deny if !src1 !adminservice admin

What I am trying to do is to block access to IPs other than src1 IPs to admin.domainname.com.
But the result I am getting is, I have access to admin.domainname.com after refreshing the page a few times. First it gives a 403 error but if I keep hitting refresh I am able to access the url.

Is the order of the condition in the action wrong? Could you please tell me what will be the result based on the above’s configuration?

Thanks,
aka

jerome · October 28, 2019, 12:28pm

I’d use something like this:

  acl src1 src 1.2.3.4
  acl admin hdr(host) -m beg admin.
  http-request deny unless src1 admin

your problem is that admin will match for both admin.domain and adminservice.domain.
you can also use the dom match, ie:

  acl src1 src 1.2.3.4
  acl admin hdr(host) -m dom admin
  http-request deny unless src1 admin

“dom” : domain match : check that a dot-delimited portion of the contents
exactly match one of the provided string patterns. This may be
used with binary or string samples.
https://cbonte.github.io/haproxy-dconv/2.0/configuration.html#7.1

aka · December 17, 2020, 1:20am

Thank you, that was useful.

Topic		Replies	Views
Haproxy acl on ip range with ip from header instead of src Help!	4	2977	January 6, 2021
Disable connection from specific host by hostname Help!	4	222	June 13, 2024
Block IP address block ....deny ip is not working for some reason Help!	2	1049	July 29, 2023
Block request if host == IP Help!	3	1590	October 5, 2018
Redirect to backend comparing requests and host in a file Help!	4	1310	May 3, 2022

Haproxy acl to block ips and host header

Related Topics