Help about Haproxy control list, how can allow only some specific links to pass haproxy server


#1

Help about Haproxy control list, how can allow only some specific links to pass haproxy server
Dear all, I have a domain whitelist file, which includes around 200 links. The whitelist looks like:

facebook.com
google.com




bbc.com

I want to create a acl control list to only allow the domains in the whitelist to pass my server. At present, I tried the config file, but unfortunately it doesnt work as expected:

default_backend b_deadend_http
use_backend http_ok if { hdr_beg(host) -f /etc/haproxy/white.lst }

I’m not sure what’s wrong, does the whitelist file require any special format? or the acl rule is problematic?

Any tips will be appreciated.


#2

Are you hosting facebook, Google and Amazon? Probably not. But your configuration checks the Host header.

It does not check the HTTP body for links and replaces them, is that what you want? Haproxy cannot do that afaik (unless there is something that can be done with LUA, I’m not sure).


#3

Dear lukastribus,
Thanks for your kind response.

I’m not hosting facebook, goolge or Amazon. I wanna to use Haproxy as a reverse proxy server.

So I want the Haproxy allows only some specific domains in the whitelist to pass my server. As I have more than 200 domains, if I add all the domains to haproxy.cfg, it would be not convenient to maintain them. I want to creat a whitelist file, such as, whitelist.lst, and put all the domains into the file.

In the config file haproxy.cfg, I wanna use one acl rule to filter requests, such as:

use_backend http_ok if { hdr_beg(host) -f /etc/haproxy/white.lst }

The current problem is that I dont know how to prepare the white.lst file, is it okay to just put the domains into a text file, like:

#--------start------------
acebook.com
google.com




bbc.com
#--------end------------

Does the whitelist file require any special format?


#4

Just specify one domain per line, as you did above. No special formatting needed.

I’m still not sure what you want to achieve though.


#5

Dear lukastribus,
Thanks, I will test it ASAP.