IP whitelist does not seem to work

It seems that the whitelist is not working as expected for
haproxy -V
HA-Proxy version 2.0.13-2ubuntu0.1 2020/09/08 - https://haproxy.org/

the setup is the following in haproxy.cfg

# "allow" only ends HAProxy's own http-request rule evaluation for matching
# sources; it does not stop the backend server from answering 403 itself.
acl Whitelist src -f /etc/haproxy/Whitelist.acl
http-request allow if Whitelist

I tried different versions of the file, with no success:
haproxy[6696]: 66.249.70.86:47620 [27/Feb/2021:10:51:32.539] webfront~ dynamic/vm028 0/0/0/2/2 403 2684 … “GET / HTTP/1.1”
haproxy[6696]: 66.249.64.63:36109 [27/Feb/2021:10:51:32.490] webfront~ dynamic/vm028 0/0/0/2/2 403 2739 … “GET / HTTP/1.1”

I myself can access the site:
haproxy[6696]: myIP:52597 [27/Feb/2021:11:22:37.249] webfront~ dynamic/vm028 0/0/2/4/6 200 4433 ... "GET / HTTP/1.1"

First I tried
cat /etc/haproxy/Whitelist.acl
66.249.64.0/19

for the following range
NetRange: 66.249.64.0 - 66.249.95.255
CIDR: 66.249.64.0/19

Then we tried

cat /etc/haproxy/Whitelist.acl
66.249.64.0/24
66.249.65.0/24
66.249.66.0/24
66.249.68.0/24
66.249.69.0/24
66.249.70.0/24
66.249.71.0/24
66.249.72.0/24
66.249.73.0/24
66.249.74.0/24
66.249.75.0/24
66.249.76.0/24
66.249.77.0/24
66.249.78.0/24
66.249.79.0/24
66.249.80.0/24
66.249.81.0/24
66.249.82.0/24
66.249.83.0/24
66.249.84.0/24
66.249.85.0/24
66.249.86.0/24
66.249.87.0/24
66.249.88.0/24
66.249.89.0/24
66.249.90.0/24
66.249.91.0/24
66.249.92.0/24
66.249.93.0/24
66.249.94.0/24
66.249.95.0/24

Any help would be very appreciated
Thanks

I’m also facing this kind of bug.

Please provide the full configuration.

Both back-end servers (BE1, BE2) are Nginx servers with ModSecurity at their level, but nothing regarding bots.
I even tried an inline config file definition, but with no luck.

Here is the full config and the whitelist file.

haproxy config

global
	log /dev/log	local0
	log /dev/log	local1 notice
	chroot /var/lib/haproxy
	# "level admin" lets anything able to open this socket run every
	# management command (disable servers, drop sessions, ...); the 660 mode
	# restricts that to the haproxy user/group.
	stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
	stats timeout 30s
	user haproxy
	group haproxy
	daemon

	# Default SSL material locations
	ca-base /etc/ssl/certs
	crt-base /etc/ssl/private

	# See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
        ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
        ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
        ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
	tune.ssl.default-dh-param 2048
	# NOTE(review): the backend servers bk1/bk2 are reached with "ssl" but
	# their certificates are never verified, so the HAProxy->backend TLS hop
	# is encrypted but unauthenticated. Prefer "ssl-server-verify required"
	# with a ca-file on the servers once their certificates come from a CA
	# HAProxy can trust.
	ssl-server-verify none

defaults
	log	global
	mode	http
	option	httplog
	option	dontlognull
        # Bare numbers are milliseconds: 5 s connect, 50 s client/server.
        # The frontend and backends below override these with their own values.
        timeout connect 5000
        timeout client  50000
        timeout server  50000
	# Custom error pages returned when HAProxy itself generates the error.
	errorfile 400 /etc/haproxy/errors/400.http
	errorfile 403 /etc/haproxy/errors/403.http
	errorfile 408 /etc/haproxy/errors/408.http
	errorfile 500 /etc/haproxy/errors/500.http
	errorfile 502 /etc/haproxy/errors/502.http
	errorfile 503 /etc/haproxy/errors/503.http
	errorfile 504 /etc/haproxy/errors/504.http

frontend webfront
	# "[IP]" is a redaction placeholder in this post, not a literal value.
	bind	        [IP]:80
    bind            [IP]:443 ssl crt /etc/haproxy/ssl/xxxx/ssl.pem

    # http-request rules run in order: plain-HTTP requests are redirected
    # here before any allow/deny rule below is reached, so the whitelist and
    # deny logic only ever sees the HTTPS side.
    http-request redirect scheme https unless { ssl_fc }

    mode            http
    log             global
    option          httplog
    option          dontlognull
    monitor-uri     /monitoruri
    maxconn         8000
    timeout client  30s

    # ACL definitions
	acl restricted_page path_beg /webcms/
	# NOTE(review): this loads Whitelist-cms.acl, not the
	# /etc/haproxy/Whitelist.acl quoted earlier in the thread; make sure the
	# file being edited is the one actually loaded here.
	acl Whitelist src -f /etc/haproxy/Whitelist-cms.acl
	acl exceeds_rate_limit sc_gpc0_rate(0) gt 15
	acl exceeds_limit sc_http_req_rate(1,per_ip_rates_on_24) gt 400
	acl blockedagent hdr_sub(user-agent) -i -f /etc/haproxy/blacklist.agent
    # Despite the name, WhitelistAgent matches the client source IP (src),
    # not the User-Agent header; the file it loads holds CIDR ranges.
    acl WhitelistAgent src -f /etc/haproxy/Whitelist-agent.acl
    acl badguys src -f /etc/haproxy/badguys.txt
    acl IsResource path_end .css .js .png .jpeg .gif .ico


    # "allow" stops http-request rule evaluation: a source listed in
    # Whitelist-agent.acl skips every deny, the stick-table tracking and the
    # 429 limits below. A 403 for such a client cannot come from this
    # frontend; the 403 log lines in the thread name dynamic/vm028 as the
    # serving server, which points at the backend (ModSecurity, per the
    # thread's conclusion) rather than at a deny here.
	http-request allow if WhitelistAgent
    # NOTE(review): there is no matching deny, so /webcms/ is NOT restricted
    # to Whitelist by this rule alone -- every source not caught by badguys or
    # blockedagent still reaches it. If restriction is the intent, something
    # like "http-request deny if restricted_page !Whitelist" is needed after
    # this line.
    http-request allow if Whitelist restricted_page
    http-request deny if badguys
	http-request deny if blockedagent

	# track client's source IP in per_ip_rates stick table
    http-request track-sc0 src table per_ip_rates unless IsResource

    # Increment general-purpose counter in per_ip_rates if client
    # is visiting page for the first time (sc_http_req_rate take a sc number as input)
    # NOTE(review): per_ip_rates stores only gpc0,gpc0_rate(30s) (see its
    # stick-table line), not http_req_rate, so sc_http_req_rate(0,per_ip_rates)
    # appears to have nothing to read and this condition looks like it never
    # matches -- in which case exceeds_rate_limit never triggers. Confirm with
    # "show table per_ip_rates" on the stats socket.
    http-request sc-inc-gpc0(0) if { sc_http_req_rate(0,per_ip_rates) eq 1 }
	# Deny requests if over the rate limit
	http-request deny deny_status 429 if exceeds_rate_limit

    # track client's source IP accessed in
  	http-request track-sc1 src table per_ip_rates_on_24  unless IsResource
    # Deny requests if over the daily rate limit
    http-request deny deny_status 429 if exceeds_limit

	default_backend dynamic


backend dynamic
        mode            http
        balance         roundrobin
        retries         2
        option redispatch
        timeout connect 5s
        timeout server  30s
        timeout queue   30s
        # Health check: HEAD / against each server.
        option httpchk  HEAD /
        # Persistence cookie: HAProxy inserts it into responses ("insert") and
        # strips it from requests before they reach the servers ("indirect").
        # NOTE(review): it is set without "secure"/"httponly"; the frontend
        # forces HTTPS anyway, so adding both keeps it off plain HTTP and out
        # of reach of page scripts.
        cookie          SERVERID insert indirect nocache
        fullconn        4000 # the servers will be used at full load above this number of connections
        # "ssl" re-encrypts to the servers, but with "ssl-server-verify none"
        # in global their certificates are not checked. BIP1/BIP2 are
        # redaction placeholders in this post.
        server          bk1 BIP1:443 check cookie s1 maxconn 2000 ssl
        server          bk2 BIP2:443 check cookie s2 maxconn 2000 ssl
      


backend per_ip_rates
    # Keyed by client IP; stores only gpc0 and its 30 s rate. It does NOT
    # store http_req_rate, which the frontend's
    # sc_http_req_rate(0,per_ip_rates) condition tries to read.
    stick-table type ip size 1m expire 24h store gpc0,gpc0_rate(30s)

backend per_ip_rates_on_24
    # Keyed by client IP; 24 h request rate read by the exceeds_limit ACL
    # (gt 400). Only 100k entries, so under heavy scanning the oldest
    # entries are presumably evicted before they expire -- verify if the
    # daily limit seems to reset early.
    stick-table type ip size 100k expire 24h store http_req_rate(24h)


# HAProxy web ui
listen stats
        # NOTE(review): the stats UI is bound on every interface with no
        # "stats auth" and no src restriction, and "stats admin if TRUE"
        # exposes the server enable/disable actions to anyone who can reach
        # TCP/20936. At minimum bind it to a management address, and gate the
        # admin form behind an ACL or "stats auth <user>:<password>".
        bind 0.0.0.0:20936
        mode http
        log global

        maxconn 10
        timeout client 100s
        timeout server 100s
        timeout connect 100s
        timeout queue 100s

        stats enable
        stats uri /haproxy?stats
        # The realm is only presented when "stats auth" is configured; it has
        # no effect here.
        stats realm HAProxy\ Statistics
        stats admin if TRUE
        stats show-node

Whitelist-agent.acl

# Source-IP ranges loaded by the "WhitelistAgent" ACL (a src match, not a
# User-Agent match). One CIDR per line.
66.249.64.0/19
13.66.139.0/24
# NOTE(review): host bits are set here; HAProxy presumably treats this as
# 64.68.90.0/24, but writing the network address avoids the ambiguity.
64.68.90.1/24
40.77.167.0/24
# Duplicate of the 13.66.139.0/24 entry above.
13.66.139.0/24
157.55.39.0/24

Well, deactivating ModSecurity in the backend resolved the issue. This was not a problem with HAProxy: the 403 log lines above name dynamic/vm028 as the serving server, so the backend was returning the 403, not the HAProxy rules.
