It seems that the whitelist is not working as expected on
haproxy -V
HA-Proxy version 2.0.13-2ubuntu0.1 2020/09/08 - https://haproxy.org/
the setup is the following in haproxy.cfg
acl Whitelist src -f /etc/haproxy/Whitelist.acl
http-request allow if Whitelist
I tried different versions of the file, with no success:
haproxy[6696]: 66.249.70.86:47620 [27/Feb/2021:10:51:32.539] webfront~ dynamic/vm028 0/0/0/2/2 403 2684 … “GET / HTTP/1.1”
haproxy[6696]: 66.249.64.63:36109 [27/Feb/2021:10:51:32.490] webfront~ dynamic/vm028 0/0/0/2/2 403 2739 … “GET / HTTP/1.1”
I myself can access it:
haproxy[6696]: myIP:52597 [27/Feb/2021:11:22:37.249] webfront~ dynamic/vm028 0/0/2/4/6 200 4433 ... "GET / HTTP/1.1"
First I tried
cat /etc/haproxy/Whitelist.acl
66.249.64.0/19
for the following range
NetRange: 66.249.64.0 - 66.249.95.255
CIDR: 66.249.64.0/19
Then we tried
cat /etc/haproxy/Whitelist.acl
66.249.64.0/24
66.249.65.0/24
66.249.66.0/24
66.249.68.0/24
66.249.69.0/24
66.249.70.0/24
66.249.71.0/24
66.249.72.0/24
66.249.73.0/24
66.249.74.0/24
66.249.75.0/24
66.249.76.0/24
66.249.77.0/24
66.249.78.0/24
66.249.79.0/24
66.249.80.0/24
66.249.81.0/24
66.249.82.0/24
66.249.83.0/24
66.249.84.0/24
66.249.85.0/24
66.249.86.0/24
66.249.87.0/24
66.249.88.0/24
66.249.89.0/24
66.249.90.0/24
66.249.91.0/24
66.249.92.0/24
66.249.93.0/24
66.249.94.0/24
66.249.95.0/24
Any help would be very appreciated
Thanks
I’m also facing this kind of bug.
Please provide the full configuration.
Both back-end servers (BE1, BE2) are Nginx servers with ModSecurity at their level, but nothing configured regarding bots.
I even tried defining the list inline in the config file, but with no luck.
Here is the full config and the whitelist file.
haproxy config
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
# Runtime API socket at admin level; expose-fd listeners lets a reloaded
# process inherit the listening sockets.
stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
stats timeout 30s
user haproxy
group haproxy
daemon
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
# See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
tune.ssl.default-dh-param 2048
# NOTE(review): the backend servers bk1/bk2 are reached with `ssl`, and this
# line disables verification of their certificates entirely, so the
# HAProxy-to-backend hop is exposed to interception. Prefer
# `ssl-server-verify required` together with a `ca-file` on the servers, or
# at least `verify required` per server line.
ssl-server-verify none
defaults
log global
mode http
option httplog
option dontlognull
# Bare numbers are milliseconds: 5 s connect, 50 s client/server. The
# frontend (timeout client 30s) and backend dynamic (connect/server/queue)
# below override these with explicit units.
timeout connect 5000
timeout client 50000
timeout server 50000
# Bodies served for responses HAProxy generates itself (e.g. the 403 from an
# `http-request deny`). A 403 returned by a backend server is passed through
# as-is and never uses these files.
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
frontend webfront
bind [IP]:80
bind [IP]:443 ssl crt /etc/haproxy/ssl/xxxx/ssl.pem
# The redirect is a final action and sits before every allow/deny below, so
# requests arriving on :80 never reach the ACL rules; only TLS clients do.
http-request redirect scheme https unless { ssl_fc }
mode http
log global
option httplog
option dontlognull
monitor-uri /monitoruri
maxconn 8000
timeout client 30s
# ACL definitions
# NOTE(review): three different file names appear in this thread —
# Whitelist.acl in the first post, Whitelist-cms.acl here and
# Whitelist-agent.acl on the next ACL — make sure the file being edited is
# the one HAProxy actually loads.
acl restricted_page path_beg /webcms/
acl Whitelist src -f /etc/haproxy/Whitelist-cms.acl
# 30 s gpc0 rate read from the table tracked by sc0 (per_ip_rates, see track-sc0 below)
acl exceeds_rate_limit sc_gpc0_rate(0) gt 15
# Daily request rate read from the table tracked by sc1 (per_ip_rates_on_24)
acl exceeds_limit sc_http_req_rate(1,per_ip_rates_on_24) gt 400
# Case-insensitive substring match of User-Agent against a file of patterns
acl blockedagent hdr_sub(user-agent) -i -f /etc/haproxy/blacklist.agent
# Source-address allow list (the crawler ranges pasted below as
# Whitelist-agent.acl). NOTE(review): that paste lists 13.66.139.0/24 twice
# and writes 64.68.90.1/24 with host bits set; HAProxy masks the latter to
# 64.68.90.0/24, but the entry reads oddly and is worth tidying.
acl WhitelistAgent src -f /etc/haproxy/Whitelist-agent.acl
acl badguys src -f /etc/haproxy/badguys.txt
acl IsResource path_end .css .js .png .jpeg .gif .ico
# `http-request allow` is final: a matching request skips every remaining
# http-request rule in this frontend. Sources in Whitelist-agent.acl therefore
# bypass the badguys/blockedagent denies, are never tracked in the stick
# tables and are exempt from both rate limits — keep that file limited to
# addresses that genuinely need the exemption.
http-request allow if WhitelistAgent
# Same for whitelisted sources on /webcms/. Note that restricted_page is
# never used in a deny, so nothing in this frontend blocks other sources
# from /webcms/; any restriction of that path has to come from the backend
# (confirm that this is intended).
http-request allow if Whitelist restricted_page
# Denies generated here answer 403 and are logged with webfront/<NOSRV> and
# no backend timers. The log lines quoted in this thread show dynamic/vm028
# with backend timers, so those 403s were produced by the backend server
# (ModSecurity), as the thread later concludes.
http-request deny if badguys
http-request deny if blockedagent
# track client's source IP in per_ip_rates stick table
http-request track-sc0 src table per_ip_rates unless IsResource
# Increment general-purpose counter in per_ip_rates if client
# is visiting page for the first time (sc_http_req_rate take a sc number as input)
# NOTE(review): per_ip_rates only stores gpc0,gpc0_rate(30s), not
# http_req_rate, so this fetch has nothing to read from that table; unless
# http_req_rate is added to its `store` list the condition never holds, gpc0
# never increments and exceeds_rate_limit never fires. Check with
# `show table per_ip_rates` on the admin socket.
http-request sc-inc-gpc0(0) if { sc_http_req_rate(0,per_ip_rates) eq 1 }
# Deny requests if over the rate limit
http-request deny deny_status 429 if exceeds_rate_limit
# track client's source IP in the per_ip_rates_on_24 stick table (24h request counter)
http-request track-sc1 src table per_ip_rates_on_24 unless IsResource
# Deny requests if over the daily rate limit
http-request deny deny_status 429 if exceeds_limit
default_backend dynamic
backend dynamic
mode http
balance roundrobin
retries 2
option redispatch
timeout connect 5s
timeout server 30s
timeout queue 30s
# Health check: HEAD / against each server
option httpchk HEAD /
# Sticky sessions via an inserted SERVERID cookie (values s1/s2 below)
cookie SERVERID insert indirect nocache
fullconn 4000 # the servers will be used at full load above this number of connections
# Both servers are reached over TLS; with `ssl-server-verify none` in global
# their certificates are not checked. Per the thread, the 403s seen in the
# logs were returned by these servers (ModSecurity), not by HAProxy.
server bk1 BIP1:443 check cookie s1 maxconn 2000 ssl
server bk2 BIP2:443 check cookie s2 maxconn 2000 ssl
backend per_ip_rates
# Stick table only (no servers): per-source counters for track-sc0 in webfront.
# gpc0 is bumped by sc-inc-gpc0 and gpc0_rate(30s) feeds exceeds_rate_limit.
# NOTE(review): http_req_rate is not stored here, yet webfront reads
# sc_http_req_rate(0,per_ip_rates) — see the note on that rule.
stick-table type ip size 1m expire 24h store gpc0,gpc0_rate(30s)
backend per_ip_rates_on_24
# Stick table only: 24 h request rate per source, tracked by track-sc1 in
# webfront and read by the exceeds_limit ACL.
stick-table type ip size 100k expire 24h store http_req_rate(24h)
# HAProxy web ui
listen stats
# NOTE(review): bound on every interface with no `stats auth`, and
# `stats admin if TRUE` below enables server enable/disable actions for any
# client that can reach port 20936. Restrict the bind address (or firewall
# the port), add `stats auth`, and gate `stats admin` on an ACL instead of TRUE.
bind 0.0.0.0:20936
mode http
log global
maxconn 10
timeout client 100s
timeout server 100s
timeout connect 100s
timeout queue 100s
stats enable
stats uri /haproxy?stats
stats realm HAProxy\ Statistics
stats admin if TRUE
stats show-node
Whitelist-agent.acl
66.249.64.0/19
13.66.139.0/24
64.68.90.1/24
40.77.167.0/24
13.66.139.0/24
157.55.39.0/24
Well, deactivating ModSecurity in the backend resolved the issue. This was not a problem with HAProxy; the log lines already pointed there, since they name a backend server (dynamic/vm028) with backend timers, meaning the 403 was returned by the server rather than generated by HAProxy's own http-request deny.