How do I load an ACL value (src) from a map (req.hdr)?
I’m trying to allow/deny traffic from specific IP networks to specific domains, without repeating ACL rules in the HAProxy config, and creating per-domain map files.
This is what I came up with:
acl ip_network_allowed src %[req.hdr(host),lower,map(/etc/haproxy/domain_ip.map)]
tcp-request connection reject if { req.hdr(host),lower,map(/etc/haproxy/domain_ip.map) -m found } ip_network_allowed
… where /etc/haproxy/domain_ip.map has the format req.hdr + space-separated IP networks:
example.com ::1
However, HAProxy apparently does not expect the %[] syntax there:
error detected while parsing ACL 'ip_network_allowed' : '%[req.hdr(host),lower,map(/etc/haproxy/domain_ip.map)]' is not a valid IPv4 or IPv6 address.
I’m unable to find in which context this syntax is supported.
Why would you need the ACL at all?
What exactly does the tcp-request rule not accomplish here that you need an ACL for?
tcp-request connection reject if { req.hdr(host),lower,map(/etc/haproxy/domain_ip.map) -m found }
I did play around with that syntax, but got blocked (pun not intended).
To begin with, this is a mode http frontend, so I used http-request deny.
Second, I read your rule as rejecting the connection when req.hdr(host) is present in the map (-m found). As I want to deny the HTTP request when it is present in the map, and the request IP address is not in the space-separated map value, I tried:
http-request deny if { req.hdr(host),lower,map(/etc/haproxy/domain_ip.map) -m found } !{ req.hdr(host),lower,map(/etc/haproxy/domain_ip.map) }
… but that matches all requests to any domain present in the map.
This is definitely PEBKAC, but I’m getting a bit lost between the starter guide, configuration manual, blog, HAPEE docs and the (new?) configuration tutorials at HAProxy documentation.
You are right, I missed that.
This will require some more tinkering to combine the two conditions, I don’t have a solution at the top of my head.
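One way to combine the two conditions without per-domain ACLs, added here as an illustration and not taken from the thread or from the HAProxy documentation. The ACL pattern side cannot be a `%[...]` expression and `-m found` only tests that the map lookup succeeded, so instead of storing networks in the domain map this example uses two maps: one that labels the client network with a group name (via `map_ip`, matched against CIDR keys) and one that gives each restricted domain the group that may reach it. The two labels are then compared with the `strcmp` converter. Both map file names, the group labels, and the frontend/backend names are assumptions; it assumes a HAProxy 2.x release where `map_ip`, `set-var` and `strcmp` are available.

```haproxy
# Added example, not from the original thread. Assumed map layouts
# (both file names and contents are hypothetical):
#   /etc/haproxy/ip_group.map      CIDR key  -> group label
#       10.0.0.0/8   corp
#       ::1          corp
#       203.0.113.0/24  partner
#   /etc/haproxy/domain_group.map  hostname  -> group label
#       example.com      corp
#       partner.example  partner
frontend www
    mode http
    bind :80

    # Label the client network once per transaction. Clients that match
    # none of the CIDR keys get the literal default "none".
    http-request set-var(txn.src_group) src,map_ip(/etc/haproxy/ip_group.map,none)

    # Deny when the Host is listed in the domain map AND its group label
    # differs from the client's group. strcmp() returns 0 on equality, so
    # "eq 0" is the allow case and the negated block is the deny case.
    # Hosts absent from the domain map are not restricted at all.
    http-request deny deny_status 403 if { req.hdr(host),lower,map(/etc/haproxy/domain_group.map) -m found } !{ req.hdr(host),lower,map(/etc/haproxy/domain_group.map),strcmp(txn.src_group) eq 0 }

    default_backend app

backend app
    mode http
    server app1 127.0.0.1:8080
```

A group may cover as many networks as you like by listing several CIDR lines with the same label in the IP map; the trade-off is that each domain maps to exactly one group rather than to an arbitrary list of networks. Two checks before relying on it: `src` is the peer address of the TCP connection, so behind another proxy or load balancer it will be that device's address unless the PROXY protocol or a trusted forwarded-for header is used, and `req.hdr(host)` keeps any `:port` suffix, which then has to be present in the domain map key as well.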