First of all I have to thank you for HAProxy. I also want to explain that this is a crosspost - the other post is here (https://serverfault.com/questions/988721/require-a-http-authentication-only-for-connections-from-outside-my-lan-in-haprox ) but hasn’t received an answer yet, so I thought I might ask in a community that is more specialised!
My frontend contains these lines to require HTTP authentication:
# Authentication
acl ValidOctoPrintUser http_auth(OctoPrintUsers)
http-request auth realm octoprint if !ValidOctoPrintUser
Now I want this authentication only for connections from outside of my LAN. Inside my LAN access should be granted without authentication.
I succeeded in doing this for a single IP address like this:
# Authentication
acl ValidOctoPrintUser http_auth(OctoPrintUsers)
# Exclude internal IPs from Authentication
acl InternalIP src -i 192.168.0.123
http-request auth realm octoprint if !InternalIP !ValidOctoPrintUser
However, I cannot manage to do this for a range of IP addresses (like 192.168.0.[100-250] or a little less specific 192.168.0.*).
Can you point me to a way to do this? Or is there even a better way to identify requests coming from inside my LAN?
Specify the subnet mask:
acl InternalIP src -i 192.168.0.0/24
This did indeed work!
Thank you @lukastribus .
Sorry for my lack of understanding, but what does the subnet mask do in this respect, or why does it help to specify it? Maybe there is a link that explains it?
Sorry, I don’t know a lot about networks, but I want to learn!
It’s a bitmask: /24, or written in another way 255.255.255.0, indicates which part of the IP address belongs to the network as opposed to the host part.
For example:
10.0.0.0/24 indicates a network of 256 addresses in total, from 10.0.0.0 to 10.0.0.255.
10.0.0.0/16 indicates a network of 65536 addresses in total, from 10.0.0.0 to 10.0.255.255.
The ACL matching works exactly the same. By specifying a mask you are referring to an entire IP subnet.
Here is some more theory about it:
A subnetwork or subnet is a logical subdivision of an IP network. The practice of dividing a network into two or more networks is called subnetting.
Computers that belong to a subnet are addressed with an identical most-significant bit-group in their IP addresses. This results in the logical division of an IP address into two fields, the network number or routing prefix and the rest field or host identifier. The rest field is an identifier for a specific host or network interface.
The rout...
Classless Inter-Domain Routing (CIDR /ˈsaɪdər, ˈsɪ-/) is a method for allocating IP addresses and IP routing. The Internet Engineering Task Force introduced CIDR in 1993 to replace the previous addressing architecture of classful network design in the Internet. Its goal was to slow the growth of routing tables on routers across the Internet, and to help slow the rapid exhaustion of IPv4 addresses.
IP addresses are described as consisting of two groups of bits in the address: the most significant...
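To make the bitmask explanation concrete, here is an added worked example (not code from the thread or from HAProxy itself) that implements the same prefix-match that an HAProxy `src` ACL performs: the source address and the network address are both ANDed with the mask derived from the prefix length, and the ACL matches when the results are equal. It also evaluates the thread's rule `http-request auth realm octoprint if !InternalIP !ValidOctoPrintUser` over a few constructed sample requests, so you can see that 192.168.0.0/24 exempts the whole LAN while 192.168.0.123 (an implicit /32) exempts only that one host. The function names and the sample addresses are my own; 203.0.113.x is a documentation range used here as a stand-in for "somewhere on the internet".

```python
import ipaddress  # used only to cross-check the hand-rolled arithmetic


def ip_to_int(ip: str) -> int:
    """Pack a dotted-quad IPv4 string into a 32-bit integer."""
    octets = [int(x) for x in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a valid IPv4 address: {ip!r}")
    a, b, c, d = octets
    return (a << 24) | (b << 16) | (c << 8) | d


def int_to_ip(n: int) -> str:
    """Unpack a 32-bit integer back into dotted-quad notation."""
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_mask(prefix_len: int) -> int:
    """/24 -> 0xFFFFFF00: the top prefix_len bits set, the host bits cleared."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    return (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF


def mask_to_dotted(prefix_len: int) -> str:
    """Show the mask the way the thread writes it: /24 == 255.255.255.0."""
    return int_to_ip(prefix_to_mask(prefix_len))


def parse_cidr(cidr: str) -> tuple[int, int]:
    """Split '192.168.0.0/24' into (network int, mask int). No '/len' means /32."""
    net, _, plen = cidr.partition("/")
    mask = prefix_to_mask(int(plen) if plen else 32)
    return ip_to_int(net) & mask, mask


def in_subnet(src_ip: str, cidr: str) -> bool:
    """The test an HAProxy 'acl X src <cidr>' performs: compare the network bits only."""
    network, mask = parse_cidr(cidr)
    return (ip_to_int(src_ip) & mask) == network


def subnet_range(cidr: str) -> tuple[str, str, int]:
    """Return (first address, last address, address count) covered by a CIDR block."""
    network, mask = parse_cidr(cidr)
    last = network | (~mask & 0xFFFFFFFF)  # flip the host bits to all ones
    return int_to_ip(network), int_to_ip(last), last - network + 1


def auth_required(src_ip: str, has_valid_credentials: bool,
                  internal_cidr: str = "192.168.0.0/24") -> bool:
    """Mirror 'http-request auth ... if !InternalIP !ValidOctoPrintUser'.

    HAProxy ANDs the two negated ACLs, so a challenge is sent only when the
    client is outside the internal range AND did not present valid credentials.
    """
    internal = in_subnet(src_ip, internal_cidr)
    return (not internal) and (not has_valid_credentials)


def cross_check(src_ip: str, cidr: str) -> bool:
    """Agree with the standard library's own containment test (sanity check)."""
    expected = ipaddress.ip_address(src_ip) in ipaddress.ip_network(cidr, strict=False)
    return in_subnet(src_ip, cidr) == expected


if __name__ == "__main__":
    print("/24 as dotted mask:", mask_to_dotted(24))
    for block in ("10.0.0.0/24", "10.0.0.0/16"):
        print(block, "covers", subnet_range(block))
    # Constructed sample requests: (source address, presented valid credentials?)
    samples = [("192.168.0.50", False), ("192.168.0.123", False),
               ("192.168.1.5", False), ("203.0.113.7", False), ("203.0.113.7", True)]
    for rule in ("192.168.0.123", "192.168.0.0/24"):
        print(f"\nInternalIP src {rule}")
        for ip, creds in samples:
            print(f"  {ip:<14} creds={creds!s:<5} -> challenge: {auth_required(ip, creds, rule)}")
```

Note that `src` is the address of the TCP peer that connected to HAProxy; if another proxy or a NAT device sits in front of it, every client will appear to come from that device's address, and a private-range exemption would then apply to everyone it forwards.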