HAProxy community

Matching IP subnets

First of all I have to thank you for HAProxy. I also want to explain that this is a crosspost - the other post is here (https://serverfault.com/questions/988721/require-a-http-authentication-only-for-connections-from-outside-my-lan-in-haprox) but hasn't received an answer yet, so I thought I might ask in a community that is more specialised!

My frontend contains these lines to require HTTP authentication:

# Authentication
acl ValidOctoPrintUser http_auth(OctoPrintUsers)
http-request auth realm octoprint if !ValidOctoPrintUser

Now I want this authentication only for connections from outside my LAN. Inside my LAN, access should be granted without authentication.

I succeeded in doing this for a single IP address like this:

# Authentication
acl ValidOctoPrintUser http_auth(OctoPrintUsers)
# Exclude internal IPs from Authentication
acl InternalIP src -i
http-request auth realm octoprint if !InternalIP !ValidOctoPrintUser

However, I cannot manage to do this for a range of IP addresses (like 192.168.0.[100-250] or, a little less specifically, 192.168.0.*).

Can you point me to a way to do this? Or is there even a better way to identify requests coming from inside my LAN?

Specify the subnet mask:

acl InternalIP src -i

This did indeed work!

Thank you @lukastribus.

Sorry for my lack of understanding, but what does the subnet mask do in this respect, or why does it help to specify it? Maybe there is a link that explains it?

Sorry, I don’t know a lot about networks, but I want to learn!

It's a bitmask: /24, or written in another way, indicates which part of the IP address belongs to the network as opposed to the host part.

For example: indicates a network of 256 addresses in total from -; indicates a network of 65536 addresses in total from -.

The ACL matching works exactly the same. By specifying a mask you are referring to an entire IP subnet.

Here is some more theory about it:

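To illustrate the bitmask explanation above, here is an added Python example (my own, not from the thread or from HAProxy) that reproduces how a `src` ACL entry with a mask matches a whole network, and how a LAN range like 192.168.0.100-250 that is not one aligned subnet splits into several CIDR blocks. The helper names and the sample addresses are constructed for the demonstration.

```python
import ipaddress

# Constructed sample data: the trusted LAN range from the question.
LAN_FIRST = "192.168.0.100"
LAN_LAST = "192.168.0.250"


def mask_from_prefix(prefix_len: int) -> int:
    """32-bit IPv4 mask for a /prefix_len network, e.g. /24 -> 0xFFFFFF00."""
    return (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF


def hosts_covered(prefix_len: int) -> int:
    """Number of addresses selected by one entry with this mask (/24 -> 256)."""
    return 1 << (32 - prefix_len)


def src_matches(client_ip: str, acl_entry: str) -> bool:
    """The comparison behind 'acl InternalIP src <network>/<mask>':
    the client belongs to the network when the bits selected by the mask
    (the network part) are identical; the host part is ignored."""
    net = ipaddress.ip_network(acl_entry, strict=False)
    mask = mask_from_prefix(net.prefixlen)
    client = int(ipaddress.ip_address(client_ip))
    return (client & mask) == (int(net.network_address) & mask)


def cidrs_for_range(first: str, last: str) -> list[str]:
    """Smallest set of CIDR blocks exactly covering first..last.  A range
    that is not aligned to a power of two (like .100-.250) needs several
    blocks, each usable as its own 'src' value in the ACL."""
    blocks = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)
    )
    return [str(b) for b in blocks]


def is_internal(client_ip: str, cidrs: list[str]) -> bool:
    """True when the client matches any block, i.e. the ACL would be true
    and no HTTP authentication would be requested."""
    return any(src_matches(client_ip, c) for c in cidrs)


if __name__ == "__main__":
    lan = cidrs_for_range(LAN_FIRST, LAN_LAST)
    for c in lan:
        print(f"acl InternalIP src {c}")
    print(is_internal("192.168.0.150", lan), is_internal("192.168.0.99", lan))
```

Running it prints one `acl InternalIP src ...` line per block; in a real config the values could also be listed on a single `acl` line or loaded from a file, which the HAProxy documentation covers.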

Great! Thank you!