pfSense custom ACL whitelist IP alias backend specific block reject others

I am looking for a way to allow access to certain backends only to certain IP addresses or networks. I am trying to find information that shows/tells how to do this.

More info:
I have 10+ backends configured, and I have a shared HTTPS front end with SSL offloading. I have all the additional certificates added and "Add ACL for certificate subject alternative names" checked.

Each website's front end uses the shared HTTPS front end and has a very simple Access Control List.

name: mysite.com   expression: Host Matches   value: mysite.com

Then below, in Actions:

Action: Use Backend   ACL: mysite.com   Backend: mysite.com

This setup has been great because it ties in nicely with pfSense ACME certificates. Previously I did all of this on an nginx reverse proxy; this is much simpler.

On the frontend access control list I am using "Host Matches", but I can see that I could change that to "Source IP matches IP or Alias".

Unfortunately I am not sure how to combine the two ("Host Matches" AND "Source IP matches IP or Alias"). I have searched Google, Reddit, and this forum, and there have not been any clear-cut examples of how to accomplish this.

My understanding so far is that I would go to the HAProxy main "Settings" tab, scroll to the bottom and add some custom code to the Global Advanced pass thru.

The other problem I am faced with is that most of the IP filtering I have seen appears to use mode: TCP, but my front end is using mode: HTTP, so it may not be compatible code…

I REALLY REALLY appreciate any help if anyone can give some pointers, examples, or snippets.


Thank you @daruom13, works like a charm. I did not realize you could specify more than one ACL below in the action group like that.

With pleasure. I also had some problems on this part when I started with HAProxy.


For anyone else that finds this post looking for the solution, here are the basics.

On your frontends, define more than one ACL, such as:

host1           host matches:                      host1.example.com
adminIPs        Source IP matches Ip or Alias:     111.222.333.444

In the above we have two ACLs, host1 and adminIPs. For adminIPs you can reference a pfSense alias instead of hard-coding an IP if you need it to apply to more than one IP.

Now below, for the Action:

action: Use Backend
acl names: adminIPs host1
backend: host1.example.com

By defining both ACLs it should only forward to the backend if both ACLs are true.

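The raw HAProxy configuration that the two-ACL rule in the post above corresponds to (and that answers the original question's "Host Matches" AND "Source IP matches" combination and its mode http concern), written as an added example that is not the pfSense package's generated output nor any poster's config. The frontend and backend names, the certificate path, the 192.0.2.0/24 admin range and the 10.0.0.10 server address are assumed placeholders.

```haproxy
# Added example, not generated by pfSense: names, paths and addresses are assumed.
frontend shared_https
    bind *:443 ssl crt /var/etc/haproxy/shared_https.pem   # assumed certificate path
    mode http            # src ACLs work in mode http too; they read the TCP peer address

    # ACL "host1": the Host header of the (already TLS-offloaded) request
    acl host1    hdr(host) -i host1.example.com
    # ACL "adminIPs": client source address inside the admin range (or pfSense alias)
    acl adminIPs src 192.0.2.0/24

    # Non-admin clients asking for host1 get an explicit 403 instead of silently
    # falling through to default_backend (or a 503 when no default exists).
    # http-request rules are evaluated before backend selection.
    http-request deny deny_status 403 if host1 !adminIPs

    # Several ACL names on one rule are ANDed: both must match to select the backend.
    use_backend host1_backend if host1 adminIPs

    default_backend catchall_backend

backend host1_backend
    mode http
    server host1 10.0.0.10:80 check        # constructed internal address

backend catchall_backend
    mode http
    http-request deny deny_status 403      # nothing else is served by this frontend
```

If HAProxy sits behind another proxy or a NAT hop, `src` is that hop's address rather than the real client's, so the adminIPs match must be re-checked in that topology.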