I am looking for a way to allow access to certain backends only to certain IP addresses or networks. I am trying to find information that shows/tells how to do this.
More info:
I have 10+ backends configured, I have a shared https front end with SSL offloading. I have all the additional certificates added and the Add ACL for certificate subject alternative names checked.
The websites' front end, which uses the shared https front end, has a very simple Access Control List.
name: mysite.com expression: Host Matches value: mysite.com
Then below in actions:
Action: Use Backend ACL: mysite.com backend: mysite.com
This setup has been great because it ties in nicely with pfSense ACME certificates. Previously I did all of this on an nginx reverse proxy; this is much simpler.
On the frontend access control list I am using “Host Matches” but I can see that I could change that to “Source IP matches IP or Alias”.
Unfortunately I am not sure how to combine the two (“Host Matches” AND “Source IP matches IP or Alias”). I have searched Google, Reddit, and this forum, and there have not been any clear-cut examples of how to accomplish this.
My understanding so far is that I would go to the HAProxy main “Settings” tab, scroll to the bottom and add some custom code to the Global Advanced pass thru.
The other problem I am faced with is that most of the IP filtering I have seen appears to use mode: TCP but my front end is using mode: HTTP, so it may not be compatible code…
I REALLY REALLY appreciate any help if anyone can give some pointers, examples, or snippets.
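
One way to express the combination asked about above in plain HAProxy configuration, as an added example that is not part of the original post: a Host ACL and a source-address ACL are named on the same rule, which HAProxy evaluates as a logical AND, and these directives live in the frontend section rather than in global. The frontend name, the second hostname, the address ranges, the server lines and the certificate path are constructed placeholders.

```haproxy
# Added example: all names, paths and addresses below are constructed
# placeholders (documentation / private ranges), not values from the post.
frontend shared_https
    mode http
    bind :443 ssl crt /path/to/certs/        # placeholder certificate path

    # One Host ACL per site, as in the existing setup.
    acl host_mysite  hdr(host) -i mysite.com
    acl host_admin   hdr(host) -i admin.mysite.com

    # Source-address ACL. "src" is the peer address of the TCP connection;
    # it is available in "mode http" as well as "mode tcp".
    acl src_trusted  src 192.0.2.0/24 203.0.113.10

    # Restricted site: answer 403 when the Host matches but the source
    # is not in the trusted list ("!" negates an ACL).
    http-request deny deny_status 403 if host_admin !src_trusted

    # ACL names written side by side on one rule are ANDed:
    # Host must match AND the source must be trusted.
    use_backend admin.mysite.com if host_admin src_trusted

    # Unrestricted site keeps the Host-only rule.
    use_backend mysite.com if host_mysite

backend admin.mysite.com
    mode http
    server app1 10.0.0.21:8080 check         # placeholder server

backend mysite.com
    mode http
    server app1 10.0.0.20:8080 check         # placeholder server
```

If another proxy or CDN sits in front of HAProxy, `src` is that proxy's address rather than the visitor's, so the allow list would then match the wrong host. In the pfSense package this is assumed to correspond to adding a second ACL row of type “Source IP matches IP or Alias” and listing both ACL names on the “Use Backend” action.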