Redirect to backend comparing requests and host in a file

Hi, I have a file, /etc/haproxy/deny_hosts.txt,antiddos

I want to have a first acl:
acl acl_antiddos hdr(Host),map_dom(/etc/haproxy/deny_hosts.txt,antiddos) -m found
use_backend antiddos if acl_antiddos

If a host exists in deny_hosts.txt, the frontend forwards to the backend antiddos.

But it isn’t working:

frontend www-h2-https
  mode http
  maxconn 40000
  bind *:443 accept-proxy ssl crt /opt/certs alpn h2,http/1.1
  http-request add-header X-Forwarded-Proto https if { ssl_fc }

  # acl
  acl acl_antiddos hdr(Host),map_dom(/etc/haproxy/deny_hosts.txt,antiddos) -m found
  acl acl_panel_h2 hdr(host) -m reg -i ^app.[^\.]*\.com\.br$ ^app-[^\.].[^\.]*\.com\.br$ !^api.[^\.]*\.com\.br$ !^api-[^\.].[^\.]*\.com\.br$
  acl acl_api_h2 hdr(Host) -m reg -i ^api.[^\.]*\.com\.br$ ^api-[^\.].[^\.]*\.com\.br$ !^app\.[^\.]*\.com\.br$ !^app-[^\.].[^\.]*\.com\.br$
  acl acl_store_h2 hdr(Host) -m reg -i ^[^\.]+\.lojaintegrada\.com\.br$ !^app\.[^\.]*\.com\.br$ !^app-[^\.].[^\.]*\.com\.br$ !^api.[^\.]*\.com\.br$ !^api-[^\.].[^\.]*\.com\.br$
  
  #### Only add IP to table #####
  http-request track-sc0 src table stores-h2-backend 
  http-request track-sc1 src table panel-h2-backend if acl_panel_h2
  #### Block IP based on req/s in each table ####
  # Limit 5 req/s, table stores number of requests over 10 seconds, limit arrow to 50.
  # for i in {0..30}; do  curl  -s -o /dev/null  -w "%{http_code}\n" "https://DOMINIO" | ts ; done
  # Throttling IP.
  http-request deny deny_status 429 if { sc_http_req_rate(0,stores-h2-backend) gt 50 } or { sc_http_req_rate(1,panel-h2-backend) gt 50 }

  # redirect
  # Backend AntiDDoS
  use_backend antiddos if acl_antiddos
  #
  use_backend api-h2-backend     if acl_api_h2
  use_backend panel-h2-backend   if acl_panel_h2

  # send to http2 backend if speaks alpn
  use_backend stores-h2-backend if { ssl_fc_alpn -i h2 } or  acl_store_h2
  # or send to default backend
  default_backend store-backend

Can someone help me?

Not sure you are using the right config.

map_dom expects a map file with a domain and the backend to use.

If your file is just a list of domains, you can try to write your acl like

acl acl_antiddos hdr(Host) -f /etc/haproxy/deny_hosts.txt,antiddos
use_backend antiddos if acl_antiddos

Hi, thank you for your help.
I’ve tried it but I get this error:

[ALERT] (2180) : parsing [/etc/haproxy/haproxy.cfg:124] : error detected while parsing ACL 'acl_antiddos' : failed to open pattern file </etc/haproxy/deny_hosts.txt,antiddos>.

/etc/haproxy/deny_hosts.txt:
www.vanessamello.test.com antiddos

How must the file be written?

OK,

So it looks like your file is a map file. If you want all domains redirected to the same backend, I would go with a file acl (just need to delete the 2nd column in your file).

If you really want to go with map file you can have a look here https://www.haproxy.com/fr/blog/how-to-map-domain-names-to-backend-server-pools-with-haproxy/

And try something like this:

use_backend %[req.hdr(host),lower,map_dom(/etc/haproxy/deny_hosts.txt,antiddos)]

It looks like when you are using a map file, there is no need to define an acl. Be careful that antiddos is set as default value so if there is no match, this is the backend that will get the request.


I almost did the same:

use_backend %[req.hdr(host),lower,map_dom(/etc/haproxy/deny_hosts.txt,default)]

I made a list mapping domain to backend antiddos, and if the domain does not appear in the list, I redirect to default.

Thank you for your help.
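To make the difference between the two suggestions in this thread concrete (the `-f` list ACL with exact host match, versus `map_dom()` with a default backend), here is an added Python emulation of HAProxy's map-file parsing, its "dom" matching rule, and the `use_backend %[req.hdr(host),lower,map_dom(file,default)]` routing line. This is example code written for this page, not HAProxy's own code; the map content is constructed to mirror the file shown above, and the `route`/`acl_f_match` helpers are hypothetical names.

```python
"""Emulate HAProxy map_dom() routing and the ACL '-f' exact-string list check.

Added example, not HAProxy code. The map below is constructed to mirror the
two-column file from the thread ("<domain> <backend>" per line).
"""

# Constructed map file content (hypothetical sample data).
DENY_HOSTS_MAP = """\
# hosts that must be sent to the scrubbing backend
www.vanessamello.test.com antiddos
example.test.com antiddos
"""


def parse_map(text):
    """Parse a two-column HAProxy-style map file into {key: backend}.

    Blank lines and '#' comments are skipped; file order is preserved
    because map_dom() tries patterns in the order they appear.
    """
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"map line needs two columns: {raw!r}")
        table[parts[0]] = parts[1].strip()
    return table


def dom_match(pattern, sample):
    """HAProxy 'dom' matching: the pattern must appear in the sample as a
    whole dot-delimited run. 'test.com' matches 'www.test.com', 'test.com'
    and also 'test.com.br', but not 'mytest.com'."""
    start = 0
    while True:
        idx = sample.find(pattern, start)
        if idx == -1:
            return False
        end = idx + len(pattern)
        left_ok = idx == 0 or sample[idx - 1] == "."
        right_ok = end == len(sample) or sample[end] == "."
        if left_ok and right_ok:
            return True
        start = idx + 1


def map_dom(table, sample, default=None):
    """Equivalent of sample,map_dom(file,default): first matching key wins,
    otherwise the default value (None when no default was given)."""
    for key, backend in table.items():
        if dom_match(key, sample):
            return backend
    return default


def route(host_header, table):
    """use_backend %[req.hdr(host),lower,map_dom(file,default)]

    Lowercases the Host header first, exactly as the ',lower' converter does,
    so 'WWW.Example.test.com' still hits a lowercase map key.
    """
    return map_dom(table, host_header.lower(), default="default")


def acl_f_match(host_header, deny_list):
    """acl acl_antiddos hdr(Host) -f deny_hosts.txt  (one-column list):
    a plain string sample uses exact match, so subdomains are NOT caught."""
    return host_header in deny_list


if __name__ == "__main__":
    table = parse_map(DENY_HOSTS_MAP)
    for host in ("www.vanessamello.test.com", "a.www.vanessamello.test.com",
                 "shop.example.com", "WWW.VanessaMello.test.com"):
        print(f"{host:32} map_dom -> {route(host, table):9} "
              f"-f list -> {acl_f_match(host, list(table))}")
```

Two things worth noticing when running this: the map route sends every unlisted host to `default`, so the default argument really is the catch-all the second reply warns about, and "dom" matching is looser than the exact match of a `-f` list, so a key like `test.com` also captures `test.com.br` and any subdomain.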