Trying to figure out if there is a way to reload a blacklist of ips that HA uses to block without having to do a full reload of HAProxy.
I have many frontends and in all of them is the following:
acl white_list src -f /etc/haproxy/http-request.white
acl abuseipdb src -f /etc/haproxy/abuseipdb-100.black
http-request allow if white_list
http-request deny deny_status 403 if abuseipdb
I pull the abuseipdb list from an external source to keep it up to date. All good, but to get that update live I also have to reload HAProxy. I’m hoping there is some way via the API to just reload the contents of this file. Any ideas?
First question, what’s wrong with reloading? On Debian-based systems running HAProxy 2.2+ (maybe 2.0+, but I’d have to look that up to be certain), service haproxy reload will ask HAProxy to reload without interrupting existing connections. I do something very similar with IP lists, and I reload several times a day on a cron without experiencing any issues.
A reload does work and is mostly fine. But we have stick tables too that block on IP counts, and those drain on a reload. While not the end of the road, it does leave a 30s window where those have to build back up after a reload.
Reloading will also reload all servers from your backend definitions, ignoring any states (like disabled), as well as resetting your statistics. It seems like the Data Plane API should be able to reload an ACL, but I'm not exactly sure how this works.
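An added example (not from any poster in this thread) of pushing the downloaded list into the running process through the runtime stats socket, so no reload is needed and the stick tables, server states and statistics mentioned above are left alone. It assumes HAProxy 2.4 or later (versioned `prepare acl` / `commit acl`), a `stats socket /run/haproxy/admin.sock level admin` line in the `global` section, and `socat`; the file path and socket path are placeholders for your own.

```shell
#!/bin/sh
# Added example: refresh a file-backed ACL in a running HAProxy through the
# runtime API instead of reloading the process, so stick tables are untouched.
# Assumptions: HAProxy 2.4+ (versioned "prepare acl"/"commit acl"), a
# "stats socket /run/haproxy/admin.sock level admin" line in the global
# section, and socat installed. The ACL name on the runtime API is the exact
# file path used with "-f" in the config, so pass that same path here.
ACL_FILE=/etc/haproxy/abuseipdb-100.black
SOCK=/run/haproxy/admin.sock

# Send one runtime-API command over the socket and print HAProxy's reply.
hap_cmd() {
  printf '%s\n' "$1" | socat stdio "unix-connect:$2"
}

# Emit the commands that populate ACL version $2 from file $1 and then
# atomically swap it in: one "add acl @ver" per entry (comments and blank
# lines skipped, first field only) followed by "commit acl @ver".
acl_update_commands() {
  file="$1"; ver="$2"
  awk -v f="$file" -v v="$ver" \
    'NF && $1 !~ /^#/ { printf "add acl @%s %s %s\n", v, f, $1 }' "$file"
  printf 'commit acl @%s %s\n' "$ver" "$file"
}

# Full update: prepare a new version, fill it, commit. Until the commit,
# traffic is still matched against the old entries, so a half-pushed list
# is never visible. Returns non-zero if HAProxy refused the prepare step.
push_acl() {
  file="$1"; sock="${2:-$SOCK}"
  ver=$(hap_cmd "prepare acl $file" "$sock" | sed -n 's/^New version created: //p')
  if [ -z "$ver" ]; then
    echo "prepare acl failed for $file (is $sock an admin-level socket?)" >&2
    return 1
  fi
  # One connection per command: the socket closes after each non-interactive command.
  acl_update_commands "$file" "$ver" | while IFS= read -r cmd; do
    hap_cmd "$cmd" "$sock" >/dev/null
  done
}

# Run after the downloaded list has been written, e.g. from the same cron job:
#   ./refresh-acl.sh --push
if [ "${1:-}" = "--push" ]; then
  push_acl "$ACL_FILE" "$SOCK"
fi
```

The white list can be refreshed the same way by passing its path; `show acl` on the socket lists the loaded files and confirms the new entries after the commit.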