Restricting URLs to an IP range

flea · October 25, 2023, 8:13pm

Hey folks,

I’ve got three web servers balanced by two HAProxy servers that all need to be accessible to anyone on the internet. There’s an admin login page at a separate URL (essentially cloud.domain.com and cloud.domain.com/admin). I’d like that admin page only accessible by people on-prem or on our VPN (basically anyone with a 10...* address) to increase security.

I tried setting that to be true from the web servers themselves, but since all the connections are being made by the HAProxy servers (which sit on the 10...* subnet), it just passes all traffic along.

Has anyone had any experience with this? Thank you in advance

randomguy · October 25, 2023, 9:05pm

You should be able to use something like this. This is only based on the uri but you can write another acl to check the hostname if needed.

http-request deny if { path -i -m beg /admin } !{ src -f /etc/hapee-2.8/whitelist.lst }

:/etc/hapee-2.8$ cat /etc/hapee-2.8/whitelist.lst
17.1.1.1/32
17.1.1.2/32
1.1.0.0/16

flea · October 25, 2023, 10:31pm

That’s worked perfectly, thank you so much!

Topic		Replies	Views
Haproxy acl to block ips and host header Help!	2	2235	December 17, 2020
Cannot restrict traffic, how to http-request deny allow !path \|\| !path2 !networks Help!	1	1477	April 22, 2021
Haproxy acl on ip range with ip from header instead of src Help!	4	2080	January 6, 2021
How do I setup acls to split a server by directory Help!	2	1238	June 13, 2018
HaProxy ACL - internal IP addresses Help!	2	502	March 18, 2021

Restricting URLs to an IP range

Related Topics