TCP with ACL possible?

Hi,

Is it possible to route/proxy in mode tcp in some way similar to mode http with ACL rules?

We are short on public IP addresses and we want to route the requests to private IPs depending on the header. I am aware that with the tcp mode we cannot use hdr(host). I am giving the example to visualize it.

Can it be done with a workaround or by any other Linux-based application?

For example:
mode tcp
option tcplog

bind *:1935

acl host_t01 hdr(host) -i t01.domain.com
acl host_t02 hdr(host) -i t02.domain.com
acl host_t03 hdr(host) -i t03.domain.com

use_backend backend_t01 if host_t01
use_backend backend_t02 if host_t02
use_backend backend_t03 if host_t03

Thanks

You should be able to do this by using “mode http” on the frontend and “mode tcp” on the backend.

I’m about 2.5 years late to the party, and maybe things have changed since this question was asked - but YES!!! IT IS POSSIBLE!

I have a use-specific example config, it may give someone a good idea of how to abuse ACLs with tcp. It’s on a third party site, hope I don’t get whacked for it: https://www.spigotmc.org/threads/obscure-corner-for-obscure-conf-file.345414/

It’s using static offsets, which is for a specific client in a specific software release. While this works for the use-case in that forum (content-switching certain specific mining clients I guess), it cannot generally work with browsers.

Yes, but I was answering the question as asked. And since this was one of the very first results I found when looking to solve my issue, I felt it prudent to add my solution in case others find this thread while looking for something more similar to what I needed.

Thank you for pointing out that this is not a general-use solution, in case others missed that :smiley:

Your rules did not work for me :slight_smile: Do you have any idea? I’m in a DMZ network and want to proxy some requests to a TCP backend and route the TCP traffic based on subdomain or host header.

####### start of tcp acl ###########

acl db_backyard req.payload(5,16) -m sub db.backyard.xxxxx.com
tcp-request content accept if db_backyard
use_backend bk_db_datyar if db_backyard

backend bk_db_datyar
mode tcp
server a 192.168.66.21:32127

##########################################
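
An added example, not written by any poster in this thread: a small Python model of what `req.payload(offset,length)` combined with `-m sub` can see, assuming the documented semantics (a byte slice of the request buffer, then a substring test). The two client packets are constructed; they show that a 16-byte window can never contain the 21-character pattern from the last post, and that a static offset only holds for clients whose first packet has the same layout.

```python
"""Model of HAProxy req.payload(offset,length) with '-m sub' (added example)."""

HOST = "db.backyard.xxxxx.com"          # pattern as posted above (21 characters)

# Constructed first packets from two hypothetical clients: same hostname,
# but a different number of protocol bytes in front of it.
CLIENT_A = bytes(5) + HOST.encode() + b"\x00tail"
CLIENT_B = bytes(9) + HOST.encode() + b"\x00tail"


def payload_window(buf: bytes, offset: int, length: int) -> bytes:
    """Bytes the fetch returns: `length` bytes from `offset`, or to the end if length is 0."""
    return buf[offset:] if length == 0 else buf[offset:offset + length]


def acl_matches(buf: bytes, offset: int, length: int, pattern: str) -> bool:
    """'-m sub' succeeds when the pattern occurs anywhere inside the window."""
    return pattern.encode() in payload_window(buf, offset, length)


def can_ever_match(length: int, pattern: str) -> bool:
    """A fixed-length window shorter than the pattern cannot contain it."""
    return length == 0 or length >= len(pattern.encode())


def fixed_window(samples, pattern: str):
    """Smallest static (offset, length) containing the pattern in every sample.

    Returns None when any sample lacks the pattern, i.e. no static window exists.
    """
    needle = pattern.encode()
    starts = [s.find(needle) for s in samples]
    if min(starts) < 0:
        return None
    offset = min(starts)
    return offset, max(starts) + len(needle) - offset


if __name__ == "__main__":
    print("16-byte window can match:", can_ever_match(16, HOST))
    print("client A, (5,16):", acl_matches(CLIENT_A, 5, 16, HOST))
    print("client A, (5,21):", acl_matches(CLIENT_A, 5, 21, HOST))
    print("client B, (5,21):", acl_matches(CLIENT_B, 5, 21, HOST))
    print("window for both:", fixed_window([CLIENT_A, CLIENT_B], HOST))
```

In HAProxy itself, content rules in the frontend also need a `tcp-request inspect-delay` so that the buffer holds data before the ACL is evaluated.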