HAProxy community

TCP with ACL possible?


#1

Hi,

Is it possible to route/proxy mode tcp someway similar to mode http with ACL rules?

We are short on public IP addresses and we want to route the requests to to private IPs depending on the header. I am aware that with the tcp mode we cannot use hdr(host). I am giving the example to visualize it.

Can it be done with a workaround or by any other linux based application?

For example:
mode tcp
option tcplog

bind *:1935

acl host_t01 hdr(host) -i t01.domain.com
acl host_t02 hdr(host) -i t02.domain.com
acl host_t03 hdr(host) -i t03.domain.com

use_backend backend_t01 if host_t01
use_backend backend_t02 if host_t02
use_backend backend_t03 if host_t03

Thanks


#2

You should be able to do this by using “mode http” on the frontend and “mode tcp” on the backend.


#3

I’m about 2.5 years late to the party, and maybe things have changed since this question was asked - but YES!!! IT IS POSSIBLE!

I have an use-specific example config, it may give someone a good idea of how to abuse ACLs with tcp. It’s on a third party site, hope I don’t get whacked for it: https://www.spigotmc.org/threads/obscure-corner-for-obscure-conf-file.345414/


#4

It’s using static offsets, which is for a specific client in a specific software release. While this works for the use-case in that forum (content-switching certain specific mining clients I guess), it cannot generally work with browsers.