Is there something like Apache "deny from ip" in haproxy?
Asked
Active
Viewed 2.9k times
1 Answers
23
You can drop an IP at the tcp level by creating an ACL and then using connection reject if the ACL is matched:
acl bad_ip src 10.10.10.0
tcp-request connection reject if bad_ip
You could also set up a 403 backend and send them to that if you want to do it at the HTTP level:
frontend foo
...
acl bad_ip src 10.10.10.0
use_backend bad_guy if bad_ip
...
backend bad_guy
mode http
errorfile 403 /etc/haproxy/errors/403.http
These ACLs can be pretty flexible, and you can make it so multiple conditions within an ACL, or multiple ACLs within the action have to be met. More at http://haproxy.1wt.eu/download/1.5/doc/configuration.txt .
Læti
- 2,075
- 21
- 33
Kyle Brandt
- 82,107
- 71
- 302
- 444
-
5You only need a separate backend if you want to use a custom 403 error page. Otherwise, you can get away with "http-request deny if bad_ip" – sh-beta Aug 31 '11 at 16:15
-
1Do you know of way to read the ips from a more flexible store, like db or seperate flat file? – UpTheCreek Mar 30 '13 at 15:03
-
1That backend bad_guy doesn't work as expected, since it has no defined servers, it is considered "down" and will always return 503 - service not available. I just fould you can just write "block if bad_ip" to frontend configuration and it will throw 403 page properly. EDIT: http-request deny if bad_ip works as advertised by @sh-beta - essentially does the same thing, but maybe just for http requests? – Dalibor Filus Jul 25 '13 at 14:20
-
There is another slight difference between block and http-request deny and that's this: "a 'block' rule placed after a 'use_backend' rule will still be processed before." – Dalibor Filus Jul 25 '13 at 14:25
-
2If you give a "bad" guy a 403 then he knows that he is blocked and will look for another Vector. If you give a "bad" guy a 503 ..hen he thinks he successfully caused a DOS and stops the attack.. Course he may figure it out but it will take him a lot longer. – Oct 16 '13 at 05:04
-
How can that be used for many ips? Is it just a comma list? – IanVaughan Dec 15 '16 at 10:25
-
1@IanVaughan you can use the following `acl bad_list src -f /etc/haproxy/some-file-with-ips.list tcp-request connection reject if bad_list – erPe Dec 04 '17 at 10:37