Is there something like Apache "deny from ip" in haproxy?

Kyle Brandt
Marcin

1 Answer
You can drop an IP at the tcp level by creating an ACL and then using connection reject if the ACL is matched:

    acl bad_ip src 10.10.10.0
    tcp-request connection reject if bad_ip

You could also set up a 403 backend and send them to that if you want to do it at the HTTP level:

    frontend foo
            ...
            acl bad_ip src 10.10.10.0
            use_backend bad_guy if bad_ip
    ...

    backend bad_guy
            mode http
            errorfile 403 /etc/haproxy/errors/403.http
            # a backend with no servers answers 503; deny here so the 403 errorfile is served
            http-request deny

These ACLs can be pretty flexible, and you can make it so multiple conditions within an ACL, or multiple ACLs within the action have to be met. More at http://haproxy.1wt.eu/download/1.5/doc/configuration.txt.

Læti
Kyle Brandt
  • You only need a separate backend if you want to use a custom 403 error page. Otherwise, you can get away with "http-request deny if bad_ip" – sh-beta Aug 31 '11 at 16:15
  • Do you know of a way to read the IPs from a more flexible store, like a db or separate flat file? – UpTheCreek Mar 30 '13 at 15:03
  • That backend bad_guy doesn't work as expected: since it has no defined servers, it is considered "down" and will always return 503 - service not available. I just found you can just write "block if bad_ip" in the frontend configuration and it will throw the 403 page properly. EDIT: http-request deny if bad_ip works as advertised by @sh-beta - essentially does the same thing, but maybe just for HTTP requests? – Dalibor Filus Jul 25 '13 at 14:20
  • There is another slight difference between block and http-request deny and that's this: "a 'block' rule placed after a 'use_backend' rule will still be processed before." – Dalibor Filus Jul 25 '13 at 14:25
  • If you give a "bad" guy a 403 then he knows that he is blocked and will look for another vector. If you give a "bad" guy a 503 then he thinks he successfully caused a DOS and stops the attack. Course he may figure it out but it will take him a lot longer. –  Oct 16 '13 at 05:04
  • How can that be used for many IPs? Is it just a comma list? – IanVaughan Dec 15 '16 at 10:25
  • @IanVaughan you can use the following: `acl bad_list src -f /etc/haproxy/some-file-with-ips.list` and `tcp-request connection reject if bad_list` – erPe Dec 04 '17 at 10:37
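The three blocking styles discussed in the answer and the comments (connection-level reject from a file of addresses, `http-request deny`, and a custom-403 backend that does not fall into the empty-backend 503 trap) put together in one configuration. This is an added example, not the answer's own config; the bind port, the backend server, the list file path and the example addresses are assumptions.

```haproxy
# Added example; ports, addresses and file paths below are assumed placeholders.
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend web
    bind *:80

    # Connection-level block: matched clients are dropped before any HTTP
    # parsing. The file holds one IP or CIDR network per line, so a long list
    # stays out of the main config and can be regenerated from another source.
    acl blocked_src src -f /etc/haproxy/blocked_ips.lst
    tcp-request connection reject if blocked_src

    # HTTP-level block with HAProxy's built-in 403 (no extra backend needed).
    acl bad_ip src 203.0.113.7
    http-request deny if bad_ip

    # HTTP-level block routed to a backend that serves a custom 403 page.
    acl bad_net src 198.51.100.0/24
    use_backend blocked_page if bad_net

    default_backend app

backend app
    server app1 127.0.0.1:8080 check

backend blocked_page
    # A backend with no servers is "down" and would answer 503, not 403.
    # An unconditional deny here returns 403 and picks up the errorfile.
    errorfile 403 /etc/haproxy/errors/403.http
    http-request deny
```

Validate the result with `haproxy -c -f <config>` before reloading; `http-request` rules in a frontend are evaluated before `use_backend` rules regardless of their position in the section.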