HAProxy block all IPs except a small collection (alien.top)

submitted 1 year ago by BouncyPancake@alien.top to c/main@selfhosted.forum

2 comments fedilink hide all child comments

frontend main_ssl
        bind *:443
        mode tcp
        option tcplog

        # Wait for a client hello for at most 5 seconds
        tcp-request inspect-delay 5s
        tcp-request content accept if { req_ssl_hello_type 1 }


        use_backend cloud_ssl if { req_ssl_sni -i cloud.example.com }
        use_backend rproxy_ssl if { req_ssl_sni -i assets.example.com }
        use_backend rproxy_ssl if { req_ssl_sni -i support.example.com }
        use_backend manage_ssl if { req_ssl_sni -i management.example.com }


backend cloud_ssl
        mode tcp
        balance roundrobin
        server cloud_ssl_server 10.10.5.8:443 check

backend rproxy_ssl
        mode tcp
        balance roundrobin
        server rpoxy_ssl_server 10.10.5.40:443 check

backend manage_ssl
        mode tcp
        balance roundrobin
        server manage_ssl_server 10.10.5.2:443 check

Is it possible to get 'manage_ssl' to block all IP addresses except for a small collection in a file or such?

I know that there is some documentation and quite a few Stack Overflow posts but I seem to be lacking an understanding of the syntax / format that this stuff needs to be in.

and no, I can't just block at the whole proxy level, nor can I do it at the firewall level. The other sites have to be reachable by all users, it's just one domain that needs to be blocked and IPs whitelisted for.

top 2 comments

sorted by: hot top controversial new old

[-] Dizzybro@alien.top 1 points 1 year ago

In your frontend have something like

acl is_whitelisted src -f /etc/hapee-2.6/ipwhitelists/mywhitelist

mywhitelist would contain a cidr or list of cidrs

xxx.xxx.xxx.xxx/32

and then you'd have

use_backend rproxy_ssl if is_whitelisted

[-] BouncyPancake@alien.top 1 points 1 year ago

So I don't need to do an && statment or something ?

I can just do

use_backend manage_ssl if is_whitelisted
use_backend manage_ssl if { req_ssl_sni -i management.example.com }

or would i have to do something like

use_backend manage_ssl if { req_ssl_sni -i management.example.com } && if is_whitelisted

this post was submitted on 24 Oct 2023

2 points (100.0% liked)

Self-Hosted Main

504 readers

1 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

For Example

Service: Dropbox - Alternative: Nextcloud
Service: Google Reader - Alternative: Tiny Tiny RSS
Service: Blogger - Alternative: WordPress

We welcome posts that include suggestions for good self-hosted alternatives to popular online services, how they are better, or how they give back control of your data. Also include hints and tips for less technical readers.

Useful Lists

Awesome-Selfhosted List of Software
Awesome-Sysadmin List of Software

founded 1 year ago

MODERATORS

communick@selfhosted.forum