Haproxy acl – accept only from specific IPs

access-control-listhaproxy

I've got haproxy and need to provide smtp to servers which does not have direct connection.

Here is portion of my config:

listen smtp     10.12.23.10:3025
    mode tcp
    server smtp     172.30.33.12:25
    #tcp-request inspect-delay 2s
    acl white_list src 10.146.5.247 10.146.5.201
    tcp-request content accept if white_list
    tcp-request content reject

Any attempt to connect to the port are rejected. If I remove line tcp-request content reject – works for everyone, but haproxy by default accepts everything.
What is correct way of letting in only two or more servers in?

I've tried following lines as well:

tcp-request content reject unless whitelist
tcp-request content reject if !whitelist

I have haproxy 1.4.18, if helps.

Best Answer

The con below works as expected for me on haproxy 1.4.15.

listen smtp   :3025
    mode tcp
    server smtp  192.168.1.2:25
    acl white_list src 127.0.0.1 192.168.1.205
    tcp-request inspect-delay 2s
    tcp-request content accept if white_list
    tcp-request content reject

You can even remove the inspect delay line, but the clients would be rejected after the "timeout connect".

listen smtp   :3025
    mode tcp
    server smtp  192.168.1.2:25
    acl white_list src 127.0.0.1 192.168.1.205
    timeout connect 1s
#    tcp-request inspect-delay 2s
    tcp-request content accept if white_list
    tcp-request content reject

Related Solutions

Haproxy ACL for balance on URL request

I don't know if it is an actual issue, but you don't need to escape slashes in HAProxy's regexes. Also, in your stated case, you don't even need regexes but can use simple string matchers. They are magnitudes faster than regexes. So your ACLs could look like this:

acl msg-url-3 url_beg /path/mail/
acl msg-url-4 url_beg /path/wazap/

If no server is available in a dispatched backend, HAProxy will return an HTTP 503 response. You can use errorloc or errorfile to customize the response.

But it could be that I slightly misunderstood your issue. It's not very clear what exactly is not working as expected.

Using HAProxy, matching root URL only in ACL

The answer to this was astoundingly simple of course. The ACL needed to regex match ^$|^/$|^/articles|^/blogs

Below is my conf:

global
  pidfile  /var/run/haproxy.pid
  quiet
  daemon

defaults
  mode  http
  option  httplog
  option  dontlognull
  option http-server-close
  retries 1
  maxconn 1024
  contimeout  15000
  clitimeout  60050
  srvtimeout    1200000

frontend www
  bind :80

  acl is_for_server2 path_reg ^$|^/$|^/articles|^/blogs

  use_backend server2 if is_for_server2

  default_backend server1

backend server1
  option forwardfor
  server server1 10.0.8.1 maxconn 1500

backend server2
  option forwardfor
  server server2 10.0.8.2 maxconn 1500

Best Answer

Related Solutions

Haproxy ACL for balance on URL request

Using HAProxy, matching root URL only in ACL

Related Topic