We are busy with setting up HAProxy. Almost everything is working, except setting it up without multiple sites with different acl's.
What we want:
Using HAProxy with multiple sites, all on the same IP, all with the same backends but with different IP Blockings/Username-Password protection.
What we have working:
Get incoming traffic to backend (with an acl to use https instead of http).
The situation without haproxy/varnish:
Now, we are using apache to handle the acl (allow,deny ip's and use username-password protection).
We tried to capture this through X-Forwarded-For inside apache. However, the web servers themselves can no longer communicate with each other. We had to remove the allow role for the subnet (loadbalancer and webserver are in the same subnet). With this allow, apache don't look at the x-forward-header, and will allow all traffic. Without it, the webservers cannot communicate with each other.
Does anyone have an example or mindset for us to get there?
Now: internet->firewall->apache
What we want: internet->firewall->haproxy(ssl offloading)->varnish->apache (haproxy and varnish running on the same machine)
Best Answer
There are a few ways to set this up. The most simple way would probably be with the use of some acls.
Eg.:
Defining the different websites
(I used hrd_end on the host header, so that any subdomain as well as without subdomain would match. You of course need to determine if this is also a desired condition in your case.)
Defining the allowed sources for the sites
Denying all that does not match
(Basically this reads as: deny the request if the request is for the specified site, but is not on the list of allowed IP addresses)