JV didn't get the notification about the reply! I think you're on the right track! Using tcp-request content deny along with tcp-request inspect-delay 5s in HAProxy for TCP mode is a good approach. The inspect delay gives HAProxy time to gather enough data to enforce your rule effectively. I would fine-tune the delay time as needed for the best balance between security and performance. Great job figuring this out!

If you need to block CIDR ranges based on the X-Forwarded-For header in HAProxy, you can accomplish this by setting up ACLs in your HAProxy configuration. Here's a quick guide: Create ACLs for the CIDR ranges you want to block. Place these in the frontend section of your haproxy.cfg . Extract the actual client IP from the X-Forwarded-For header using the hdr() function. Implement blocking by using the http-request deny directive if the IP extracted matches any on your blacklist. Here’s an example snippet: frontend http-in bind *:80 # ACL for blacklisted CIDR ranges acl ip_blacklisted src -f /etc/haproxy/blacklist.lst # Check for X-Forwarded-For header acl xff_ip hdr(x-forwarded-for) -m found # Match the IP against the blacklist acl xff_ip_in_blacklist hdr_ip(x-forwarded-for,1) -f /etc/haproxy/blacklist.lst # Deny requests from blacklisted IPs http-request deny if xff_ip xff_ip_in_blacklist default_backend servers Make sure your blacklist.lst contains the proper CIDR blocks you're aiming to restrict. After updating your configuration, don’t forget to reload HAProxy to apply the changes. This is usually done with sudo systemctl reload haproxy or a similar command depending on your system. Hope this helps!