Nice! How do you do this to block CIDR ranges from a different header? E.g. get the IP from the X-Forwarded-For header and compare against a blacklist?
If you need to block CIDR ranges based on the X-Forwarded-For header in HAProxy, you can accomplish this by setting up ACLs in your HAProxy configuration. Here's a quick guide:
Create ACLs for the CIDR ranges you want to block. Place these in the frontend section of your haproxy.cfg.
Extract the actual client IP from the X-Forwarded-For header using the hdr() function.
Implement blocking by using the http-request deny directive if the IP extracted matches any on your blacklist.
Here’s an example snippet:
frontend http-in
    bind *:80
    # ACL for blacklisted CIDR ranges (matched against the TCP source address)
    acl ip_blacklisted src -f /etc/haproxy/blacklist.lst
    # Check that an X-Forwarded-For header is present
    acl xff_ip hdr(x-forwarded-for) -m found
    # Match the first IP in X-Forwarded-For against the blacklist
    acl xff_ip_in_blacklist hdr_ip(x-forwarded-for,1) -f /etc/haproxy/blacklist.lst
    # Deny requests from blacklisted IPs
    http-request deny if xff_ip xff_ip_in_blacklist
    default_backend servers
Make sure your blacklist.lst contains the proper CIDR blocks you're aiming to restrict. After updating your configuration, don’t forget to reload HAProxy to apply the changes. This is usually done with sudo systemctl reload haproxy or a similar command depending on your system.
Hope this helps!
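The following is an added example, not code from this thread or from HAProxy itself: a small Python model of what the two ACLs above decide, so the matching logic can be checked against sample requests without reloading a proxy. The blacklist text, the header values and the function names (load_blacklist, pick_xff_ip, should_deny) are all constructed for the example. pick_xff_ip imitates the occurrence argument of hdr_ip: 1 selects the first comma-separated address, -1 the last. The config in the thread uses occurrence 1; because X-Forwarded-For is appended by each proxy on the path, the entry added by your own trusted proxy (typically the last one) is the one that cannot be chosen by the client, so the example lets you compare both choices.

```python
import ipaddress

# Constructed sample blacklist in the one-entry-per-line format that
# "-f /etc/haproxy/blacklist.lst" reads: plain IPs or CIDR blocks, '#' comments.
BLACKLIST_TEXT = """\
# constructed sample blacklist (documentation ranges only)
203.0.113.0/24
198.51.100.7
2001:db8:bad::/48
"""


def load_blacklist(text):
    """Parse blacklist lines into ip_network objects; blank lines and comments are skipped."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            # strict=False accepts host bits set in a CIDR entry, e.g. 10.0.0.1/24
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def pick_xff_ip(header_value, occ=1):
    """Mimic HAProxy's hdr_ip(x-forwarded-for,<occ>) selection.

    The header is a comma-separated list of addresses. occ=1 is the first
    address, occ=-1 the last. Returns None when the header is missing, the
    requested position does not exist, or the value is not a valid IP.
    """
    if header_value is None:
        return None
    parts = [p.strip() for p in header_value.split(",") if p.strip()]
    if not parts or occ == 0 or abs(occ) > len(parts):
        return None
    raw = parts[occ - 1] if occ > 0 else parts[occ]
    try:
        return ipaddress.ip_address(raw)
    except ValueError:
        return None


def should_deny(headers, blacklist, occ=1):
    """Equivalent of: http-request deny if xff_ip xff_ip_in_blacklist.

    headers is a dict of request headers (names compared case-insensitively).
    Returns True when the selected X-Forwarded-For address falls inside any
    blacklisted network; a missing or unparsable header never triggers a deny,
    just as the 'acl xff_ip ... -m found' condition would fail in HAProxy.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    ip = pick_xff_ip(lowered.get("x-forwarded-for"), occ)
    if ip is None:
        return False
    # ip_network membership is version-aware: an IPv4 address is never "in" an IPv6 block
    return any(ip in net for net in blacklist)


if __name__ == "__main__":
    blacklist = load_blacklist(BLACKLIST_TEXT)
    samples = [
        {"X-Forwarded-For": "203.0.113.9, 10.0.0.1"},   # blacklisted address first
        {"X-Forwarded-For": "10.0.0.1, 203.0.113.9"},   # blacklisted address last
        {"X-Forwarded-For": "2001:db8:bad::1"},
        {},                                             # no header at all
    ]
    for hdrs in samples:
        print(hdrs, "occ=1 ->", should_deny(hdrs, blacklist, 1),
              "occ=-1 ->", should_deny(hdrs, blacklist, -1))
```

Running the block shows that the same request is denied or allowed depending on which position in the header you tell hdr_ip to look at; pick the occurrence that matches where your trusted proxy appends its entry.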
Oh wow! Thanks Black Fedora for this config guide. I have spent all day playing around with it.
I'm in tcp mode so I used tcp-request content deny instead of http-request deny and found out I needed to add tcp-request inspect-delay 5s to make it work. Does that sound about right?
JV didn't get the notification about the reply!
I think you're on the right track! Using tcp-request content deny along with tcp-request inspect-delay 5s in HAProxy for TCP mode is a good approach. The inspect delay gives HAProxy time to gather enough data to enforce your rule effectively. I would fine-tune the delay time as needed for the best balance between security and performance. Great job figuring this out!
Black Fedora No worries! This config seems to be working well for me. I lowered the inspect-delay to 3s. Thanks for your help and advice.