HAProxy restrict single backend by ip range

StackOverflow https://stackoverflow.com/questions/23342036

  •  11-07-2023
  •  | 
  •  

Question

I have inherited an HAProxy setup with around twenty backend definitions (and little else) in the config file. I have been asked to restrict one of the backends to a specific IP range, but so far my research (and limited HAProxy knowledge) have yielded nothing.

Whilst reading the manual, I have found a network_allowed parameter that would work for a frontend, but I don't seem to have any front end definitions and I don't want to apply this restriction to any of the other proxy routes. Is there anything I can specifically use on a backend to restrict access by IP range?

Thanks, Simon

Was it helpful?

Solution

To have a functional HAProxy setup you would need either 'frontend' or 'listen' directives. These are the only directives that will respond to incoming requests. The 'backend' directive only provides for a way to route traffic behind the proxy.

That being said, here are the entries you need in a 'frontend' or 'listen' directive to accomplish your goals:

acl white_list src 192.168.1.0/24 192.168.10.0/24
tcp-request content accept if white_list
tcp-request content reject

These directives would allow only traffic coming from the 192.168.1/24 and 192.168.10/24 subnets.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top