We can use ACL to block IP addresses in HAProxy. This article explains the steps to do so. As part of our Server Management Service, Bobcares provides answers to all of your questions.

ACL IP Blocking in HAProxy

We can use Access Control Lists (ACLs) to block or allow IP addresses from accessing network resources. This is commonly done on routers, firewalls, and other network devices to enhance security and control traffic flow. Let’s look into the steps to use ACL IP blocking in HAProxy:

1. To define an ACL, use the acl keyword followed by a name (e.g., bad_ip), specify src to indicate checking the source IP address, and provide the IP address or subnet in CIDR notation (e.g., acl bad_ip src 10.0.0.100 to block a single IP, or acl bad_subnet src 192.168.1.0/24 to block an entire subnet).

2. There are two main ways to handle requests from blocked IPs:

i. Connection Rejection (TCP Level): Use connection reject in the ACL definition to terminate connections immediately:

ii. HTTP Error Response (HTTP Level): Create a backend returning an error (e.g., 403 Forbidden) and use the use_backend directive to route requests from blocked IPs to this error backend.

3. ACLs can be defined in the global section to apply system-wide rules. Else, we can set them within specified frontend sections to restrict blocking to specific parts of the settings.

For larger IP lists, we can consider creating a separate file and loading it with the acl_file directive for simpler updating.

[Looking for a solution to another query? We are just a click away.]

Conclusion

By using ACLs, companies can enforce security policies, ensuring that only authorized users and processes can access sensitive resources. This article offers the steps from our Tech team to set up IP blocking using ACL in HAProxy.