Bobcares

Step-by-Step Guide: HAProxy ACLs with CIDR

by | Jul 24, 2024

Learn how to configure HAProxy ACLs with CIDR. Our HAProxy Support team is here to help you with your questions and concerns.

Step-by-Step Guide: HAProxy ACLs with CIDR

Step-by-Step Guide: HAProxy ACLs with CIDRIn HAProxy, Access Control Lists are a handy tool for filtering traffic as per IP addresses using CIDR notation.

This helps allow or deny access from specific IP ranges. Today, we are going to take a look at how to configure and use ACLs with CIDR in HAProxy.

An ACL in HAProxy is a rule that defines a condition for matching traffic. We can define them within the frontend or backend sections of the HAProxy configuration file.

acl acl_name condition

Then, we can use these ACLs to allow or deny traffic using directives like http-request allow or http-request deny.

Blocking IPs with CIDR: An Example

Here’s a step-by-step example to demonstrate how to block traffic from a specific IP range using CIDR notation.

  1. In the frontend section:

    frontend http-in
    bind *:80
    # Define ACL to match a specific CIDR range
    acl blocklist src 192.168.1.0/24
    # Use the ACL to deny requests from the specified IP range
    http-request deny if blocklist
    # Default backend
    default_backend servers

    Here. the blocklist ACL matches any source IP (indicated by src) within the 192.168.1.0/24 range. Also, the “http-request deny if blocklist” directive blocks requests from IPs matching the blocklist ACL.

  2. In the backend section:

    backend servers
    server server1 192.168.2.2:80 check
    server server2 192.168.2.3:80 check

Advanced ACL Usage

We can create more complex ACLs by combining multiple conditions or using different criteria.

  • Combining ACLs

    We can combine multiple ACLs using logical operators (e.g., `and`, `or`).

    acl allowed_networks src 10.0.0.0/8 192.168.0.0/16
    acl allowed_ports dst_port 80 443
    http-request deny if !allowed_networks or !allowed_ports

    Here,

    • allowed_networks: Matches source IPs within the specified ranges.
    • allowed_ports: Matches destination ports 80 or 443.
    • It denies requests if the source IP is not in `allowed_networks` or the destination port is not in `allowed_ports`.
  • Logging and Monitoring

    Additionally, we can use HAProxy’s logging capabilities to monitor ACL actions.

    frontend http-in
    bind *:80
    acl blocklist src 192.168.1.0/24
    http-request deny if blocklist
    http-request set-log-level info if blocklist
    http-request set-var(txn.blocked) str("blocked") if blocklist
    default_backend servers

    Here, HAProxy logs the request and sets a transaction variable when a request is denied by the ACL.

[Need assistance with a different issue? Our team is available 24/7.]

Conclusion

By using ACLs with CIDR in HAProxy, you can easily manage and secure traffic to our applications based on IP ranges.

In brief, our Support Experts demonstrated how to configure HAProxy ACLs with CIDR.

0 Comments

Submit a Comment

Your email address will not be published. Required fields are marked *

Never again lose customers to poor
server speed! Let us help you.