HAProxy Deny Ip

The OpenShift forums have been retired.
You can still read and search them, but for help, please post a question on Stack Overflow.

I am trying to block malicious ips from our site in the haproxy config.

listen express xxxxx:8080
    cookie GEAR insert indirect nocache
    option httpchk GET /
    balance leastconn
    server  filler xxxx:8080 backup
    server local-gear xxxx:8080 maxconn 2 check fall 2 rise 3 inter 2000 cookie local-xxxx
 
acl bad_range1 src 199.19.0.0/16
    acl bad_range2 src 195.130.0.0/16
    acl bad_range3 src 150.70.0.0/16
    acl test1 src $my_ip
    http-request deny if bad_range1
    http-request deny if bad_range2
    http-request deny if bad_range3
    http-request deny if test1

Stil when i put my ip into the test1 section, i can still access my app, what am i doing wrong?

Regards

Honestly I am not sure if this is possible so I am checking with an SME. One question though, have to restarted the app after your changes to haproxy config?

[ Deleted - just realized my update wasn't helpful. Will look for another option. ]

The front-end Apache server passes the X-Forwarded-For through and adds the IP address of the host which contacted it. It also places the same IP address in X-Client-IP.

You can use either X-Forwarded-For or X-Client-IP for an ACL filter. http://cbonte.github.io/haproxy-dconv/configuration-1.4.html#7-hdr_ip

Ex: acl bad_range1 hdr_ip(X-Forwarded-For) 199.19.0.0/16

Side note, X-Forwarded-For is reasonably safe for filtering addresses you don't want to contact but it is not safe for accepting addresses you do want to contact. Any upstream source (including a malevolent client) can insert an IP address into the header in addition to the one the front-end Apache adds.

@sannam just restarting haproxy (by killing the pid and reexcuting) was sufficient. No need to restart the app itself.

@rmillner

Thanks!

This works as expected! Right now i am configuring this directly in the haproxy.cfg file. Are there any plans on making the proxy config available from the .openshift folder?

rgrds and thanks for the help!

Thanks Tim! Can you raise a feature request for the latter part?