So today we will work on having correct ACLs when we sit behind a service such as Akamai or Cloudflare. The benefits of those services are beyond the scope of this post; however, if you are into CDN caching, security or DDoS protection, take a look at them.
The challenge we are looking into today is having the appropriate ACLs within our configuration. Usually a simple ACL could look like this:
# Check restricted network
acl restricted_network src 22.214.171.124 # Home network
This is a perfectly valid configuration entry and it will work when the client hits our server directly. However, if we decide to use one of the solutions mentioned above (or any other), we need to make sure we can still apply our ACLs, since the source IP will now be the proxy's rather than the client's. Well, no worries: HAProxy is such a versatile load balancer that this is easy to achieve. We will use a header passed on by our service provider, X-Forwarded-For, which contains the client's original IP address.
So the first thing I did was create a file (the name is arbitrary for this demo) called acl_restricted_network and place it at /etc/haproxy/acl_restricted_network.
The contents of this file are the IP addresses / networks I will use in my ACL, and it looks as simple as this:
Then the last thing to change in our HAProxy configuration is to have this file checked by the desired ACL:
acl restricted_network hdr_ip(X-Forwarded-For) -f /etc/haproxy/acl_restricted_network
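As an added example (not configuration from the original post), here is a complete frontend that combines the file-based ACL above with two checks a practitioner would want once the origin is reachable from the internet: trust X-Forwarded-For only on connections that actually come from the CDN, and read only the last address in the header, because a proxy appends the connecting client's address after whatever the client itself sent. The CDN address file /etc/haproxy/cdn_ranges, the /admin path, the backend name and the loopback server are assumptions.

```haproxy
frontend www
    bind *:80
    mode http

    # Addresses the CDN connects from (assumed file, one prefix per line).
    # Only these connections carry a trustworthy X-Forwarded-For.
    acl from_cdn src -f /etc/haproxy/cdn_ranges

    # Restricted networks from the post, matched against the LAST value in
    # X-Forwarded-For (occurrence -1). The CDN appends the real client
    # address at the end, after anything the client put in the header.
    acl restricted_network hdr_ip(X-Forwarded-For,-1) -f /etc/haproxy/acl_restricted_network

    # Path that only the restricted networks may reach (assumed).
    acl restricted_path path_beg /admin

    # Refuse anything that did not arrive through the CDN; a direct hit on
    # the origin could carry any X-Forwarded-For value the sender chose.
    http-request deny if !from_cdn

    # Enforce the ACL on the protected path.
    http-request deny if restricted_path !restricted_network

    default_backend app

backend app
    mode http
    server app1 127.0.0.1:8080 check
```

Without the occurrence index, an ACL on hdr_ip(X-Forwarded-For) matches if any of the comma-separated values is in the list, so the -1 matters as much as the from_cdn guard.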
Now, to put at ease those of you who are worried about performance, here is a quote from one of the mailing lists describing this approach:
IP lists loaded from files are stored in binary trees. Even if you load one million prefixes, you should barely notice it under load, as the prefix lookup is cheaper than the header extraction itself.
And voilà 🙂 it works out of the box without any problems 🙂 and is performance friendly!