
HAproxy – ACL on X-Forwarded-For

HeyYo,

Today we will look at keeping our ACLs correct when we are behind a service such as Akamai or Cloudflare. The benefits of those services are beyond the scope of this post, but if you are interested in CDN caching, security or DDoS protection, take a look at them.

The challenge we are looking into today is keeping the ACLs in our configuration accurate. A simple ACL usually looks like this:

	  # Check restricted network
	  acl restricted_network src 90.80.70.60 # Home network


This is a perfectly valid configuration entry, and it works as long as the client is hitting our server directly. Once we put one of the services mentioned above (or any other proxy) in front of HAProxy, the source address of every connection becomes the proxy's address, so we need another way to apply our ACLs. No worries: HAProxy is such a versatile load balancer that this is easy to achieve. We will use the X-Forwarded-For header, which our service provider adds to each request and which carries the original client IP address.

So the first thing I did was to create a file (the name is arbitrary for this demo) called acl_restricted_network and place it under /etc/haproxy/acl_restricted_network

The content of this file is the list of IP addresses / networks I will use in my ACL, one prefix per line, and it looks as simple as:

1.2.3.4/32
5.6.7.8/32


Then the last thing to change in our HAProxy configuration is to have the desired ACL check this file against the header instead of against the connection source. One caveat before relying on it: X-Forwarded-For is just a request header, so it can only be trusted if HAProxy accepts connections from the CDN alone (a client that reaches HAProxy directly can send any X-Forwarded-For it likes), and because hdr_ip without an occurrence argument matches the ACL against every comma-separated value in the header, the match should be restricted to the last value, the one the CDN appended, rather than values the client may have sent itself.

    acl restricted_network hdr_ip(X-Forwarded-For) -f /etc/haproxy/acl_restricted_network
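As an added example that is not part of the original post, here is a fuller frontend that puts the ACL to use and closes both gaps just mentioned: it only accepts connections from the CDN's own address ranges, and it matches the allow-list against the last X-Forwarded-For value (occurrence -1), which is the one the trusted hop appended. The CDN range file /etc/haproxy/cdn_networks, the protected path /admin and the backend be_app are placeholders chosen for this example; the allow-list file is the one created above.

```haproxy
# Added example configuration, not the original post's. Assumptions:
#   /etc/haproxy/cdn_networks        - the CDN's egress prefixes, one per line (placeholder path)
#   /etc/haproxy/acl_restricted_network - the allow-list file created above
#   /admin and be_app                 - placeholder path and backend name

frontend fe_web
    bind *:80
    mode http

    # 1. Only the CDN may talk to HAProxy directly. Anyone else could set
    #    X-Forwarded-For to whatever they like, so reject them first.
    acl from_cdn src -f /etc/haproxy/cdn_networks
    http-request deny if !from_cdn

    # 2. Any X-Forwarded-For values the client sent itself precede the one
    #    the CDN appended. Without an occurrence argument hdr_ip() matches the
    #    ACL against every comma-separated value, so a client-supplied
    #    "X-Forwarded-For: 1.2.3.4" would pass. Occurrence -1 is the last
    #    value, i.e. the address the trusted hop added.
    acl restricted_network hdr_ip(X-Forwarded-For,-1) -f /etc/haproxy/acl_restricted_network

    # Weaker form from the post, kept here only for comparison:
    # acl restricted_network hdr_ip(X-Forwarded-For) -f /etc/haproxy/acl_restricted_network

    # 3. Refuse the protected path unless the real client is allow-listed.
    acl is_admin path_beg /admin
    http-request deny if is_admin !restricted_network

    default_backend be_app

backend be_app
    mode http
    server app1 127.0.0.1:8080
```

If your provider also sets a dedicated header that carries only the client address (Cloudflare's CF-Connecting-IP, for example), matching on that header with the same -f file is simpler still, but the src restriction to the CDN's ranges stays necessary either way, since any header can be forged by a client that bypasses the CDN.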


And to put at ease those of you who are worried about performance, here is a quote from one of the mailing lists describing this approach:

IP lists loaded from files are stored in binary trees. Even if you load one million prefixes, you should barely notice it under load, as the prefix lookup is cheaper than the header extraction itself.


And voilà 🙂 it works out of the box without any problems 🙂 and is performance friendly!



rafpe

One Comment

  1. Thanks!!! This info was very helpful for me! I've been looking for this kind of configuration. It made me crazy until I found your blog, and it works correctly.
