Score:0

Select an HAProxy TCP backend depending on source IP


I have basic HAProxy knowledge and know how to handle the selection of TCP backends depending on the SNI server name.

The relevant lines are

    acl is_myhost req.ssl_sni -i my.host.com
    acl is_otherhost req.ssl_sni -i other.host.com


    use_backend mybackend if is_myhost
    use_backend otherbackend if is_otherhost

Now I'd like to change them to something that also allows me to choose the backend depending on the source IP, but I don't know the exact syntax for the pseudo configuration below, or whether this is possible at all.

    acl is_myhost_for_specif req.ssl_sni -i my.host.com <and source ip = 1.2.3.4>
    acl is_myhost_for_others req.ssl_sni -i my.host.com <and source ip != 1.2.3.4>
    acl is_otherhost req.ssl_sni -i other.host.com


    use_backend mybackend1 if is_myhost_for_specific
    use_backend mybackend2 if is_myhost_for_others
    use_backend otherbackend if is_otherhost

George Y:
how about asking haproxy directly?
gelonida:
I like the persistence and searchability of questions on SO, thus I tried here first. But yes, sending the question to the haproxy mailing list (`[email protected]`) is another option.
Score:2

Your pseudo-code for the ACLs is incorrect, because an ACL declaration has no syntax for AND/OR logic. Move that logic to the place where you use the ACL, as in the example below.
For the source IP there is src (https://cbonte.github.io/haproxy-dconv/2.2/configuration.html#7.3.3-src), e.g.:

    acl test_network src 192.168.10.0/24
    acl test_network src 192.168.20.0/24
    acl is_myhost req.ssl_sni -i my.host.com

    # both acls must be true (is_myhost **and** test_network)
    use_backend mybackend1 if is_myhost test_network
    use_backend mybackend2 if is_myhost

Please note that the syntax for matching two conditions in an if statement is not

    use_backend mybackend if condition1 and condition2

but just

    use_backend mybackend if condition1 condition2

The order of the use_backend lines is important, so IPs from test_network go to mybackend1 and others go to mybackend2 if the SNI matches. Declaring the test_network ACL twice here means "src matches 192.168.10.0/24 OR 192.168.20.0/24".
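A complete configuration built on the answer's approach, added here as an example (it is not part of the answer); hostnames, networks and backend addresses are placeholders. It adds the `tcp-request inspect-delay` / `accept` pair that TCP mode needs before `req.ssl_sni` can be evaluated, and it assumes clients connect to HAProxy directly, since `src` is the TCP peer address and would otherwise be the address of an upstream proxy unless PROXY protocol is used.

```haproxy
# Added example (not the answer's own config). Names, networks and
# backend addresses are placeholders; routing decisions use only the
# TLS ClientHello, so HAProxy never needs the certificates.
global
    log stdout format raw local0

defaults
    mode    tcp
    log     global
    option  tcplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend tls_in
    bind *:443
    # req.ssl_sni is only available once the ClientHello has been buffered;
    # without these two lines the SNI ACLs below would never match.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }

    # Declaring the same ACL name twice ORs the two networks.
    # src is the TCP peer address: accurate only when clients connect
    # directly (or via PROXY protocol with 'accept-proxy' on the bind).
    acl trusted_net src 192.168.10.0/24
    acl trusted_net src 192.168.20.0/24
    acl is_myhost    req.ssl_sni -i my.host.com
    acl is_otherhost req.ssl_sni -i other.host.com

    # ACLs on one 'if' line are ANDed (no 'and' keyword). The first
    # matching use_backend wins, so the narrower rule must come first.
    use_backend mybackend1   if is_myhost trusted_net
    use_backend mybackend2   if is_myhost
    use_backend otherbackend if is_otherhost
    # No default_backend: a connection whose SNI matches neither host
    # (or that sends no ClientHello) is closed instead of being forwarded.

backend mybackend1
    server app1 10.0.1.10:443 check

backend mybackend2
    server app2 10.0.2.10:443 check

backend otherbackend
    server other 10.0.3.10:443 check
```

`haproxy -c -f haproxy.cfg` validates the file before a reload and reports undefined ACL names, which is how a stray `and` on a use_backend line shows up.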

gelonida:
Thanks. Well, I knew my pseudo code was wrong, but fortunately it was good enough to explain my intention. Your answer seems to be **exactly** what I was looking for. I didn't know `test_network src`, I didn't know that ACLs can contain just one condition and that the if statement can combine ACLs. I will mark it as the correct answer as soon as I have tested it.
gelonida:
The trick of declaring an ACL twice is also very helpful.
gelonida:
Finally had time to test your answer. There is a small mistake in the line `use_backend mybackend1 if is_myhost and test_network`, which has to be `use_backend mybackend1 if is_myhost test_network` (without the `and`). The `and` is implicit. Thanks again.
gelonida:
I will mark it as the correct answer as soon as the answer is corrected (my change request needs approval).
gelonida:
I added another comment to my changes, as it seems that 20 reviewers looked at my changes but didn't feel comfortable accepting them. I hope my additional comment makes the change easier to understand / accept.
gelonida:
Perhaps you can apply the change to your answer. The review procedure for my edit request is surprisingly slow for serverfault, probably because HAProxy is not that well known. Without my proposed changes HAProxy will complain about an unknown `acl` with the name `and`.