
Allow permitted IP to access URL using HAProxy


I'm using pfSense with the HAProxy package. Using a simple rule, I would like to only allow access to a website if the IP is in the allow list.


For some reason I'm always getting a 404 response and cannot access the webpage. My public IP was obtained from here for testing: https://whatismyipaddress.com/

Any ideas what could be wrong with my access rules?

Here's the generated config:

```
frontend Shared-merged
    bind            111.111.111.111:443 name 111.111.111.111:443   ssl crt-list /var/etc/haproxy/Shared.crt_list
    mode            http
    log             global
    option          http-keep-alive
    option          forwardfor
    acl https ssl_fc
    http-request set-header     X-Forwarded-Proto http if !https
    http-request set-header     X-Forwarded-Proto https if https
    timeout client  30000
    acl         aclcrt_Shared   var(txn.txnhost) -m reg -i ^([^\.]*)\.example\.com(:([0-9]){1,5})?$
    acl         aclcrt_Shared   var(txn.txnhost) -m reg -i ^example\.com(:([0-9]){1,5})?$
    acl         ACL1    var(txn.txnhost) -m str -i site1.example.com
    acl         ACL2    var(txn.txnhost) -m str -i site2.example.com
    acl         AllowedIps  src 111.111.111.111
    acl         MatchDomain var(txn.txnhost) -m str -i site3.example.com
    http-request set-var(txn.txnhost) hdr(host)
    http-request deny deny_status 404  if  !AllowedIps  MatchDomain
    use_backend site1_ipvANY  if  ACL1
    use_backend site2_ipvANY  if  ACL2
    use_backend site3_ipvANY  if  MatchDomain AllowedIps
```
tbielaszewski
This config looks incomplete, `txn.txnhost` is never set here. Where does it come from? Also you bind to 111.111.111.111 and your `AllowedIps` is source 111.111.111.111, so you allow only your own host. Also `MatchDomain` checks `txn.txnhost` against `site3.example.com`. Also using your Public IP obtained from that web service may be incorrect if this haproxy is in your private network.
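
An added example, not part of the original question or comment: a small Python model of the frontend's rule order (set the variable from the Host header, apply the deny rule, then walk the `use_backend` lines), run over constructed requests to show which source/Host combinations trigger the deny rule's 404. The function name `decide`, the sample addresses, and the 503 branch (which assumes the frontend has no `default_backend`, as in the excerpt) are assumptions of this sketch.

```python
import ipaddress

# ACL values copied from the frontend in the question.
ALLOWED_IPS = [ipaddress.ip_network("111.111.111.111/32")]   # acl AllowedIps src ...
HOST_ACLS = [                                                # use_backend order
    ("site1.example.com", "site1_ipvANY"),
    ("site2.example.com", "site2_ipvANY"),
    ("site3.example.com", "site3_ipvANY"),
]
RESTRICTED_HOST = "site3.example.com"                        # acl MatchDomain


def decide(src, host_header):
    """Model one request: set-var, then the deny rule, then use_backend lines.

    Returns (result, reason); result is a backend name or an HTTP status.
    """
    txnhost = host_header.lower()            # -i makes the comparison case-insensitive
    allowed = any(ipaddress.ip_address(src) in net for net in ALLOWED_IPS)
    match_domain = txnhost == RESTRICTED_HOST    # -m str matches the whole string

    # http-request deny deny_status 404 if !AllowedIps MatchDomain
    if match_domain and not allowed:
        return 404, f"denied: HAProxy saw src {src}, not in AllowedIps"
    # site3 is only reachable here when the source is allowed (deny ran first).
    for host, backend in HOST_ACLS:
        if txnhost == host:
            return backend, "routed"
    # Assumption: no default_backend, as in the excerpt, so HAProxy answers 503.
    return 503, f"no use_backend matched Host {host_header!r}"


# Constructed sample requests: (source address as HAProxy sees it, Host header).
SAMPLES = [
    ("111.111.111.111", "site3.example.com"),
    ("203.0.113.7", "site3.example.com"),
    ("192.168.1.10", "site3.example.com"),      # client on the LAN side
    ("203.0.113.7", "site1.example.com"),
    ("111.111.111.111", "site3.example.com:443"),
]

if __name__ == "__main__":
    for src, host in SAMPLES:
        result, reason = decide(src, host)
        print(f"{src:<16} {host:<24} -> {result} ({reason})")
```

The source address that matters is the one HAProxy sees on the connection, so comparing it in the HAProxy log against the `AllowedIps` value is the quickest check when the deny rule fires unexpectedly.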