Using ACL by IP Address in HaProxy TCP Mode

HaProxy: An awesome load balancer that allows security rules by IP Addresse

haproxy is an awesome load balancer for TCP and HTTP connections. Let's see how to add some simple security rules based on the source IP address.

Configuration of HaProxy to allow and reject connections by IP Address

HaProxy supports different modes, in this case we're going to look at the TCP mode so we can restrict access by IP address.

For this, we're going to use a simple ACL to check the source IP address against a whitelist of known IP addresses, and then use the tcp-request connection reject action to block access to unknown IP addresses. If the ACL allows the connection, we then use use_backed to proceed to the real backend server.

The configuration is actually pretty simple, and here's a small snippet that will show the concept in a frontend section:

A simple ACL Condition will negate the list, so the TCP connection is closed if the source ip address is not there.

As you can see this is pretty straightforward, and it's also a pretty expressive configuration too. Enjoy!