Using ACL by IP Address in HaProxy TCP Mode


HaProxy: An awesome load balancer that allows security rules by IP Address

haproxy is an awesome load balancer for TCP and HTTP connections. Let's see how to add some simple security rules based on the source IP address.

Configuration of HaProxy to allow and reject connections by IP Address

HaProxy supports different modes; in this case we're going to look at the TCP mode, so we can restrict access at the connection level by IP address.

For this, we're going to use a simple ACL to check the source IP address against a whitelist of known IP addresses, and then use the tcp-request connection reject action to block access from unknown IP addresses. If the ACL allows the connection, we then use use_backend to proceed to the real backend server.

The configuration is actually pretty simple, and here's a small snippet that will show the concept in a frontend section:

A simple negated ACL condition (`if !acl_name`) inverts the match, so the TCP connection is closed if the source IP address is not in the list.
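As an added example, which is not the article's own snippet, here is a complete TCP-mode frontend and backend that implements the rule just described. The listening port, the backend name, the server addresses and the whitelisted networks are all assumptions chosen for illustration:

```haproxy
# Added example (not the article's snippet): TCP-mode frontend that only
# accepts connections from whitelisted source addresses.
# Port, backend name, server addresses and networks below are assumptions.

frontend db_in
    mode tcp
    bind *:3306

    # ACL matching the client's source address against known networks.
    # The same list can live in a file: acl allowed_src src -f /etc/haproxy/allowed_src.lst
    acl allowed_src src 10.0.0.0/8 192.168.1.0/24 203.0.113.7

    # Negated ACL: close the TCP connection if the source is NOT in the list.
    # "tcp-request connection" is evaluated before any payload is read, so a
    # rejected client never reaches the backend.
    tcp-request connection reject if !allowed_src

    # Whitelisted clients are forwarded to the real servers.
    use_backend db_servers if allowed_src

backend db_servers
    mode tcp
    balance roundrobin
    server db1 10.0.1.10:3306 check
    server db2 10.0.1.11:3306 check
```

Two practical notes: `haproxy -c -f /etc/haproxy/haproxy.cfg` validates the file before a reload, and `src` is the address of the peer that opened the TCP connection. If HaProxy sits behind another proxy or a NAT device, that peer is the upstream box rather than the real client, so the whitelist only means what you expect when HaProxy sees the client address directly (or receives it via the PROXY protocol from a trusted upstream using `bind ... accept-proxy`).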

As you can see, this is pretty straightforward, and the resulting configuration is quite expressive too. Enjoy!