Is there something like Apache "deny from ip" in haproxy?
1 Answers
25
You can drop an IP at the tcp level by creating an ACL and then using connection reject if the ACL is matched:

    acl bad_ip src 10.10.10.0
    tcp-request connection reject if bad_ip

You could also set up a 403 backend and send them to that if you want to do it at the HTTP level:

    frontend foo
        ...
        acl bad_ip src 10.10.10.0
        use_backend bad_guy if bad_ip
        ...

    backend bad_guy
        mode http
        errorfile 403 /etc/haproxy/errors/403.http

These ACLs can be pretty flexible, and you can make it so multiple conditions within an ACL, or multiple ACLs within the action have to be met. More at http://haproxy.1wt.eu/download/1.5/doc/configuration.txt .
Lætitia
- 2,115
Kyle Brandt
- 85,693
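
An added example, not part of the answer above, showing how the ACL combinations the answer mentions behave in one configuration: several values in one ACL, and several ACLs in one condition. The names `fe_web`, `be_app`, `office`, `admin_path` and the file `/etc/haproxy/blocklist.lst` are assumptions, and all addresses are documentation ranges.

```haproxy
# Added example; section names, paths and addresses are assumed, not from the answer.
global
    log /dev/log local0

defaults
    mode http
    log global
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend fe_web
    bind :80

    # Several values in one ACL are OR'ed: the ACL matches if the source
    # address equals any of them. CIDR notation covers a whole network.
    acl bad_ip src 192.0.2.10 198.51.100.0/24

    # Declaring the same ACL name again adds more patterns to it.
    # -f loads one address or network per line; the file must exist at startup.
    acl bad_ip src -f /etc/haproxy/blocklist.lst

    acl office     src 203.0.113.0/24
    acl admin_path path_beg /admin

    # Layer 4: the connection is closed before any HTTP parsing is done,
    # so the client gets no response at all.
    tcp-request connection reject if bad_ip

    # Layer 7: ACLs listed side by side are AND'ed and "!" negates, so this
    # answers 403 for /admin requests from any source outside the office range.
    http-request deny if admin_path !office

    default_backend be_app

backend be_app
    server app1 127.0.0.1:8080 check
```

Running `haproxy -c -f` against the file checks the syntax before a reload.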