HAProxy ACL whitelist IPs CIDR notation


I have an HAProxy load balancer and I would like to allow access only to certain IPs. I know how to do this using the regular notation:

acl is_ip_allowed src 173.245.48.1
http-request deny if !is_ip_allowed

But when I use CIDR notation it is not working:

acl is_ip_allowed src 173.245.48.0/20
http-request deny if !is_ip_allowed

This should be possible if I got the HAProxy documentation correctly

IPv4 addresses values can be specified either as plain addresses or with a netmask appended, in which case the IPv4 address matches whenever it is within the network. Plain addresses may also be replaced with a resolvable host name, but this practice is generally discouraged as it makes it more difficult to read and debug configurations. If hostnames are used, you should at least ensure that they are present in /etc/hosts so that the configuration does not depend on any random DNS match at the moment the configuration is parsed.

But unfortunately, it's not working. Am I missing something?


Solution

  • After consulting with a colleague I found an answer.

    http-request deny if !{ src 173.245.48.0/20 }

    So, removing the ACL and adding the CIDR range in an IF condition works.
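As an added example (not code from the original post or from HAProxy itself), the following mirrors how HAProxy's `src` fetch is compared against the values given to an ACL: a plain address means a single host, a value with a netmask appended matches any address inside that network, and several values are ORed. It uses only Python's standard `ipaddress` module; the client addresses checked at the bottom are constructed for illustration, and the function names are my own.

```python
"""Reproduce HAProxy `src` matching for plain IPs and CIDR ranges.

Added example, not part of the original post. Standard library only,
so it runs offline; all sample addresses below are constructed.
"""
import ipaddress
from typing import Iterable, List


def parse_allowlist(entries: Iterable[str]) -> list:
    """Turn ACL values such as '173.245.48.1' or '173.245.48.0/20'
    into network objects.

    A plain address becomes a /32 (or /128 for IPv6) host network,
    which is what a netmask-less value means to HAProxy. strict=False
    accepts a value with host bits set (e.g. '173.245.48.1/20') and
    treats it as the enclosing /20 instead of raising.
    """
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries]


def is_src_allowed(src: str, allowlist: list) -> bool:
    """True when src falls inside any allowlisted network.

    Matches the semantics of `acl is_ip_allowed src <values...>`:
    the ACL is true if any single value matches. Address-family
    mismatches (IPv6 client vs. IPv4 network) simply do not match.
    """
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in allowlist)


def matching_entries(src: str, allowlist: list) -> List[str]:
    """Which allowlist entries a given client address hits; handy when
    debugging why a request was or was not denied."""
    ip = ipaddress.ip_address(src)
    return [str(net) for net in allowlist if ip in net]


if __name__ == "__main__":
    # Constructed allowlist: the host and the /20 from the question.
    allow = parse_allowlist(["173.245.48.1", "173.245.48.0/20"])
    # 173.245.48.0/20 spans 173.245.48.0 through 173.245.63.255.
    for client in ("173.245.48.1", "173.245.63.255",
                   "173.245.64.0", "173.245.47.255", "2001:db8::1"):
        verdict = "allow" if is_src_allowed(client, allow) else "deny"
        print(f"{client:>16} -> {verdict:5} {matching_entries(client, allow)}")
```

One thing worth checking when a rule like this "does not work": `src` is the source address of the TCP connection as HAProxy sees it. If the test client reaches HAProxy through another proxy or a NAT, the address being matched is that intermediate hop, not the client's own, and a script like the one above run on the address HAProxy actually logs will show whether it sits inside the range.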