Tags: http, nginx, proxy, reverse-proxy, haproxy

HAProxy - option forwardfor except a whitelist of networks


I would like to use the haproxy option forwardfor except network-here for multiple networks, not just a single one.

I'm looking for something like

option forwardfor except 'multiple networks here'

I tried a few things that did not work, like listing several networks in a single forwardfor line as shown below, which resulted in a syntax error:

option forwardfor except 127.0.0.0/8 , 1.1.1.1/32, 2.2.2.2/32

I also tried specifying multiple forwardfor lines in a row, one for each network, as shown below. This also did not work: each forwardfor line overwrote the previous one, so only the last forwardfor line counted and not the rest, which is not what I am looking for.

frontend  main
    bind         my-ip-here:5356-60000
    mode                 http
    option               http_proxy
    option forwardfor    except 127.0.0.0/8 #local network
    option forwardfor    except 1.2.3.4/32 #example ip 1
    option forwardfor    except 5.6.7.8 #example ip 2
    option forwardfor    except 9.10.11.12/32 #example ip 3
    maxconn              950
    timeout              client  30s
    default_backend      mybackendserver

How can I forwardfor except multiple networks in haproxy?


Solution

  • I ended up using a somewhat hacky solution; it was not my first choice, but it works for my needs. In the haproxy config I am using an acl whitelist that contains all the ips that I do not wish to forwardfor. If the request comes from an ip that exists in the whitelist, haproxy will use a second backend that is identical to the first one, except that it does not forwardfor. I basically moved the forwardfor option to the backend portion instead of the frontend.

    so,

        frontend main
            bind                 myip:5356-60000
            mode                 http
            option               http_proxy
            maxconn              950
            timeout              client  30s
            # ips (or networks) that should NOT get X-Forwarded-For added; add further ips or networks here
            acl white_list_noforward src 1.1.1.1 2.2.2.2 3.3.3.3
            # if the ip is not in the whitelist, use backend_that_forwards; if it is, use backend_that_DOESNT_forward
            use_backend backend_that_forwards if !white_list_noforward
            use_backend backend_that_DOESNT_forward if white_list_noforward
            # default to the backend that forwards, just in case something goes wrong
            default_backend      backend_that_forwards

        backend backend_that_forwards
            # forwards the real client ip, except for 127.0.0.0/8
            mode        http
            option forwardfor    except 127.0.0.0/8
            balance     roundrobin
            timeout     connect 5s
            timeout     server  5s
            server      static 127.0.0.1:80 # same server for both backends

        backend backend_that_DOESNT_forward
            # does NOT add X-Forwarded-For (no option forwardfor here); handles all requests from ips in the whitelist
            mode        http
            balance     roundrobin
            timeout     connect 5s
            timeout     server  5s
            server      static 127.0.0.1:80 # same server for both backends
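The answer above works, but it duplicates the whole backend just to toggle one header. Since `option forwardfor except` accepts a single network, the general way to exempt several networks is to set the header yourself with an ACL: `http-request set-header X-Forwarded-For %[src] unless <acl>`. The config below is an added example, not part of the original question or answer; the frontend name, bind address, backend name and the addresses in the ACL are placeholders. One behavioural difference from `option forwardfor` that matters for security: `set-header` replaces any X-Forwarded-For the client sent, so an untrusted client cannot smuggle a spoofed address through to the backend, while the exempted networks (which should only be proxies you trust) keep their header untouched, exactly as `except` would leave it. If you need the append semantics of `option forwardfor` instead, use `http-request add-header` on the same condition, and make sure the backend only trusts the last entry.

```haproxy
# Added example, not the original poster's config.
# Placeholders: main, my-ip-here, app, and every address in the ACL.

defaults
    mode    http
    timeout connect 5s
    timeout client  30s
    timeout server  5s

frontend main
    bind    my-ip-here:5356-60000     # placeholder, same range as the question
    maxconn 950

    # Sources whose own X-Forwarded-For is trusted (upstream proxies, internal
    # hosts). List as many addresses or CIDR networks as needed, or keep them
    # in a file, one per line:
    #   acl trusted_xff src -f /etc/haproxy/trusted_xff.lst
    acl trusted_xff src 127.0.0.0/8 1.2.3.4/32 5.6.7.8/32 9.10.11.12/32

    # Everyone else gets X-Forwarded-For overwritten with the real source
    # address, so a client-supplied (spoofed) header never reaches the
    # backend. Trusted sources are left alone, which is what "except" does.
    http-request set-header X-Forwarded-For %[src] unless trusted_xff

    default_backend app

backend app
    balance roundrobin
    server  static 127.0.0.1:80
```

Check the result with `haproxy -c -f <file>` before reloading; it validates the ACL and `http-request` syntax without starting the proxy.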