haproxy tcp 白名单配置说明

基于 acl 可以让 haproxy 支持强大的访问控制以及流程处理。以下是一个简单的基于 tcp-request 在 4 层按 ip 清单拒绝连接的示例（配置中对清单里的 ip 执行 reject，实际是黑名单而非白名单）

参考配置

  • 环境准备
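# Sample compose stack: haproxy (reject list on :5000, stats page on :9000)
# in front of a plain nginx container used as the test backend.
version: '3'
services:
  haproxy:
    image: haproxytech/haproxy-debian:2.5.0
    volumes:
      # Both files are only read by haproxy; mount them read-only so the
      # container cannot rewrite the config or the reject list on the host.
      - "./haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg:ro"
      - "./iplist.lst:/etc/haproxy/iplist.lst:ro"
    ports:
      # The stats page in the sample haproxy.cfg has no authentication;
      # publish it on the loopback interface only.
      - "127.0.0.1:9000:9000"
      - "5000:5000"
  web:
    # NOTE(review): an untagged image floats to :latest; pin a tag or digest
    # for reproducible test runs.
    image: nginx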
  • haproxy 参考配置
 #
# THIS IS SAMPLE CONFIG, FOR TEST, NOT FOR PRODUCTION!!!
#
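global
    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn     4000
    user        haproxy
    group       haproxy
    # NOTE(review): no 'log' target is declared here, so 'log global' in the
    # defaults below sends nothing; add a log line (e.g. to stdout) if you
    # want rejected connections to show up anywhere.
 
# A 'defaults' section only applies to the proxies declared AFTER it. It
# therefore has to come before listen/frontend/backend; in the original
# order (defaults last) none of the proxies below inherited the mode or the
# timeouts, and haproxy warns about missing timeouts at startup.
defaults
    log     global
    mode    tcp
    # tcplog matches 'mode tcp'; 'option httplog' is not usable on a tcp
    # proxy and haproxy only falls back to tcplog with a warning.
    option  tcplog
    option  dontlognull
    timeout connect 5000
    timeout client  50000
    timeout server  50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http
 
listen stats
    bind :9000
    mode http
    stats enable
    stats uri /haproxy_stats
    # NOTE(review): no 'stats auth' is configured, so the page is open to
    # anyone who can reach :9000; keep that port off untrusted networks.
 
frontend main
    bind :5000
    # Drop the connection at accept time when the client source address is
    # listed in the reject file (one address per line, '#' comments allowed).
    # The file is loaded when the configuration is parsed, so edits to it
    # only take effect after a reload/restart.
    tcp-request connection reject if { src -f /etc/haproxy/iplist.lst }
    default_backend             app
 
backend app
    # 'web' is resolved once at startup via the container DNS; the commented
    # resolvers section below is what a dynamic setup would enable.
    server  app1 web:80
 
# resolvers mydns
#     nameserver dns1 127.0.0.11:53
#     resolve_retries       3
#     timeout retry         1s
#     hold other           30s
#     hold refused         30s
#     hold nx              30s
#     hold timeout         30s
#     hold valid           10s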
 
  • ip 清单
    此处配置需要禁止访问的 ip 列表（iplist.lst），每行一个 ip，# 开头的行为注释
 
# Source addresses rejected by 'tcp-request connection reject' in haproxy.cfg
# (matched with 'src -f'), one address per line; '#' lines are ignored.
# The file is read when haproxy parses its configuration, so changes only
# take effect after a restart.
# dalong
# NOTE: this also rejects connections made from inside the container's own
# loopback (e.g. local health checks).
127.0.0.1
# test service ip
#172.24.0.2
# default gateway
172.24.0.1

使用

  • 启动服务
# Bring up haproxy and web in the background (long form of -d).
docker-compose up --detach
  • 测试效果
    可以结合自己的实际情况修改 ip 清单；注意修改之后需要重启 haproxy 服务才会生效

说明

以上是一个简单的集成使用。实际上我们可以结合 haproxy 提供的 runtime api、dataplane api 以及服务发现，实现动态的访问控制
以上的核心是利用了 tcp-request connection reject；haproxy 支持在 tcp 以及 http 的不同阶段进行处理

参考资料

https://www.haproxy.com/documentation/hapee/latest/onepage/#tcp-request%20connection
https://www.haproxy.com/documentation/hapee/latest/management/service-discovery/dns-service-discovery/discovery-with-a-records/
https://hub.docker.com/r/haproxytech/haproxy-debian
https://github.com/rongfengliang/haproxy-tcp-iplist
https://www.haproxy.com/documentation/hapee/latest/configuration/config-sections/resolvers/
