Re: ACL problem

From: Willy Tarreau <w#1wt.eu>
Date: Wed, 24 Oct 2007 06:40:19 +0200


Hi Piotr!

On Tue, Oct 23, 2007 at 03:17:48PM +0200, Piotr Rybicki wrote:
> Hi list!
>
> I've problems with configuring ACL.
>
> My OS:
> # uname -a
> FreeBSD ryba-laptop.cadera.com.pl 6.2-RELEASE-p8 FreeBSD 6.2-RELEASE-p8
> #2: Thu Oct 4 11:39:54 CEST 2007
> root#ryba-laptop.cadera.com.pl:/usr/obj/usr/src/sys/LAPTOP i386
>
> My haproxy version (build from ports):
> # pkg_info | grep haproxy
> haproxy-devel-1.3.12.2 The Reliable, High Performance TCP/HTTP Load Balancer
>
> My config:
> # cat haproxy.conf
> global
>     log 127.0.0.1 local0
>     log 127.0.0.1 local1 notice
>     #log loghost local0 info
>     maxconn 4096
>     # ulimit-n 8208
>     chroot /var/empty
>     uid nobody
>     gid nobody
>     nbproc 1
>     daemon
>     debug
>     #quiet
>
> defaults
>     log global
>     mode http
>     option httplog
>     option dontlognull
>     retries 3
>     redispatch
>     maxconn 2000
>     contimeout 5000
>     clitimeout 50000
>     srvtimeout 50000
>
> listen admin_page 0.0.0.0:8888
>     mode http
>     option httpclose
>     balance roundrobin
>     stats enable
>     stats refresh 1
>     stats uri /
>     stats realm Global\ statistics
>     stats auth admin:admin
>
> listen :10000 0.0.0.0:10022
>     # disabled
>     mode tcp
>     balance roundrobin
>     acl src_in src 192.168.137.2/32
>     # block if !src_in
>     block unless src_in
>     server test 192.168.137.1:10022 check inter 2000 rise 2 fall 5
>
>
> I wish to limit access to TCP proxy service for certain IP address.
> Something similar to 'only_from = _IP_' in xinetd
>
> In my opinion, this configuration doesn't do ACL stuff. Even when I add
> the section:
> block if TRUE
>
> Am I missing something?

No, you're not missing anything. Right now, the ACLs are evaluated in the HEADERS state, which only exists in HTTP and not in TCP mode. It is planned to separate ACLs into layer 4 and layer 7 in order to be able to filter in TCP too, but this requires the protocol layering which is in progress.

I'm sorry you wasted time trying to debug this. If you absolutely need to do this, take a look at src/proto_http.c; it should not be too hard to move the test to CL_STDATA, which is the first state evaluated in TCP mode. But it's risky, because if you were to accidentally add a layer 7 ACL in it, you could crash the process.

Regards,
Willy

Received on 2007/10/24 06:40
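For readers landing on this thread today: the configuration below is an added example, not part of the original exchange and not Willy's or Piotr's config. It assumes an HAProxy release newer than the 1.3.12 discussed above (1.4 or later), where the layer-4 and layer-7 split Willy mentions has shipped as the `tcp-request connection` rule set. The addresses, ports and the proxy name `ssh_proxy` are taken from or modelled on Piotr's example and are illustrative only. It shows the source-IP restriction he was after, with the rule that is silently ineffective in TCP mode kept beside the one that is evaluated at connection acceptance.

```haproxy
listen ssh_proxy
    bind 0.0.0.0:10022
    mode tcp
    balance roundrobin

    # Layer-4 ACL: matches on the source address of the accepted
    # connection. A /32 allows exactly one host.
    acl src_in src 192.168.137.2/32

    # INEFFECTIVE in mode tcp: "block" is an HTTP-layer rule that is
    # only evaluated once request headers have been parsed, which never
    # happens for a raw TCP proxy. It does not error out; it just never
    # fires, which is the behaviour reported in the thread.
    #block unless src_in

    # Layer-4 rule: evaluated when the connection is accepted, before any
    # payload is read, so it works in mode tcp. Connections from any
    # source other than 192.168.137.2 are reset immediately.
    tcp-request connection reject unless src_in

    server test 192.168.137.1:10022 check inter 2000 rise 2 fall 5
```

Check the file with `haproxy -c -f <config>` before reloading, then verify the rule actually bites: a TCP connect to port 10022 from a host outside the ACL should be reset before any banner is exchanged, while the allowed host should reach the backend SSH service. A rule that accepts everything after a config change is exactly the failure mode this thread describes, so test the negative case, not just the positive one. In HTTP mode on the same later releases, `http-request deny unless src_in` is the equivalent of the old `block` directive.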

This archive was generated by hypermail 2.2.0 : 2007/11/04 19:21 CET