Re: blocking request on the HOST value

From: Willy Tarreau <w#1wt.eu>
Date: Tue, 2 Sep 2008 22:26:57 +0200


Hi Kévin & Aleks,

On Wed, Aug 20, 2008 at 04:11:58PM +0200, Aleksandar Lazic wrote:
> Dear Kévin,
>
> On Mit 20.08.2008 12:54, MAZIERE Kévin - AMEN wrote:
> >Hi,
> >
> >I try to block access to apache server using haproxy for some http
> >request containing the same HOST value
> >I'm not familiar with acl and reqideny and other parameters, even after
> >some tests and spending some time on the documentation...
> >
> >For example the request is like : wget http://foo.bar.com/ and I want to
> >block this request because it contains the words foo.bar.com
> >
> >I try to use reqideny command like : reqideny
> >^HOST:\foo\.bar\.com.*$,
>
> Please try:
>
> reqideny ^HOST: foo\.bar\.com

While this works on both 1.2 and 1.3, I would recommend switching to the ACLs for this (and they are faster BTW). You can do :

    acl bad_host hdr(host) -i foo.bar.com foo2.bar.com foo3.bar.com
    acl bad_host hdr(host) -i foo4.bar.com foo5.bar.com foo6.bar.com
    block if bad_host

You can also match on domain suffixes, and combine them with other conditions, such as source networks (eg: allow your test client but no one else).

Regards,
Willy

Received on 2008/09/02 22:26
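The suffix match and source-network exception mentioned in the reply, written out as an added example that is not part of the original message, using the same `block if` syntax. The section and backend names, the `.bad.example` suffix and the addresses (documentation ranges) are constructed for illustration.

```haproxy
frontend www                        # hypothetical section name
    bind :80
    mode http                       # header ACLs need HTTP mode

    # Exact host names, case-insensitive (-i). hdr(host) compares the
    # whole header value, so "foo.bar.com:80" is not equal to
    # "foo.bar.com"; the hdr_beg line covers the explicit-port form.
    acl bad_host hdr(host)     -i foo.bar.com foo2.bar.com
    acl bad_host hdr_beg(host) -i foo.bar.com: foo2.bar.com:

    # Domain suffix: any host name ending in .bad.example (constructed)
    acl bad_host hdr_end(host) -i .bad.example

    # Source addresses allowed through despite a bad_host match
    # (constructed test client and test network)
    acl test_client src 192.0.2.10 198.51.100.0/24

    # Several "acl" lines with the same name are ORed together;
    # conditions on the "block" line are ANDed, "!" negates.
    block if bad_host !test_client

    default_backend apache          # hypothetical backend name
```

Running `haproxy -c -f <file>` checks the configuration for syntax errors before it is loaded.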