On Tue, Jun 14, 2011 at 10:41 PM, Willy Tarreau <w#1wt.eu> wrote:
> On Tue, Jun 14, 2011 at 04:43:47PM -0700, John Fieber wrote:
>> I want to create an ACL based on X-Forwarded-For:
>>
>> acl whitelist hdr_ip(X-Forwarded-For) -f whitelist.txt
>> block unless whitelist
>>
>> Which is just grand, EXCEPT I'm only interested in (and trust) the last address in the X-Forwarded-For header. The above acl matches any address in the header. I've been digging for a good chunk of the day how to do that and come up empty handed. Help?
>
> Since we have not yet reworked the ACLs to rely on the pattern subsystem,
> it's still not possible to make use of "hdr_ip(X-f-f,-1)" as we do on the
> "balance" or "source" keywords.
Could I get clarification on this thread? If a request comes in with
XFF looking like:
X-Forwarded-For: 8.8.8.8, 10.114.102.96, 174.129.82.0, 10.71.74.198
and I have an acl in my frontend
acl bad_guys_ip hdr_ip(X-Forwarded-For) -f /etc/haproxy/block_ip.txt
will bad_guys_ip be set if block_ip.txt contains:
- 8.8.8.8
OR
- 174.129.82.0
OR
- both?
>
> One thing you could do, despite not being very good, is to remove all
> occurrences of values in the header. Basically, remove everything from
> the first char to the last comma :
>
> reqirep ^(X-Forwarded-For:\ ).*,([^,]*) \1\2
>
> Then your ACL could match based on what is left in this header.
>
> Regards,
> Willy
>
Received on 2011/08/31 00:37
This archive was generated by hypermail 2.2.0 : 2011/08/31 00:45 CEST
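The behaviour asked about above (does `hdr_ip(X-Forwarded-For)` match any value in the header, and what does Willy's `reqirep` leave behind) can be checked with a small emulation. This is an added example, not code from the thread or from HAProxy: the sample header values, the whitelist entry 203.0.113.7 and the function names are constructed for illustration. It also shows the security point behind the question: if an ACL matches any address in X-Forwarded-For, a client can put a whitelisted address into the header itself, whereas only the value appended by the trusted proxy in front of HAProxy (the rightmost one) is worth trusting.

```python
import re

# Constructed sample X-Forwarded-For values (not from the original thread).
# The rightmost address is the one appended by the proxy directly in front
# of HAProxy; everything to its left came from the client or earlier hops
# and can be forged by the client.
SAMPLE_XFF = {
    "honest": "8.8.8.8, 10.114.102.96, 174.129.82.0, 10.71.74.198",
    # The client injects a whitelisted address as the first XFF value.
    "spoofed": "203.0.113.7, 10.71.74.198",
}

# Constructed whitelist, standing in for whitelist.txt in the thread.
WHITELIST = {"203.0.113.7"}


def xff_values(header):
    """Split a comma-separated X-Forwarded-For value into its addresses."""
    return [v.strip() for v in header.split(",") if v.strip()]


def acl_hdr_ip_any(header, addresses):
    """Emulate `acl x hdr_ip(X-Forwarded-For) -f file`: true if ANY value matches."""
    return any(v in addresses for v in xff_values(header))


def acl_hdr_ip_last(header, addresses):
    """Match only the rightmost value, i.e. what hdr_ip(X-Forwarded-For,-1) selects."""
    values = xff_values(header)
    return bool(values) and values[-1] in addresses


# Willy's workaround, as posted: drop everything from the first character of the
# value up to the last comma. In HAProxy the match is a POSIX extended regex over
# the whole header line and the replacement string rebuilds the line from the
# captured groups; Python's re.sub behaves the same for this pattern because the
# pattern consumes the line to its end.
REQIREP = re.compile(r"^(X-Forwarded-For:\ ).*,([^,]*)")


def reqirep_keep_last(header_line):
    """Apply `reqirep ^(X-Forwarded-For:\\ ).*,([^,]*) \\1\\2` to one header line."""
    return REQIREP.sub(r"\1\2", header_line)


def whitelist_decision(header):
    """Return (any-value match, last-value match, match after the reqirep rewrite)."""
    line = "X-Forwarded-For: " + header
    rewritten_value = reqirep_keep_last(line).split(":", 1)[1]
    return (
        acl_hdr_ip_any(header, WHITELIST),
        acl_hdr_ip_last(header, WHITELIST),
        acl_hdr_ip_any(rewritten_value, WHITELIST),
    )


if __name__ == "__main__":
    for name, header in SAMPLE_XFF.items():
        print(name, whitelist_decision(header))
```

With the constructed inputs, the "spoofed" request is accepted by the any-value ACL but rejected both by last-value matching and after the `reqirep` rewrite, which is why the original poster only wants to trust the last address. Two caveats a deployment should keep in mind: this only helps when HAProxy sits behind a proxy that always appends its own hop, since a client connecting directly controls the entire header and `src` should be used instead; and later HAProxy releases (1.5 onward) accept `hdr_ip(X-Forwarded-For,-1)` directly in ACLs, so the header rewrite is only needed on versions of the era of this thread.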