Re: DNS names instead of IP for acls such as hdr_ip

From: Willy Tarreau <>
Date: Thu, 22 Dec 2011 07:24:14 +0100

Hello Mitchell,

On Wed, Dec 21, 2011 at 02:42:49PM -0600, Gerdisch, Mitchell R (Mitchell) wrote:
> It appears that I can successfully use DNS names in the haproxy.cfg file such as in:
> acl valid_sources hdr_ip(X-Forwarded-For)
> (where resolves to a single IP address, say,
> But if I update the DNS entry for to say,, I can't see any way to get haproxy to discover the new IP address.
> The DNS TTL is 5 minutes, and I restarted haproxy after I was sure the haproxy server's DNS cache had expired and haproxy was still fixated on the address.

Haproxy resolves DNS entries once during config parsing and that's all. After that, since it's supposed to be chrooted, it doesn't have any access to the system files, so it wouldn't be able to update this info anyway.

That said, there are people who are embarrassed with this, eg in EC2 where you can't keep your servers' address between reboots. So we're thinking about adding a simple DNS resolver which would update servers address during health checks. That would not solve your need for ACLs or things like this, which would possibly require a DNS lookup for each ACL*header*request but it would still be an improvement.

> So, is there something I'm missing?
> Or do I need to just use IP addresses?

If you're using hdr_ip(), then only IP addresses will be parsed in headers, and the IPs to match against will only be resolved on startup. And this is probably going to stay that way for quite some time, considering that some people put up to hundreds of thousands of IP addresses in their ACLs, we will certainly not try to update all of them !

The main problem with using DNS for such things is that you have to make a lot of lookups for nothing, because basically one entry changes for a million lookups. This is a total waste of resource especially on the DNS server. All that to simulate event-based changes (because the DNS does not change by itself, something is making it change) ! What I would like to provide instead is the ability to add/remove ACLs from the command line. It would be much better, because you would be able to replace your ACL with the new IP address when you know/suspect something has changed. And for the rare cases where you have no way to know, it would not be difficult to run a script to periodically feed DNS updates this way.

Willy Received on 2011/12/22 07:24

This archive was generated by hypermail 2.2.0 : 2011/12/22 07:30 CET