Apply an ACL without reloading the whole configuration

I was looking this afternoon for some workaround in a web environment that would let me modify an ACL (add or delete an IP) without reloading the whole configuration, when I luckily found haproxy!

Thierry FOURNIER told us about this workaround here. He suggests combining an ACL that matches integers with data fetched from a map file.

frontend input-pool 0.0.0.0:8080
        default_backend output-pool
        ....
        acl abuser src,map_ip_int(/etc/haproxy/abusers.lst,0) -m int eq 1
        http-request tarpit if abuser

backend output-pool 0.0.0.0:8080
        balance roundrobin
        server  app1_1 :81 cookie app1inst1 check inter 2000 rise 2 fall 5
        server  app1_2 :80 cookie app1inst2 check inter 2000 rise 2 fall 5

Finally, we have to enable the stats socket (a stats socket /tmp/haproxy line in the global section) and launch these commands:

## Block http requests from 127.0.0.1 (key 127.0.0.1, value 1)
echo "add map /etc/haproxy/abusers.lst 127.0.0.1 1" | socat - unix:/tmp/haproxy
## Allow http requests from 127.0.0.1 again ("del map" takes only the key and removes every entry with it)
echo "del map /etc/haproxy/abusers.lst 127.0.0.1" | socat - unix:/tmp/haproxy
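As an added example (not from the original post), here are the block and unblock commands above wrapped in POSIX sh helpers that validate the key before anything is written to the admin socket, and that query "show map" first so a repeated block does not append a duplicate entry. The socket path /tmp/haproxy, the map path and the use of socat are the post's; the helper names and the usage convention are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: helpers around the
# "add map" / "del map" runtime commands shown above.
HAPROXY_SOCK=/tmp/haproxy
ABUSERS_MAP=/etc/haproxy/abusers.lst

# valid_ipv4 IP: accept only a dotted quad with each octet in 0..255, so
# only a well-formed key (never an extra word or line) reaches the socket.
valid_ipv4() {
    ip=$1
    case "$ip" in
        *[!0-9.]*|.*|*.|*..*|'') return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# map_cmd block|unblock IP: print the runtime API line for that action.
# "del map" takes only the key; every entry with that key is removed.
map_cmd() {
    action=$1; ip=$2
    valid_ipv4 "$ip" || { echo "map_cmd: invalid IPv4 address: $ip" >&2; return 1; }
    case "$action" in
        block)   printf 'add map %s %s 1\n' "$ABUSERS_MAP" "$ip" ;;
        unblock) printf 'del map %s %s\n'   "$ABUSERS_MAP" "$ip" ;;
        *)       echo "map_cmd: unknown action: $action" >&2; return 1 ;;
    esac
}

# hap_send: pipe stdin to the stats socket (needs socat, as in the post).
hap_send() { socat - "unix-connect:$HAPROXY_SOCK"; }

# is_blocked IP: "show map" prints one "<id> <key> <value>" line per entry.
is_blocked() {
    printf 'show map %s\n' "$ABUSERS_MAP" | hap_send \
        | awk -v ip="$1" '$2 == ip && $3 == "1" { found = 1 } END { exit !found }'
}

# block_ip: "add map" does not deduplicate, so check before adding.
block_ip()   { is_blocked "$1" || map_cmd block "$1" | hap_send; }
unblock_ip() { map_cmd unblock "$1" | hap_send; }

# usage: sh abuser.sh block 192.0.2.10 (only acts when arguments are given)
case "${1-}" in
    block|unblock) "${1}_ip" "$2" ;;
esac
```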

Another useful command:

echo "show stat" | socat unix-connect:/tmp/haproxy stdio

I attached to this post a little gif of my testing this behavior in my Vagrant lab.
(Round-robin balancing is defined in a VirtualBox instance running Ubuntu 14 LTS; haproxy opens a socket on 127.0.0.1:8080 and balances HTTP requests to 127.0.0.1:81 and 127.0.0.1:80.)
(gif: demo acl dynamic map)

Useful tool, Socat
