Apply an ACL change without reloading the whole configuration

This afternoon I was looking for a way, in a web environment, to modify an ACL (add or delete an IP) without reloading the whole configuration, and I was lucky enough to find that HAProxy already supports it.

Thierry FOURNIER described this workaround here. He suggests combining an ACL that matches integers with a lookup in a map file: the client IP is looked up in the map, and the integer returned (1 for listed IPs, the default 0 otherwise) is what the ACL tests.

frontend input-pool
        default_backend output-pool
        # map_ip_int looks the client IP (src) up in the map file and returns
        # the mapped integer; 0 is the default when the IP is not listed, so
        # only IPs mapped to 1 match the ACL and get tarpitted
        acl abuser src,map_ip_int(/etc/haproxy/abusers.lst,0) -m int eq 1
        http-request tarpit if abuser

backend output-pool
        balance roundrobin
        server  app1_1 :81 cookie app1inst1 check inter 2000 rise 2 fall 5
        server  app1_2 :80 cookie app1inst2 check inter 2000 rise 2 fall 5

Finally, we have to enable the stats socket in the global section (the socket used below is /tmp/haproxy, and `add map`/`del map` need it declared with admin level, i.e. `stats socket /tmp/haproxy level admin`), create the map file (it may be empty) before starting HAProxy, and then run these commands:

## Block HTTP requests from <client-ip> (the IP is missing from the original post;
## the syntax is "add map <file> <key> <value>")
echo "add map /etc/haproxy/abusers.lst <client-ip> 1" | socat - unix:/tmp/haproxy
## Allow HTTP requests from <client-ip> again ("del map <file> <key>")
echo "del map /etc/haproxy/abusers.lst <client-ip>" | socat - unix:/tmp/haproxy

These commands only change the map that HAProxy holds in memory; nothing is written back to abusers.lst, so after the next reload the contents of the file win. If a block must survive a reload, update the file as well.

Another useful command is:

echo "show stat"| socat unix-connect:/tmp/haproxy stdio
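The same runtime-socket procedure driven from Python, as an added example (this is not code from the original post or from HAProxy). It assumes the post's setup: a `stats socket /tmp/haproxy level admin` line in the global section and the ACL `src,map_ip_int(/etc/haproxy/abusers.lst,0) -m int eq 1`, so that a map value of 1 for the client IP means tarpit. The extra point it makes is the one a web front-end for this feature needs: the runtime API is line-oriented and also accepts `;` as a command separator, so the IP coming from a form must be validated before it is interpolated into `add map`, otherwise `1.2.3.4 1; clear map /etc/haproxy/abusers.lst` would run a second command. The `show map` parser expects HAProxy's `<id> <key> <value>` lines; the sample reply in the usage is constructed.

```python
#!/usr/bin/env python3
"""Drive the HAProxy runtime socket from Python instead of echo | socat.

Added example, not code from the original post or from HAProxy. Assumes:
  - global section contains:  stats socket /tmp/haproxy level admin
  - the ACL:  acl abuser src,map_ip_int(/etc/haproxy/abusers.lst,0) -m int eq 1
    so a map value of 1 for the client IP means "tarpit", anything else passes.
"""
import ipaddress
import socket

SOCKET_PATH = "/tmp/haproxy"           # socket path used in the post
MAP_FILE = "/etc/haproxy/abusers.lst"  # map file referenced by the ACL


def validate_key(key: str) -> str:
    """Return the key in canonical form, or raise ValueError.

    The runtime API is line-oriented and also accepts ';' as a command
    separator, so a key copied straight from a web form such as
    "1.2.3.4 1; clear map /etc/haproxy/abusers.lst" would inject a second
    command.  Only a single IP address or a CIDR network is let through.
    """
    key = key.strip()
    try:
        return str(ipaddress.ip_address(key))
    except ValueError:
        pass
    # map_ip_int keys may also be networks; strict=True rejects host bits set
    return str(ipaddress.ip_network(key, strict=True))


def block_cmd(key: str) -> str:
    """Command that makes the ACL match (map value 1 -> tarpit)."""
    return f"add map {MAP_FILE} {validate_key(key)} 1"


def unblock_cmd(key: str) -> str:
    """Command that removes the entry, so map_ip_int falls back to 0."""
    return f"del map {MAP_FILE} {validate_key(key)}"


def show_cmd() -> str:
    """Command that dumps the current in-memory contents of the map."""
    return f"show map {MAP_FILE}"


def send(cmd: str, path: str = SOCKET_PATH, timeout: float = 2.0) -> str:
    """Send one command to the runtime socket and return the raw reply.

    HAProxy closes the connection after answering a non-interactive command,
    so reading until EOF collects the whole reply.
    """
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(path)
        s.sendall((cmd + "\n").encode())
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode(errors="replace")


def parse_show_map(reply: str) -> dict:
    """Parse `show map <file>` output ("<id> <key> <value>" per line) into {key: value}."""
    entries = {}
    for line in reply.splitlines():
        fields = line.split()
        if len(fields) == 3:
            entries[fields[1]] = fields[2]
    return entries


def is_blocked(entries: dict, key: str) -> bool:
    """True when the map holds value 1 for exactly this key (no CIDR containment check)."""
    return entries.get(validate_key(key)) == "1"


if __name__ == "__main__":
    import sys
    # usage: abusers.py block|unblock <ip-or-cidr>   (needs a running HAProxy)
    action, key = sys.argv[1], sys.argv[2]
    cmd = {"block": block_cmd, "unblock": unblock_cmd}[action](key)
    print(send(cmd))
    print(parse_show_map(send(show_cmd())))
```

Validation happens in `validate_key` before any string is built, so an entry that is not an address or a network never reaches the socket; the socket itself should also stay out of reach of the web application's user, since with `level admin` anyone who can write to it can clear the map or disable servers.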

I attached to this post a little GIF of my test of this behavior in my Vagrant lab (round-robin balancing is defined on a VirtualBox instance running Ubuntu 14 LTS; HAProxy opens the stats socket at /tmp/haproxy and balances the HTTP requests between the two backend servers).
(GIF: demo ACL dynamic map)

Useful tool: socat
