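This afternoon I was looking for a workaround in a web environment that would let me modify an ACL (add or delete an IP) without reloading the whole configuration, and with some luck I found one in haproxy!
Thierry FOURNIER describes this workaround here. He suggests combining an ACL that matches integers with data fetched from a map file. In the configuration below, the map_ip_int converter looks up the client address (src) in the map file and returns the integer stored for it, or the default 0 when there is no entry; the abuser ACL matches when that integer equals 1.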
    frontend input-pool 0.0.0.0:8080
        default_backend output-pool
        ....
        acl abuser src,map_ip_int(/etc/haproxy/abusers.lst,0) -m int eq 1
        http-request tarpit if abuser

    backend output-pool 0.0.0.0:8080
        balance roundrobin
        server app1_1 :81 cookie app1inst1 check inter 2000 rise 2 fall 5
        server app1_2 :80 cookie app1inst2 check inter 2000 rise 2 fall 5
Finally, we have to enable the stats socket file and then launch these commands:
    ## Block http request from 127.0.0.1
    echo "add map /etc/haproxy/abusers.lst 127.0.0.1 1" | socat - unix:/tmp/haproxy
    ## Allow http request from 127.0.0.1
    echo "del map /etc/haproxy/abusers.lst 127.0.0.1 1" | socat - unix:/tmp/haproxy
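An added example (not code from the original post or from the HAProxy project): a POSIX sh wrapper around the two map commands that refuses any key that is not a plain IPv4 address before it reaches the socket, because the runtime API treats ";" and newlines as command separators. The function names are hypothetical, the map and socket paths are the ones used in this post, and only IPv4 keys are handled.

```shell
#!/bin/sh
# Added example: validated wrapper for the "add map"/"del map" runtime commands.
MAP=/etc/haproxy/abusers.lst   # map file referenced by the acl in this post
SOCK=/tmp/haproxy              # stats socket path used in this post

# Return 0 only for a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # empty, bad chars, empty octet
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                                   # split the address on dots
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in 0?*) return 1 ;; esac  # no leading zeros
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the runtime command for "block" or "allow"; fail on anything else.
map_cmd() {
    valid_ipv4 "$2" || { echo "rejected key: not an IPv4 address" >&2; return 1; }
    case "$1" in
        block) printf 'add map %s %s 1\n' "$MAP" "$2" ;;
        allow) printf 'del map %s %s\n' "$MAP" "$2" ;;   # del map takes only the key
        *) echo "usage: block|allow <ipv4>" >&2; return 1 ;;
    esac
}

# Send the command to the stats socket only if it was built successfully.
abuser() {
    cmd=$(map_cmd "$1" "$2") || return 1
    printf '%s\n' "$cmd" | socat - "unix:$SOCK"
}

# Run as: ./abuser.sh block 127.0.0.1   or   ./abuser.sh allow 127.0.0.1
if [ "$#" -eq 2 ]; then abuser "$1" "$2"; fi
```

Runtime map changes exist only in the running process; the file on disk is not rewritten, so an entry must also be written to /etc/haproxy/abusers.lst to survive a reload or restart.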
Also, this is another useful command:

    echo "show stat" | socat unix-connect:/tmp/haproxy stdio
I attached to this post a little GIF showing my test of this behavior in my Vagrant lab.
(Round-robin balancing is defined in a VirtualBox instance running Ubuntu 14 LTS; haproxy opens the socket defined on 127.0.0.1:8080, balancing HTTP requests to 127.0.0.1:81 and 127.0.0.1:80.)
Useful tool, Socat