http://www.ttlsa.com/cluster/haproxy-white-list-settings/


When using haproxy as a TCP proxy, connections from some source IPs need to be restricted. iptables can do this too, but I also looked through the haproxy manual to see whether haproxy itself offers a way to restrict access. To use any application well you have to read its manual thoroughly; the manual is the most authoritative and most detailed reference. Enough preamble, here is how haproxy does it:


Syntax

tcp-request content accept [{if | unless} <condition>]

Sections

    defaults | frontend | listen | backend
       no    |   yes    |  yes   |   no


Description

During TCP content inspection, the connection is immediately validated if the condition is true (when used with "if") or false (when used with "unless"). Most of the time during content inspection, a condition will be in an uncertain state which is neither true nor false. The evaluation immediately stops when such a condition is encountered. It is important to understand that "accept" and "reject" rules are evaluated in their exact declaration order, so that it is possible to build complex rules from them. There is no specific limit to the number of rules which may be inserted.

Note that the "if/unless" condition is optional. If no condition is set on the action, it is simply performed unconditionally.

If no tcp-request content rules are matched, the default action already is "accept". Thus, this statement alone does not bring anything without another reject statement.

Syntax

tcp-request content reject [{if | unless} <condition>]


Sections

    defaults | frontend | listen | backend
       no    |   yes    |  yes   |   no


Description

During TCP content inspection, the connection is immediately rejected if the condition is true (when used with "if") or false (when used with "unless"). Most of the time during content inspection, a condition will be in an uncertain state which is neither true nor false. The evaluation immediately stops when such a condition is encountered. It is important to understand that "accept" and "reject" rules are evaluated in their exact declaration order, so that it is possible to build complex rules from them. There is no specific limit to the number of rules which may be inserted.

Note that the "if/unless" condition is optional. If no condition is set on the action, it is simply performed unconditionally.

If no "tcp-request content" rules are matched, the default action is set to "accept".

A configuration example follows. The section table quoted above marks "backend" as "no"; that table comes from an older manual, and current haproxy releases do accept "tcp-request content" rules in a backend, which is where this example places them. The same two rules can equally be put in the frontend, where they apply before any backend is chosen:

global
    log         127.0.0.1 local2
    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn     4000
    user        haproxy
    group       haproxy
    daemon

defaults
    mode        http
    log         global
    option      dontlognull
    option      httpclose
    #option      httplog
    option      tcplog
    #option      forwardfor
    option      redispatch
    timeout connect 10000 # 10 seconds (in ms) to establish the connection to a server
    timeout client 300000
    timeout server 300000
    maxconn     60000
    retries     3

frontend tcp-2013-front
    bind *:2013
    mode tcp
    default_backend     tcp-2013-back

backend tcp-2013-back
    mode tcp
    balance leastconn
    # accept the connection when the client address is in the whitelist file;
    # everything that does not match falls through to the unconditional reject
    tcp-request content accept if { src -f /usr/local/haproxy/white_ip_list }
    tcp-request content reject
    server tcp-2013 10.1.27.20:2013

The file /usr/local/haproxy/white_ip_list holds one entry per line, either a single IP address or a network in CIDR notation, e.g. 192.168.1.0/24. haproxy reads the file when it starts, so after editing it validate the configuration with "haproxy -c -f <config file>" and reload for the change to take effect. Keep in mind that "src" is the address of the peer that opened the TCP connection: if another proxy or a NAT device sits in front of haproxy, that device's address is what gets matched, not the real client's.
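The script below is an added example, written for this page; it is not code from the original post and not part of haproxy. It mimics the two things the text relies on, the pattern file behind "src -f" (one address or CIDR block per line, blank lines and lines starting with "#" ignored) and the in-order evaluation of "tcp-request content" rules with "accept" as the default, so you can check a whitelist and a rule order offline before a reload. The whitelist contents and client addresses are constructed for the example; the real file is /usr/local/haproxy/white_ip_list.

```python
"""Offline check of an haproxy-style IP whitelist and tcp-request rule order.

Added example, not code from the original post or from haproxy. It models:

  * the `src -f <file>` pattern file: one IPv4/IPv6 address or CIDR block per
    line, blank lines and lines starting with '#' ignored, a client matching
    when its source address lies inside any entry;
  * tcp-request rule evaluation: rules run in declaration order, the first
    rule whose condition holds decides, and the default with no match is
    accept.
"""
import ipaddress


def load_whitelist(text):
    """Parse the contents of a whitelist file into ip_network objects.

    A line that is not an address or CIDR block raises ValueError with its
    line number; haproxy would refuse such an entry at startup, so catching
    it here happens before a reload rather than after one.
    """
    networks = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            # strict=False tolerates host bits set in a block, e.g. 10.1.27.20/24
            networks.append(ipaddress.ip_network(line, strict=False))
        except ValueError as exc:
            raise ValueError(f"white list line {lineno}: {line!r}: {exc}") from None
    return networks


def src_in(networks):
    """Condition equivalent to the ACL `src -f <file>` for a parsed file."""
    def condition(client_ip):
        ip = ipaddress.ip_address(client_ip)
        # an IPv4 address is never inside an IPv6 block and vice versa
        return any(ip in net for net in networks)
    return condition


def evaluate(rules, client_ip):
    """Evaluate tcp-request rules in order for one client address.

    rules is a list of (action, condition); condition None means the rule
    has no if/unless clause and always fires.  Returns "accept" or "reject".
    """
    for action, condition in rules:
        if condition is None or condition(client_ip):
            return action
    return "accept"  # haproxy's default when no rule matched


# constructed sample of /usr/local/haproxy/white_ip_list
WHITE_IP_LIST = """\
# office network, the backend host itself, and a documentation IPv6 prefix
192.168.1.0/24
10.1.27.20
2001:db8::/32
"""


def decide(client_ip, whitelist_text=WHITE_IP_LIST):
    """The rule pair from the post: accept if whitelisted, else reject."""
    allowed = src_in(load_whitelist(whitelist_text))
    return evaluate([("accept", allowed), ("reject", None)], client_ip)


def decide_accept_only(client_ip, whitelist_text=WHITE_IP_LIST):
    """The accept rule alone: without a reject it changes nothing."""
    allowed = src_in(load_whitelist(whitelist_text))
    return evaluate([("accept", allowed)], client_ip)


def decide_reject_first(client_ip, whitelist_text=WHITE_IP_LIST):
    """Same two rules in the wrong order: the unconditional reject wins."""
    allowed = src_in(load_whitelist(whitelist_text))
    return evaluate([("reject", None), ("accept", allowed)], client_ip)


if __name__ == "__main__":
    for client in ("192.168.1.77", "10.1.27.20", "192.168.2.1", "2001:db8:1::5"):
        print(f"{client:>16}  accept+reject={decide(client):6}  "
              f"accept only={decide_accept_only(client):6}  "
              f"reject first={decide_reject_first(client)}")
```

Running it shows the three points worth remembering: a client inside any listed block is accepted and everyone else is rejected; the accept rule on its own accepts everybody, since accept is already the default; and putting the unconditional reject first rejects even whitelisted clients, because the first matching rule ends evaluation.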