IP Masking in HAProxy

blog20190314-01.sh

Feb 8 20:51:28 server1 haproxy[4718]: 192.168.50.5 [08/Feb/2019:20:51:28.816] website~ servers/server1 0/0/0/1/1 304 180 - - ---- 1/1/0/1/0 0/0 "GET / HTTP/1.1"

blog20190314-02.cfg

frontend website
    bind :80

    # Mask the last octet of the IP
    http-request set-src src,ipmask(24)

blog20190314-03.sh

Feb 8 20:51:28 server1 haproxy[4718]: 192.168.50.0 [08/Feb/2019:20:51:28.816] website~ servers/server1 0/0/0/1/1 304 180 - - ---- 1/1/0/1/0 0/0 "GET / HTTP/1.1"

blog20190314-04.cfg

# Masks the last three octets
http-request set-src src,ipmask(8)

blog20190314-05.sh

Feb 8 20:53:13 server1 haproxy[4718]: 192.0.0.0 [08/Feb/2019:20:53:13.635] website~ servers/server1 0/0/0/1/1 304 180 - - ---- 1/1/0/1/0 0/0 "GET / HTTP/1.1"

blog20190314-06.cfg

http-request set-src src,ipmask(24)
http-request deny if { src 192.168.50.5 }

blog20190314-07.cfg

http-request deny if { src 192.168.50.5 }
http-request set-src src,ipmask(24)

blog20190314-08.cfg

acl blacklisted src 192.168.50.5
http-request set-src src,ipmask(24)
http-request deny if blacklisted

blog20190314-09.cfg

frontend website
    bind :80

    # Store the masked IP in a variable
    http-request set-var(txn.src_masked) src,ipmask(24)

    # Use a log-format that logs 'src_masked'
    log-format "%[var(txn.src_masked)]:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r"

    # Other actions can use the true IP
    http-request deny if { src 192.168.50.5 }
    default_backend servers

blog20190314-10.cfg

frontend website
    bind :80
    bind :::80
    http-request set-var(txn.src_masked) src,ipmask(24,64)
    log-format "%[var(txn.src_masked)] [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r"
    default_backend servers

blog20190314-11.sh

Feb 11 21:48:39 server1 haproxy[5623]: fe80:: [11/Feb/2019:21:48:39.131] website servers/server1 0/0/0/3/3 304 180 - - ---- 1/1/0/1/0 0/0 "GET / HTTP/1.1"