IP Masking in HAProxy
```
Feb 8 20:51:28 server1 haproxy[4718]: 192.168.50.5 [08/Feb/2019:20:51:28.816] website~ servers/server1 0/0/0/1/1 304 180 - - ---- 1/1/0/1/0 0/0 "GET / HTTP/1.1"
```
```
frontend website
    bind :80
    # Mask the last octet of the IP
    http-request set-src src,ipmask(24)
```
```
Feb 8 20:51:28 server1 haproxy[4718]: 192.168.50.0 [08/Feb/2019:20:51:28.816] website~ servers/server1 0/0/0/1/1 304 180 - - ---- 1/1/0/1/0 0/0 "GET / HTTP/1.1"
```
```
# Masks the last three octets
http-request set-src src,ipmask(8)
```
```
Feb 8 20:53:13 server1 haproxy[4718]: 192.0.0.0 [08/Feb/2019:20:53:13.635] website~ servers/server1 0/0/0/1/1 304 180 - - ---- 1/1/0/1/0 0/0 "GET / HTTP/1.1"
```
```
# src is masked to 192.168.50.0 first, so the deny rule below never matches
http-request set-src src,ipmask(24)
http-request deny if { src 192.168.50.5 }
```
```
# The deny rule is checked against the real client IP; src is masked afterwards
http-request deny if { src 192.168.50.5 }
http-request set-src src,ipmask(24)
```
```
# The ACL is evaluated when the deny rule runs, after masking, so it does not match
acl blacklisted src 192.168.50.5
http-request set-src src,ipmask(24)
http-request deny if blacklisted
```
```
frontend website
    bind :80
    # Store the masked IP in a variable
    http-request set-var(txn.src_masked) src,ipmask(24)
    # Use a log-format that logs 'src_masked'
    log-format "%[var(txn.src_masked)]:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r"
    # Other actions can use the true IP
    http-request deny if { src 192.168.50.5 }
    default_backend servers
```
```
frontend website
    bind :80
    bind :::80
    # Mask IPv4 addresses to /24 and IPv6 addresses to /64
    http-request set-var(txn.src_masked) src,ipmask(24,64)
    log-format "%[var(txn.src_masked)] [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r"
    default_backend servers
```
```
Feb 11 21:48:39 server1 haproxy[5623]: fe80:: [11/Feb/2019:21:48:39.131] website servers/server1 0/0/0/3/3 304 180 - - ---- 1/1/0/1/0 0/0 "GET / HTTP/1.1"
```
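The following Python model is an added example, not part of the original gist or of HAProxy's code. It reproduces the masked addresses in the logs above and shows how the position of the mask relative to the `deny` rule changes both the verdict and the logged address. The function names, the rule tuples and the IPv6 client address are assumptions constructed for illustration.

```python
import ipaddress

def ipmask(addr, v4_bits=24, v6_bits=64):
    """Zero the host bits of addr, modelling src,ipmask(24,64) from the config above."""
    ip = ipaddress.ip_address(addr)
    bits = v4_bits if ip.version == 4 else v6_bits
    net = ipaddress.ip_network(f"{ip}/{bits}", strict=False)
    return str(net.network_address)

def run_frontend(rules, client_ip, acls=None):
    """Walk http-request rules in order; return (verdict, address that gets logged)."""
    acls = acls or {}
    src, masked_var = client_ip, None
    for action, arg in rules:
        if action == "set-src":
            src = ipmask(src, *arg)          # every later rule now sees the masked src
        elif action == "set-var":
            masked_var = ipmask(src, *arg)   # src itself stays intact
        elif action == "deny":
            wanted = acls.get(arg, arg)      # a named ACL is only evaluated here, at use
            if src == wanted:
                return "deny", masked_var or src
    return "allow", masked_var or src

BLOCKED = "192.168.50.5"
MASK = (24, 64)
# Hypothetical encodings of the four rule orderings shown in the snippets above.
MASK_THEN_DENY = [("set-src", MASK), ("deny", BLOCKED)]
DENY_THEN_MASK = [("deny", BLOCKED), ("set-src", MASK)]
ACL_THEN_MASK = [("set-src", MASK), ("deny", "blacklisted")]
VAR_THEN_DENY = [("set-var", MASK), ("deny", BLOCKED)]

if __name__ == "__main__":
    layouts = {
        "mask, then deny": MASK_THEN_DENY,
        "deny, then mask": DENY_THEN_MASK,
        "named ACL, mask, deny": ACL_THEN_MASK,
        "set-var, then deny": VAR_THEN_DENY,
    }
    for name, rules in layouts.items():
        print(name, run_frontend(rules, BLOCKED, {"blacklisted": BLOCKED}))
    # Constructed IPv6 link-local client address
    print(ipmask("fe80::a00:27ff:fe4e:66a1"))
```

In the deny-then-mask layout the denied request is logged with the full client IP, because the `deny` ends rule processing before `set-src` runs; the `set-var` layout blocks on the real address and still logs only the masked one.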