tl;dr: Don't just test a whitelist based on an initial pass/fail. An update to that whitelist, or the addition of a single parameter to a use_backend statement, can cause a routing mess.
I don't normally say things like "the right way", but in this case attention to detail is almost always the right way. We had two use_backend statements in haproxy, shown below, where an IP address that wasn't in the whitelist would be routed straight to production. The proposed fix for this meant that traffic in the whitelist would always be routed to production, which is the opposite of what I believe was intended in both cases.
use_backend b1 if host-site worldpay_callback worldpay_whitelist worldpay_env_dev worldpay_auth
use_backend b2 if host-site worldpay_callback worldpay_whitelist worldpay_env_prd worldpay_auth
This works: you can put whitelist evaluation in a use_backend statement, but if it's nested inside a larger scope and the logic falls through, it's going to bite you. Troubleshooting this par