frontend main_ssl
    bind *:443
    mode tcp
    option tcplog
    # Wait for a client hello for at most 5 seconds
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    use_backend cloud_ssl if { req_ssl_sni -i cloud.example.com }
    use_backend rproxy_ssl if { req_ssl_sni -i assets.example.com }
    use_backend rproxy_ssl if { req_ssl_sni -i support.example.com }
    use_backend manage_ssl if { req_ssl_sni -i management.example.com }

backend cloud_ssl
    mode tcp
    balance roundrobin
    server cloud_ssl_server 10.10.5.8:443 check

backend rproxy_ssl
    mode tcp
    balance roundrobin
    server rpoxy_ssl_server 10.10.5.40:443 check

backend manage_ssl
    mode tcp
    balance roundrobin
    server manage_ssl_server 10.10.5.2:443 check
Is it possible to get ‘manage_ssl’ to block all IP addresses except for a small collection in a file or such?
I know that there is some documentation and quite a few Stack Overflow posts but I seem to be lacking an understanding of the syntax / format that this stuff needs to be in.
And no, I can’t just block at the whole proxy level, nor can I do it at the firewall level. The other sites have to be reachable by all users, it’s just one domain that needs to be blocked and IPs whitelisted for.
In your frontend have something like
acl is_whitelisted src -f /etc/hapee-2.6/ipwhitelists/mywhitelist
mywhitelist would contain a cidr or list of cidrs
xxx.xxx.xxx.xxx/32
xxx.xxx.xxx.xxx/32
and then you’d have
use_backend rproxy_ssl if is_whitelisted
So I don’t need to do an && statement or something?
I can just do
use_backend manage_ssl if is_whitelisted
use_backend manage_ssl if { req_ssl_sni -i management.example.com }
or would I have to do something like
use_backend manage_ssl if { req_ssl_sni -i management.example.com } && if is_whitelisted
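Added example, not from either poster: the frontend from the original question combined with the file-based allow list from the reply. HAProxy expresses AND implicitly by listing ACL names on one line (OR is `||` or `or`, negation is `!`), so no `&&` is needed. Two things are assumptions of this example rather than something the thread states: the file path `/etc/haproxy/manage_whitelist.lst`, and the explicit `reject` rule, which is added so that management connections from non-listed sources are dropped and logged instead of silently falling through with no matching backend.

```haproxy
frontend main_ssl
    bind *:443
    mode tcp
    option tcplog
    # Wait for a client hello for at most 5 seconds
    tcp-request inspect-delay 5s

    # Source-IP allow list for the management site, one CIDR per line.
    # Path is an assumption for this example; the reply used
    # /etc/hapee-2.6/ipwhitelists/mywhitelist.
    acl is_whitelisted src -f /etc/haproxy/manage_whitelist.lst
    acl sni_manage     req_ssl_sni -i management.example.com

    # Drop management connections from sources not in the list.
    # This rule must come BEFORE the "accept" below: "accept" ends
    # tcp-request content processing, so a reject placed after it
    # would never be evaluated.
    tcp-request content reject if sni_manage !is_whitelisted
    tcp-request content accept if { req_ssl_hello_type 1 }

    # AND is implicit: both ACLs on this line must match.
    use_backend manage_ssl if sni_manage is_whitelisted
    use_backend cloud_ssl  if { req_ssl_sni -i cloud.example.com }
    use_backend rproxy_ssl if { req_ssl_sni -i assets.example.com }
    use_backend rproxy_ssl if { req_ssl_sni -i support.example.com }

# The backends from the original question are unchanged.
backend manage_ssl
    mode tcp
    balance roundrobin
    server manage_ssl_server 10.10.5.2:443 check
```

The allow-list file holds one network per line, for example (constructed values from the documentation ranges) `203.0.113.0/24` and `198.51.100.7/32`; it is read when HAProxy starts, so a reload is needed after editing it. Two caveats when checking that this actually restricts access: `src` is the address of the TCP peer, so if HAProxy sits behind another load balancer or NAT device every connection will appear to come from that device unless the PROXY protocol is used on the bind line; and because this is TLS passthrough in `mode tcp`, the decision is made on the unencrypted SNI field of the ClientHello only, which is why the inspect delay and the `req_ssl_hello_type 1` accept have to stay.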