我想在 haproxy ACL 中定义 OpenVpn 网络。 OpenVPN 服务器和 haproxy 运行在同一台服务器 (XXXX/32) 上。是否可以在 haproxy 中设置仅允许来自 OpenVPN 网络的请求?我尝试过类似的方法,但它不起作用:
acl vpnnetwork src 10.10.0.0/16
提前致谢
我附上我的 OpenVPN conf 文件:
port 1194
proto udp6
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh.pem
crl-verify /etc/openvpn/keys
crl-verify /etc/openvpn/keys/ca-crl.pem
tls-auth /etc/openvpn/keys/ta.key 0
tls-server
auth SHA256
cipher AES-256-CBC
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384:TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
client-to-client
server 10.10.0.0 255.255.0.0
ifconfig-pool-persist ipp.txt
keepalive 5 30
persist-key
persist-tun
user nobody
group nogroup
status openvpn-status.log
status-version 1
log-append /var/log/openvpn.log
verb 3
答案1
这是我的 haproxy cfg 对我有用:
frontend http_in
mode http
option httplog
bind *:80
option forwardfor
http-request deny if !{ src 10.10.0.0/16 }
acl discourse_acl hdr(host) -i discourse.test.com
use_backend discourse_http if discourse_acl
backend discourse_http
mode http
option httplog
option forwardfor
server discourse_server 10.115.0.2:8080
域名discourse.test.com需要指向10.10.0.1(来自VPN网络的IP)并且haproxy应该重新加载。如果我连接到 VPN,则discourse.test.com:80可以正常工作,如果没有 VPN,我将无法浏览discourse.test.com。