我是 HAProxy 新手。我想限制所有人访问子 URL,但不限制少数 IP 的访问。我的 HAProxy 实现如下,它不会阻止任何 IP/URL
# Listen to port 80. Throw a 301 redirect to port 443
frontend Listen80
bind *:80
redirect scheme https code 301 if !{ ssl_fc }
# List to port 443. Redirect to appropriate backend based on URL
frontend Listen443
bind *:443 ssl crt /etc/ssl/certs/examplesslpem %>
acl web_url path_beg /abc /xyz
acl web_url path_beg /efg /xy
acl batch_url path_beg /h /ga
acl network_allowed src example.xyz.com
acl resticted_pages path_beg /abc/qaz/
http-request allow if resticted_pages network_allowed
use_backend BATCH if batch_url
use_backend SVC if svc_url
use_backend WEB if web_url
# Listen to port 8080. Pass through to WEB backend
frontend Listen8080
bind *:8080
use_backend WEB
backend WEB
mode http
balance roundrobin
option httpclose
cookie SERVERIDWEB insert indirect nocache secure
option forwardfor
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto https if { ssl_fc }
reqrep ^([^\ ]*\ /)abc[/]?(.*) \1\2
server app-1 example-app1.com:8080 check cookie app1web
server app-2 example-app2.com:8080 check cookie app2web
server app-3 example-app3.com:8080 check cookie app3web
server app-4 example-app4.com:8080 check cookie app4web
server app-5 example-app5.com:8080 check cookie app5web
答案1
这肯定不符合你的预期。
http-request allow if resticted_pages network_allowed
默认情况下允许请求。
请http-request allow注意不是的反义词http-request deny。此处,allow表示不处理任何后续http-request指令,而是允许此请求按原样进行。
如果 restricted_pages 为真且 network_allowed 为假,您似乎想要拒绝,如下所示:
http-request deny if restricted_pages !network_allowed
http://cbonte.github.io/haproxy-dconv/1.6/configuration.html#4-http-request
还要注意,这也可能不会达到你想要的效果:
acl network_allowed src example.xyz.com
这会将“示例”主机名解析为 IP 地址启动时。ACL 的行为将如同您在配置中使用了该 IP 地址一样。