HAProxy - option forwardfor except a white-list of networks
I want to use haproxy option forwardfor except network-here
for multiple networks, not just a single one.
I'm looking for something like
option forwardfor except 'multiple networks here'
I tried a few things that didn't work, such as appending the ips to a single forwardfor
command as shown below, which results in a syntax error:
option forwardfor except 127.0.0.0/8 , 1.1.1.1/32, 2.2.2.2/32
I also tried specifying several forwardfor
commands in a row, one per network, as shown below. That doesn't work either, because each forwardfor
command overrides the previous one, so only the last forwardfor
command is taken into account and the rest are ignored, which is not what I'm looking for.
frontend main
bind my-ip-here:5356-60000
mode http
option http_proxy
option forwardfor except 127.0.0.0/8 #local network
option forwardfor except 1.2.3.4/32 #example ip 1
option forwardfor except 5.6.7.8 #example ip 2
option forwardfor except 9.10.11.12/32 #example ip 3
maxconn 950
timeout client 30s
default_backend mybackendserver
How do I forwardfor except multiple networks in haproxy?
I ended up with a somewhat hacky solution; it was not my first choice, but it does what I need. In the haproxy config I use an acl whitelist that contains all the ips I don't want to forward for. If a request comes from an ip that is in the whitelist, haproxy uses a second backend identical to the first one, except that it doesn't forwardfor. I basically moved the forwardfor option into the backend sections instead of the frontend.
So,
frontend main
bind myip:5356-60000
mode http
option http_proxy
maxconn 950
timeout client 30s
acl white_list_noforward src 1.1.1.1 2.2.2.2 3.3.3.3 etc..
#explanation: if the ip is not found in the whitelist, use backend_that_forwards; else, if the ip is in the whitelist, use backend_that_DOESNT_forward
use_backend backend_that_forwards if !white_list_noforward
use_backend backend_that_DOESNT_forward if white_list_noforward
#default to the backend that forwards just in case something goes wrong
default_backend backend_that_forwards
backend backend_that_forwards #forwards client ip
mode http
option forwardfor except 127.0.0.0/8 # <-- THIS forwards the real client ip except 127.0.0.0/8
balance roundrobin
timeout connect 5s
timeout server 5s
server static 127.0.0.1:80 # same server for both backends
backend backend_that_DOESNT_forward #DOES NOT forward the client-ip (No option forwardfor is used here), used to handle all requests coming in from ips that I do not wish to forward for
mode http
balance roundrobin
timeout connect 5s
timeout server 5s
server static 127.0.0.1:80 # same server for both backends
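A more direct way to get the same result, as an added example that is not part of the original question or answer: instead of duplicating the backend, write the header yourself with http-request add-header / set-header (available since haproxy 1.5) guarded by an acl, so the "except" set becomes an ordinary src acl that can hold any number of networks. The backend name app, the placeholder addresses in the acl, and the port range are assumptions for illustration, not taken from the page.

```haproxy
# Added example (not from the original post): single backend, X-Forwarded-For
# written conditionally from the frontend instead of "option forwardfor except".
frontend main
    bind myip:5356-60000
    mode http
    maxconn 950
    timeout client 30s

    # Sources for which haproxy must leave X-Forwarded-For alone
    # (local host plus trusted upstream proxies). Placeholder addresses;
    # a long list can also be loaded from a file with "src -f <file>".
    acl trusted_xff src 127.0.0.0/8 1.1.1.1 2.2.2.2 3.3.3.3

    # Equivalent of "option forwardfor except <every network in trusted_xff>":
    # append the connecting address for everyone who is NOT in the trusted set.
    # "option forwardfor" also appends, so add-header preserves that behaviour.
    http-request add-header X-Forwarded-For %[src] if !trusted_xff

    default_backend app

backend app
    mode http
    balance roundrobin
    timeout connect 5s
    timeout server 5s
    # No "option forwardfor" here; the frontend has already decided per request.
    server static 127.0.0.1:80
```

One caveat worth deciding explicitly: both option forwardfor and add-header append to an X-Forwarded-For header the client may have sent itself, so an untrusted client can still plant a forged first entry that a naive application would read as the "real" address. If that matters, use http-request set-header X-Forwarded-For %[src] if !trusted_xff instead; it overwrites whatever the untrusted client sent, while requests from the trusted_xff set are still passed through untouched, exactly as "except" does.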