HAProxy - Multiple sites, multiple acl's The 2019 Stack Overflow Developer Survey Results Are InNginx/haproxy/IIS - Configuration questions and concernsVarnish before HAProxy seems to reuse (wrong) backend connection503 with Varnish to HAproxymulti-backends haproxy best practicesHAProxy, Varnish and Multiple websites with SSLhaproxy 1.5 specific source IP address show <NOSRV> 503 SC in haproxy logHAproxy health checking multiple sites within a poolRun redundant haproxy with clientcertificate authentication behind physical loadbalancerhaproxy ACL - how to route traffic based on destination port or addressHAProxy reverse proxy - multiple sites

I looked up a future colleague on linkedin before I started a job. I told my colleague about it and he seemed surprised. Should I apologize?

"To split hairs" vs "To be pedantic"

A poker game description that does not feel gimmicky

Inversion Puzzle

Why could you hear an Amstrad CPC working?

Can't find the latex code for the ⍎ (down tack jot) symbol

How are circuits which use complex ICs normally simulated?

What is this 4-propeller plane?

Is bread bad for ducks?

What function has this graph?

Spanish for "widget"

Are there any other methods to apply to solving simultaneous equations?

The difference between dialogue marks

Does duplicating a spell with wish count as casting that spell?

What is the best strategy for white in this position?

In microwave frequencies, do you use a circulator when you need a (near) perfect diode?

How to create dashed lines/arrows in Illustrator

Lethal sonic weapons

Geography at the pixel level

If Wish Duplicates Simulacrum, Are Existing Duplicates Destroyed?

Manuscript was "unsubmitted" because the manuscript was deposited in Arxiv Preprints

What do hard-Brexiteers want with respect to the Irish border?

On the insanity of kings as an argument against Monarchy

Is this food a bread or a loaf?



HAProxy - Multiple sites, multiple acl's



The 2019 Stack Overflow Developer Survey Results Are InNginx/haproxy/IIS - Configuration questions and concernsVarnish before HAProxy seems to reuse (wrong) backend connection503 with Varnish to HAproxymulti-backends haproxy best practicesHAProxy, Varnish and Multiple websites with SSLhaproxy 1.5 specific source IP address show <NOSRV> 503 SC in haproxy logHAproxy health checking multiple sites within a poolRun redundant haproxy with clientcertificate authentication behind physical loadbalancerhaproxy ACL - how to route traffic based on destination port or addressHAProxy reverse proxy - multiple sites



.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty height:90px;width:728px;box-sizing:border-box;








0















We are busy with setting up HAProxy. Almost everything is working, except setting it up without multiple sites with different acl's.



What we want:



Using HAProxy with multiple sites, all on the same IP, all with the same backends but with different IP Blockings/Username-Password protection.



What we have working:



Get incoming traffic to backend (with an acl to use https instead of http).



The situation without haproxy/varnish:



Now, we are using apache to handle the acl (allow,deny ip's and use username-password protection).



We tried to capture this through X-Forwarded-For inside apache. However, the web servers themselves can no longer communicate with each other. We had to remove the allow role for the subnet (loadbalancer and webserver are in the same subnet). With this allow, apache don't look at the x-forward-header, and will allow all traffic. Without it, the webservers cannot communicate with each other.



Does anyone have an example or mindset for us to get there?



Now: internet->firewall->apache



What we want: internet->firewall->haproxy(ssl offloading)->varnish->apache (haproxy and varnish running on the same machine)






apache-2.4 haproxy access-control-list blocking







share|improve this question






























    0















    We are busy with setting up HAProxy. Almost everything is working, except setting it up without multiple sites with different acl's.



    What we want:



    Using HAProxy with multiple sites, all on the same IP, all with the same backends but with different IP Blockings/Username-Password protection.



    What we have working:



    Get incoming traffic to backend (with an acl to use https instead of http).



    The situation without haproxy/varnish:



    Now, we are using apache to handle the acl (allow,deny ip's and use username-password protection).



    We tried to capture this through X-Forwarded-For inside apache. However, the web servers themselves can no longer communicate with each other. We had to remove the allow role for the subnet (loadbalancer and webserver are in the same subnet). With this allow, apache don't look at the x-forward-header, and will allow all traffic. Without it, the webservers cannot communicate with each other.



    Does anyone have an example or mindset for us to get there?



    Now: internet->firewall->apache



    What we want: internet->firewall->haproxy(ssl offloading)->varnish->apache (haproxy and varnish running on the same machine)






    apache-2.4 haproxy access-control-list blocking







    share|improve this question


























      0












      0








      0








      We are busy with setting up HAProxy. Almost everything is working, except setting it up without multiple sites with different acl's.



      What we want:



      Using HAProxy with multiple sites, all on the same IP, all with the same backends but with different IP Blockings/Username-Password protection.



      What we have working:



      Get incoming traffic to backend (with an acl to use https instead of http).



      The situation without haproxy/varnish:



      Now, we are using apache to handle the acl (allow,deny ip's and use username-password protection).



      We tried to capture this through X-Forwarded-For inside apache. However, the web servers themselves can no longer communicate with each other. We had to remove the allow role for the subnet (loadbalancer and webserver are in the same subnet). With this allow, apache don't look at the x-forward-header, and will allow all traffic. Without it, the webservers cannot communicate with each other.



      Does anyone have an example or mindset for us to get there?



      Now: internet->firewall->apache



      What we want: internet->firewall->haproxy(ssl offloading)->varnish->apache (haproxy and varnish running on the same machine)






      apache-2.4 haproxy access-control-list blocking







      share|improve this question
















      We are busy with setting up HAProxy. Almost everything is working, except setting it up without multiple sites with different acl's.



      What we want:



      Using HAProxy with multiple sites, all on the same IP, all with the same backends but with different IP Blockings/Username-Password protection.



      What we have working:



      Get incoming traffic to backend (with an acl to use https instead of http).



      The situation without haproxy/varnish:



      Now, we are using apache to handle the acl (allow,deny ip's and use username-password protection).



      We tried to capture this through X-Forwarded-For inside apache. However, the web servers themselves can no longer communicate with each other. We had to remove the allow role for the subnet (loadbalancer and webserver are in the same subnet). With this allow, apache don't look at the x-forward-header, and will allow all traffic. Without it, the webservers cannot communicate with each other.



      Does anyone have an example or mindset for us to get there?



      Now: internet->firewall->apache



      What we want: internet->firewall->haproxy(ssl offloading)->varnish->apache (haproxy and varnish running on the same machine)






      apache-2.4 haproxy access-control-list blocking




      apache-2.4 haproxy access-control-list blocking






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited Jul 27 '16 at 7:52









      zagrimsan

      309313




      309313










      asked Jul 27 '16 at 7:30









      G. KooistraG. Kooistra

      13




      13




















          1 Answer
          1






          active

          oldest

          votes


















          0














          There are a few ways to set this up. The most simple way would probably be with the use of some acls.



          Eg.:



          Defining the different websites



          acl site1 hdr_end(host) site1.com
          acl site2 hdr_end(host) site2.net
          acl site3 hdr_end(host) site3.org


          (I used hrd_end on the host header, so that any subdomain as well as without subdomain would match. You of course need to determine if this is also a desired condition in your case.)



          Defining the allowed sources for the sites



          acl allowed_site1 src 1.2.3.4/32 1.2.4.5/32
          acl allowed_site2 src 2.3.4.5/32 3.4.5.0/24
          acl allowed_site3 src 4.5.0.0/16


          Denying all that does not match



          http-request deny if site1 !allowed_site1
          http-request deny if site2 !allowed_site2
          http-request deny if site3 !allowed_site3


          (Basically this reads as: deny the request if the request is for the specified site, but is not on the list of allowed IP addresses)






          share|improve this answer























            Your Answer








            StackExchange.ready(function()
            var channelOptions =
            tags: "".split(" "),
            id: "2"
            ;
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function()
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled)
            StackExchange.using("snippets", function()
            createEditor();
            );

            else
            createEditor();

            );

            function createEditor()
            StackExchange.prepareEditor(
            heartbeatType: 'answer',
            autoActivateHeartbeat: false,
            convertImagesToLinks: true,
            noModals: true,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: 10,
            bindNavPrevention: true,
            postfix: "",
            imageUploader:
            brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
            contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
            allowUrls: true
            ,
            onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            );



            );













            draft saved

            draft discarded


















            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f792173%2fhaproxy-multiple-sites-multiple-acls%23new-answer', 'question_page');

            );

            Post as a guest















            Required, but never shown

























            1 Answer
            1






            active

            oldest

            votes








            1 Answer
            1






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes









            0














            There are a few ways to set this up. The most simple way would probably be with the use of some acls.



            Eg.:



            Defining the different websites



            acl site1 hdr_end(host) site1.com
            acl site2 hdr_end(host) site2.net
            acl site3 hdr_end(host) site3.org


            (I used hrd_end on the host header, so that any subdomain as well as without subdomain would match. You of course need to determine if this is also a desired condition in your case.)



            Defining the allowed sources for the sites



            acl allowed_site1 src 1.2.3.4/32 1.2.4.5/32
            acl allowed_site2 src 2.3.4.5/32 3.4.5.0/24
            acl allowed_site3 src 4.5.0.0/16


            Denying all that does not match



            http-request deny if site1 !allowed_site1
            http-request deny if site2 !allowed_site2
            http-request deny if site3 !allowed_site3


            (Basically this reads as: deny the request if the request is for the specified site, but is not on the list of allowed IP addresses)






            share|improve this answer



























              0














              There are a few ways to set this up. The most simple way would probably be with the use of some acls.



              Eg.:



              Defining the different websites



              acl site1 hdr_end(host) site1.com
              acl site2 hdr_end(host) site2.net
              acl site3 hdr_end(host) site3.org


              (I used hrd_end on the host header, so that any subdomain as well as without subdomain would match. You of course need to determine if this is also a desired condition in your case.)



              Defining the allowed sources for the sites



              acl allowed_site1 src 1.2.3.4/32 1.2.4.5/32
              acl allowed_site2 src 2.3.4.5/32 3.4.5.0/24
              acl allowed_site3 src 4.5.0.0/16


              Denying all that does not match



              http-request deny if site1 !allowed_site1
              http-request deny if site2 !allowed_site2
              http-request deny if site3 !allowed_site3


              (Basically this reads as: deny the request if the request is for the specified site, but is not on the list of allowed IP addresses)






              share|improve this answer

























                0












                0








                0







                There are a few ways to set this up. The most simple way would probably be with the use of some acls.



                Eg.:



                Defining the different websites



                acl site1 hdr_end(host) site1.com
                acl site2 hdr_end(host) site2.net
                acl site3 hdr_end(host) site3.org


                (I used hrd_end on the host header, so that any subdomain as well as without subdomain would match. You of course need to determine if this is also a desired condition in your case.)



                Defining the allowed sources for the sites



                acl allowed_site1 src 1.2.3.4/32 1.2.4.5/32
                acl allowed_site2 src 2.3.4.5/32 3.4.5.0/24
                acl allowed_site3 src 4.5.0.0/16


                Denying all that does not match



                http-request deny if site1 !allowed_site1
                http-request deny if site2 !allowed_site2
                http-request deny if site3 !allowed_site3


                (Basically this reads as: deny the request if the request is for the specified site, but is not on the list of allowed IP addresses)






                share|improve this answer













                There are a few ways to set this up. The most simple way would probably be with the use of some acls.



                Eg.:



                Defining the different websites



                acl site1 hdr_end(host) site1.com
                acl site2 hdr_end(host) site2.net
                acl site3 hdr_end(host) site3.org


                (I used hrd_end on the host header, so that any subdomain as well as without subdomain would match. You of course need to determine if this is also a desired condition in your case.)



                Defining the allowed sources for the sites



                acl allowed_site1 src 1.2.3.4/32 1.2.4.5/32
                acl allowed_site2 src 2.3.4.5/32 3.4.5.0/24
                acl allowed_site3 src 4.5.0.0/16


                Denying all that does not match



                http-request deny if site1 !allowed_site1
                http-request deny if site2 !allowed_site2
                http-request deny if site3 !allowed_site3


                (Basically this reads as: deny the request if the request is for the specified site, but is not on the list of allowed IP addresses)







                share|improve this answer












                share|improve this answer



                share|improve this answer










                answered Aug 4 '16 at 6:37









                Mick SwitserMick Switser

                30613




                30613



























                    draft saved

                    draft discarded
















































                    Thanks for contributing an answer to Server Fault!


                    • Please be sure to answer the question. Provide details and share your research!

                    But avoid


                    • Asking for help, clarification, or responding to other answers.

                    • Making statements based on opinion; back them up with references or personal experience.

                    To learn more, see our tips on writing great answers.




                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function ()
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f792173%2fhaproxy-multiple-sites-multiple-acls%23new-answer', 'question_page');

                    );

                    Post as a guest















                    Required, but never shown





















































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown

































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown







                    -

                    Popular posts from this blog

                    How to write a 12-bar blues melodyI-IV-V blues progressionHow to play the bridges in a standard blues progressionHow does Gdim7 fit in C# minor?question on a certain chord progressionMusicology of Melody12 bar blues, spread rhythm: alternative to 6th chord to avoid finger stretchChord progressions/ Root key/ MelodiesHow to put chords (POP-EDM) under a given lead vocal melody (starting from a good knowledge in music theory)Are there “rules” for improvising with the minor pentatonic scale over 12-bar shuffle?Confusion about blues scale and chords

                    Image
                    Why is a set not a partition of itself? Would an 8% reduction in drag outweigh the weight addition from this custom CFD-tested winglet? Labeling matrices/rectangles and drawing Sigma inside rectangle Unexpected Netflix account registered to my Gmail address - any way it could be a hack attempt? 51% attack - apparently very easy? refering to CZ's "rollback btc chain" - How to make sure such corruptible scenario can never happen so easily? Missouri raptors have wild hairdos Can someone explain homicide-related death rates? Why is tomato paste so cheap? What are the implications of the new alleged key recovery attack preprint on SIMON? Effects of ~10atm pressure on engine design Is taking modulus on both sides of an equation valid? Jumping frame contents with beamer and pgfplots Are there any established rules for splitting books into parts, chapters, sections etc? Anatomically Correct Carnivorous Tree Why do I get two different answers when solvi...
                    Read more

                    What if the end-user didn't have the required library?What is setup.py?What is a clean, pythonic way to have multiple constructors in Python?What does Ruby have that Python doesn't, and vice versa?What is the reason for having '//' in Python?How do I create a namespace package in Python?How to package shared objects that python modules depend on?setuptools vs. distutils: why is distutils still a thing?Navigation in Windows 10 vs code not going to virtualenv library when the same library is installed at user levelPython create package for local usePackaging a project that uses multiple python versionsWhy is permission denied on pip install except for when “--user” is included at end of command?

                    Image
                    Can a tourist shoot a gun in the USA? Will a coyote attack my dog on a leash while I'm on a hiking trail? Labeling matrices/rectangles and drawing Sigma inside rectangle How can I answer high-school writing prompts without sounding weird and fake? Is there ever any indication in the MCU as to how Spider-Man got his powers? Jumping frame contents with beamer and pgfplots Would an 8% reduction in drag outweigh the weight addition from this custom CFD-tested winglet? Is it possible to create different colors in rocket exhaust? German characters on US-International keyboard layout Does gravity affect the time evolution of a QM wave function? 51% attack - apparently very easy? refering to CZ's "rollback btc chain" - How to make sure such corruptible scenario can never happen so easily? Why are solar panels kept tilted? Is Germany still exporting arms to countries involved in Yemen? Unexpected Netflix account registered to my Gmail address - any wa...
                    Read more

                    Why did Thanos need his ship to help him in the battle scene?Which actor plays Thanos in the Avengers mid-credits scene?Are there economic implications portrayed in comics where the buildings and cities are ruined almost daily?Old X-Men comic where team travels to alien world with a ring-like sun that needs recharging?Why does Ego need help sleeping?Is there an objective answer to who “the strongest Avenger” is?How did Banner get unstuck?Why did Thanos get hit?How did Thanos (or anyone) know the Infinity Stones would give him this power?Did Thanos leave Eitri alive for his after-sales service?In Avengers 1, why does Thanos need Loki?

                    Image
                    German characters on US-International keyboard layout Why is tomato paste so cheap? what does a native speaker say when he wanted to leave his work? Can a tourist shoot a gun in the USA? Extracting sublists that contain similar elements Why does the headset man not get on the tractor? What kind of SATA connector is this? Help in identifying a mystery wall socket Unexpected Netflix account registered to my Gmail address - any way it could be a hack attempt? Anatomically Correct Carnivorous Tree declared variable inside void setup is forgotten in void loop What is the largest number of identical satellites launched together? Automatically anti-predictably assemble an alliterative aria What information do scammers need to withdraw money from an account? Rounding a number extracted by jq to limit the decimal points Tikz draw contour without some edges, and fill What should a student do when they are the victim of a FERPA violation? How exactly does artific...
                    Read more