
I am currently using nginx to close connections from unknown hosts and return 444 ("no response").

How do I achieve the same with HAProxy, which sits in front of nginx (saving the extra step between HAProxy and nginx)?

current nginx config:

server {
  # Close connection for unrecognized hosts (444 no response)
  listen 80 default_server;
  listen [::]:80 default_server;

  return 444;
}
Ejez

2 Answers


This can be achieved using "silent-drop"

# match requests whose Host header is example.com (case-insensitive)
acl host_example req.hdr(host) -i example.com
# everything else gets no response at all; HAProxy conditions negate with "!" or "unless", not "not"
http-request silent-drop unless host_example

https://cbonte.github.io/haproxy-dconv/2.0/configuration.html#4.2-http-request%20silent-drop
https://www.haproxy.com/blog/introduction-to-haproxy-acls/#using-acls-to-block-requests

Ejez
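A fuller frontend that mirrors the nginx default_server block from the question, added here as an example; it is not part of the original answer. The site names, the backend name and the port-stripping on the Host header are assumptions. Per the HAProxy documentation linked above, silent-drop leaves the client hanging only on Linux with TCP_REPAIR, which needs HAProxy to run as root or with CAP_NET_ADMIN; otherwise the socket is simply closed, which is closer to nginx's 444 than to a hang.

```haproxy
# Added example (not from the original answer). Names are assumptions:
# example.com / www.example.com stand in for the real sites, nginx_pool
# for the backend that points at the nginx servers.
frontend http_in
    bind *:80
    bind [::]:80 v6only
    mode http

    # Normalise the Host header: lower-case it and strip any ":port".
    # A request for "example.com:8080" would otherwise fail a plain
    # "req.hdr(host) -i example.com" test.
    acl known_host req.hdr(host),lower,field(1,:) -m str example.com www.example.com

    # Equivalent of nginx "return 444": unknown or missing Host gets no
    # reply at all. HTTP/1.0 requests without a Host header fail the ACL
    # too, so they are dropped as well.
    http-request silent-drop unless known_host

    # Only recognised hosts reach nginx, so nginx's default_server 444
    # block is never hit and the extra hop is saved.
    default_backend nginx_pool

backend nginx_pool
    mode http
    server nginx1 127.0.0.1:8080 check
```

Check the file with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading; an unknown ACL name or a bad converter chain is reported there rather than at request time. If the frontend also terminates TLS, the same ACL works unchanged because it tests the Host header of the decrypted request, but a mismatched SNI will already have been answered with a certificate before the drop happens.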

@Ejez, you can either accept connections coming from known IPs or block connections from particular IPs in the HAProxy frontend.

ref code:

  • allowed known ip's
acl network_allowed src 20.30.40.50 20.30.40.40
use_backend allowed_backend if network_allowed

or

  • block certain ip's only
acl is-blocked-ip src 192.0.2.11 192.0.2.12 192.0.2.18
http-request deny if is-blocked-ip

Rangeesh
  • Thanks @Rangeesh for the reply. However, I did not want to send a "403 Forbidden" response to the client (using "deny"); instead I wanted to send nothing, close the connection on the HAProxy side and keep it hanging on the client side, so that bots are slowed down a lot. I found "silent-drop", which achieves this. ref: https://www.haproxy.com/blog/introduction-to-haproxy-acls/#using-acls-to-block-requests – Ejez Aug 05 '19 at 18:11
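Building on Rangeesh's IP-based variant and the comment above, an added example (not from the original answer) that does the source-address filtering at connection stage, before HAProxy parses any HTTP, so that blocked or unknown sources get no 403 and no response at all. The list file path, the backend name and the addresses are constructed for the example.

```haproxy
# Added example, not the answer's own configuration.
# /etc/haproxy/allowed-ips.lst is a hypothetical file with one IP or
# CIDR per line; 192.0.2.0/24 is the documentation range.
frontend http_in
    bind *:80
    mode http

    # Use (a) or (b), not both: with (a) in place, (b) only ever sees
    # sources that are already on the allowlist.

    # (a) allowlist: everything not in the file is dropped at TCP level,
    #     so the request is never read and nothing is sent back.
    acl trusted_src src -f /etc/haproxy/allowed-ips.lst
    tcp-request connection silent-drop unless trusted_src

    # (b) blocklist: "reject" closes the connection without a response,
    #     where "http-request deny" would answer with a 403.
    acl bad_src src 192.0.2.11 192.0.2.12 192.0.2.18
    tcp-request connection reject if bad_src

    default_backend nginx_pool

backend nginx_pool
    mode http
    server nginx1 127.0.0.1:8080 check
```

`src` is the address of the TCP peer. If another load balancer or CDN sits in front of HAProxy, every connection arrives from that device's address and both rules are meaningless unless the front device speaks the PROXY protocol and the bind line carries `accept-proxy`; filtering on X-Forwarded-For instead moves the decision back to `http-request`, after the request has been parsed.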