
Suggestion for ACL groups

Posted by Julian Zielke 
April 13, 2017 12:00PM
Hi,

lately I had to define multiple ACLs in our pfSense box running HAProxy 1.6.x.

The challenge was to configure a frontend with multiple URLs as ACLs and also limit IPs to some URLs and some other available to any or a different set of IPs.

Example:

a_url1 --> host match www.mydomain.com
a_url2 --> host match www.myotherdomain.com
a_net1 --> source ip match www.xxx.yyy.zzz
a_net2 --> source ip match aaa.bbb.ccc.ddd

So for every frontend the match syntax would be:

use backend if a_url1 a_net1 || a_url1 a_net2 || a_url2 a_net1 || a_url2 a_net2

Having a one-line directive this rule set with more IPs and/or URLs can be a real pita.
So my suggestion would be a group-syntax for ACLs which would be like:

(a_url1 || a_url2 ) (a_net1 || a_net2)

Much more compact and serves the same purpose. Would be nice to see this being implemented.
Searching across Google, some ppl already asked for this on different forums.

- Julian

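An added configuration fragment, not part of the original post: HAProxy conditions have no parentheses, but patterns inside one ACL, and repeated declarations of the same ACL name, are ORed, which gives the grouped form directly. The frontend and backend names, the public hostname and the documentation address ranges are constructed placeholders, and the backends are assumed to be defined elsewhere.

```haproxy
# Constructed example: fe_web, be_app, be_public, be_default,
# public.example.com and the 192.0.2.0/24 / 198.51.100.0/24 ranges
# are placeholders, not values from the post.
frontend fe_web
    bind :80
    mode http

    # Several patterns on one acl line are ORed:
    #   a_url = a_url1 || a_url2
    acl a_url hdr(host) -i www.mydomain.com www.myotherdomain.com

    # Declaring the same ACL name again ORs the new patterns in:
    #   a_net = a_net1 || a_net2
    acl a_net src 192.0.2.0/24
    acl a_net src 198.51.100.0/24

    # A host that is open to any source address gets its own ACL.
    acl a_url_public hdr(host) -i public.example.com

    # Reject restricted hosts from other sources explicitly, so those
    # requests do not fall through to default_backend.
    http-request deny if a_url !a_net

    # ACLs written side by side are ANDed:
    #   (a_url1 || a_url2) (a_net1 || a_net2)
    use_backend be_app if a_url a_net

    # use_backend rules are evaluated in order; the first match wins.
    use_backend be_public if a_url_public

    default_backend be_default
```

Adding another restricted host or source range is then one more pattern on the matching `acl` line, and the `use_backend` condition stays unchanged.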