How to select a server based on client ip ?

wsq003
How to select a server based on client ip ?
March 15, 2012 07:20AM
Hi,

If we have 5 servers within a back-end, how can we specify some request to certain server based on client ip?

For example:

backend
server s01
server s02
server s03
server s04
server s05

How can we make all requests coming from 217.192.7.* go to server s01?

Thanks.
Carlo Flores
Re: How to select a server based on client ip ?
March 15, 2012 07:50AM
See the src entry under section 7.5.1 of the HAProxy docs. There's
actually many examples of this acl you'll find throughout the doc. You'd
use something like this:

frontend http
    bind :80
    mode http
    acl always_s01 src 217.192.7.0/24
    use_backend s01 if always_s01
    default_backend pool

backend s01
    server s01 2.3.4.1:80

backend pool
    server s01 2.3.4.1:80
    server s02 2.3.4.2:80
    server s03 2.3.4.3:80


On Wed, Mar 14, 2012 at 11:09 PM, wsq003 <[email protected]> wrote:

> Hi,
>
> If we have 5 servers within a back-end, how can we specify some request to
> certain server based on client ip?
>
> For example:
>
> backend
> server s01
> server s02
> server s03
> server s04
> server s05
>
> How can we make all requests comes from 217.192.7.* goes to server s01 ?
>
> Thanks.
>
Thanks, Carlo. It works.

But can it be simpler? Such as:

frontend http
    bind :80
    mode http
    default_backend pool

backend pool
    server s01 2.3.4.1:80
    server s02 2.3.4.2:80
    server s03 2.3.4.3:80
    use_server s01 if { src 217.192.7.0/24 }

We have many servers for different developers, and the rules may be complex and changing.
It is not elegant to define hundreds of backends.


> From: Carlo Flores
> Date: 2012-03-15 14:45
> To: wsq003
> CC: haproxy
> Subject: Re: How to select a server based on client ip ?
>
> See the src entry under section 7.5.1 of the HAProxy docs. There's actually many examples of this acl you'll find throughout the doc. You'd use something like this:
>
> frontend http
> bind :80
> mode http
> acl always_s01 src 217.192.7.0/24
> use_backend s01 if always_s01
> default_backend pool
>
> backend s01
> server s01 2.3.4.1:80
>
> backend pool
> server s01 2.3.4.1:80
> server s02 2.3.4.2:80
> server s03 2.3.4.3:80
>
> On Wed, Mar 14, 2012 at 11:09 PM, wsq003 <[email protected]> wrote:
>
>> Hi,
>>
>> If we have 5 servers within a back-end, how can we specify some request to certain server based on client ip?
>>
>> For example:
>>
>> backend
>> server s01
>> server s02
>> server s03
>> server s04
>> server s05
>>
>> How can we make all requests comes from 217.192.7.* goes to server s01 ?
>>
>> Thanks.
Carlo Flores
Re: Re: How to select a server based on client ip ?
March 17, 2012 12:20AM
Hey wsq003. I don't believe it can be simpler because of the nature of
creating ACLs in HAProxy. However, you could make this much more elegant
by a) programmatically creating the ACLs and/or b) using something like
haproxy_join ( https://github.com/joewilliams/haproxy_join ) or Puppet's
concat module ( https://github.com/ripienaar/puppet-concat ) to break up
the configuration files into a more readable format.

Even a simpler format that constantly changes would be hairy and needs
automation to not be hairy, right? :)

On Thu, Mar 15, 2012 at 12:39 AM, wsq003 <[email protected]> wrote:

> Thanks, Carlo. It works.
>
> But can it be simpler? such as:
>
> frontend http
> bind :80
> mode http
> default_backend pool
>
> backend pool
> server s01 2.3.4.1:80
> server s02 2.3.4.2:80
> server s03 2.3.4.3:80
> use_server s01 if { src 217.192.7.0/24 }
>
> We have many servers for different developers, the rules may be complex
> and changing.
> It is not elegant to define hundreds of backend.
>
>
> *From:* Carlo Flores <[email protected]>
> *Date:* 2012-03-15 14:45
> *To:* wsq003 <[email protected]>
> *CC:* haproxy <[email protected]>
> *Subject:* Re: How to select a server based on client ip ?
> See the src entry under section 7.5.1 of the HAProxy docs. There's
> actually many examples of this acl you'll find throughout the doc. You'd
> use something like this:
>
> frontend http
> bind :80
> mode http
> acl always_s01 src 217.192.7.0/24
> use_backend s01 if always_s01
> default_backend pool
>
> backend s01
> server s01 2.3.4.1:80
>
> backend pool
> server s01 2.3.4.1:80
> server s02 2.3.4.2:80
> server s03 2.3.4.3:80
>
>
> On Wed, Mar 14, 2012 at 11:09 PM, wsq003 <[email protected]> wrote:
>
>> Hi,
>>
>> If we have 5 servers within a back-end, how can we specify some request
>> to certain server based on client ip?
>>
>> For example:
>>
>> backend
>> server s01
>> server s02
>> server s03
>> server s04
>> server s05
>>
>> How can we make all requests comes from 217.192.7.* goes to server s01 ?
>>
>> Thanks.
>>
>
>
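Added example (not part of the original thread, and not code from HAProxy or from any poster): one way to do the "programmatically creating the ACLs" step suggested above, generating the frontend/backend layout of the first reply from a table of client networks. The RULES and SERVERS tables, the second network and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample input (assumption, not from the thread): client network -> server.
RULES = {"217.192.7.0/24": "s01", "198.51.100.0/25": "s02"}
SERVERS = {"s01": "2.3.4.1:80", "s02": "2.3.4.2:80", "s03": "2.3.4.3:80"}
NAME = re.compile(r"[A-Za-z0-9_.-]+")  # keeps newlines/spaces out of generated config


def validate(rules, servers):
    """Parse and check the rule table; return sorted (network, server) pairs."""
    for name in servers:
        if not NAME.fullmatch(name):
            raise ValueError(f"bad server name {name!r}")
    pairs = []
    for cidr, server in rules.items():
        net = ipaddress.ip_network(cidr)  # strict: rejects 217.192.7.5/24
        if server not in servers:
            raise ValueError(f"{cidr}: unknown server {server!r}")
        pairs.append((net, server))
    # Two overlapping networks aimed at different servers would make the
    # result depend on rule order, so refuse them instead of guessing.
    for i, (a, sa) in enumerate(pairs):
        for b, sb in pairs[i + 1:]:
            if sa != sb and a.version == b.version and a.overlaps(b):
                raise ValueError(f"{a} ({sa}) overlaps {b} ({sb})")
    return sorted(pairs, key=lambda p: (p[1], p[0].version, int(p[0].network_address)))


def render(rules, servers, default="pool"):
    """Emit the frontend/backends in the layout of the first reply."""
    pairs = validate(rules, servers)
    targets = sorted({server for _, server in pairs})
    out = ["frontend http", "    bind :80", "    mode http"]
    # Repeating an ACL name ORs the patterns, so one name per server is enough.
    out += [f"    acl always_{s} src {net}" for net, s in pairs]
    out += [f"    use_backend {s} if always_{s}" for s in targets]
    out.append(f"    default_backend {default}")
    for s in targets:
        out += ["", f"backend {s}", f"    server {s} {servers[s]}"]
    out += ["", f"backend {default}"]
    out += [f"    server {n} {addr}" for n, addr in sorted(servers.items())]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(render(RULES, SERVERS), end="")
```

The `src` match is on the TCP peer address, so if HAProxy itself sits behind another proxy or NAT, every client will appear to come from that device's address.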
Cyril Bonté
Re: How to select a server based on client ip ?
March 17, 2012 12:50AM
Hi,

On 15/03/2012 08:39, wsq003 wrote:
> Thanks, Carlo. It works.
> But can it be simpler? such as:
> frontend http
> bind :80
> mode http
> default_backend pool
>
> backend pool
> server s01 2.3.4.1:80
> server s02 2.3.4.2:80
> server s03 2.3.4.3:80
> use_server s01 if { src 217.192.7.0/24 }

If you're in http mode, you may use some tricks to emulate this (Note
that I've never tested it in production).

First, use "cookie" keyword without any actions (no prefix, insert or
rewrite option) :

cookie LB

Add cookie values on each server :

server s01 2.3.4.1:80 cookie s01
server s02 2.3.4.2:80 cookie s02
server s03 2.3.4.3:80 cookie s03

Then enumerate the acls you want to reach a specific server :

acl s01 src 217.192.7.0/24
acl s02 ...


Ask haproxy to add a fake cookie depending on the acl matching :

reqadd Cookie:\ LB=s01 if s01

And maybe you want to force the persistence for such conditions :

force-persist if s01 || s02 ...

To sum up, this gives :

backend pool
    mode http
    # use option httpclose or option http-server-close
    ...
    cookie LB

    server s01 2.3.4.1:80 cookie s01
    server s02 2.3.4.2:80 cookie s02
    server s03 2.3.4.3:80 cookie s03

    acl s01 src 217.192.7.0/24
    acl s02 ...

    reqadd Cookie:\ LB=s01 if s01

    force-persist if s01 || s02 ...

Consider this experimental unless someone confirms he already used this
in production ;-)

--
Cyril Bonté
Willy Tarreau
Re: How to select a server based on client ip ?
March 17, 2012 09:00AM
Hi Cyril,

On Sat, Mar 17, 2012 at 12:46:03AM +0100, Cyril Bonté wrote:
> Hi,
>
> On 15/03/2012 08:39, wsq003 wrote:
> >Thanks, Carlo. It works.
> >But can it be simpler? such as:
> >frontend http
> >bind :80
> >mode http
> >default_backend pool
> >
> >backend pool
> >server s01 2.3.4.1:80
> >server s02 2.3.4.2:80
> >server s03 2.3.4.3:80
> >use_server s01 if { src 217.192.7.0/24 }
>
> If you're in http mode, you may use some tricks to emulate this (Note
> that I've never tested it in production).
>
> First, use "cookie" keyword without any actions (no prefix, insert or
> rewrite option) :
>
> cookie LB
>
> Add cookie values on each server :
>
> server s01 2.3.4.1:80 cookie s01
> server s02 2.3.4.2:80 cookie s02
> server s03 2.3.4.3:80 cookie s03
>
> Then enumerate the acls you want to reach a specific server :
>
> acl s01 src 217.192.7.0/24
> acl s02 ...
>
>
> Ask haproxy to add a fake cookie depending on the acl matching :
>
> reqadd Cookie:\ LB=s01 if s01
>
> And maybe you want to force the persistence for such conditions :
>
> force-persist if s01 || s02 ...
>
> To sum up, this gives :
>
> backend pool
> mode http
> # use option httpclose or option http-server-close
> ...
> cookie LB
>
> server s01 2.3.4.1:80 cookie s01
> server s02 2.3.4.2:80 cookie s02
> server s03 2.3.4.3:80 cookie s03
>
> acl s01 src 217.192.7.0/24
> acl s02 ...
>
> reqadd Cookie:\ LB=s01 if s01
>
> force-persist if s01 || s02 ...
>
> Consider this experimental unless someone confirms he already used this
> in production ;-)

Yes it works because req* rules are processed before cookie inspection.
I've used something similar in some setups, which consisted of
renaming a header "x-something: YZ" to "cookie: SRV=YZ" to get the same
behaviour.

I think I should update the diagram which details all the processing steps
because a number of additions were made and not updated there.

Regards,
Willy