frontend main_ssl
    bind *:443
    mode tcp
    option tcplog
    # Wait for a client hello for at most 5 seconds
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    use_backend cloud_ssl if { req_ssl_sni -i cloud.example.com }
    use_backend rproxy_ssl if { req_ssl_sni -i assets.example.com }
    use_backend rproxy_ssl if { req_ssl_sni -i support.example.com }
    use_backend manage_ssl if { req_ssl_sni -i management.example.com }

backend cloud_ssl
    mode tcp
    balance roundrobin
    server cloud_ssl_server 10.10.5.8:443 check

backend rproxy_ssl
    mode tcp
    balance roundrobin
    server rpoxy_ssl_server 10.10.5.40:443 check

backend manage_ssl
    mode tcp
    balance roundrobin
    server manage_ssl_server 10.10.5.2:443 check
Is it possible to get ‘manage_ssl’ to block all IP addresses except for a small collection in a file or such?
I know that there is some documentation and quite a few Stack Overflow posts but I seem to be lacking an understanding of the syntax / format that this stuff needs to be in.
And no, I can’t just block at the whole proxy level, nor can I do it at the firewall level. The other sites have to be reachable by all users; it’s just one domain that needs to be blocked and have IPs whitelisted for it.
So I don’t need to do an && statement or something?
I can just do
use_backend manage_ssl if is_whitelisted
use_backend manage_ssl if { req_ssl_sni -i management.example.com }
or would I have to do something like
use_backend manage_ssl if { req_ssl_sni -i management.example.com } && if is_whitelisted
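One way to express this in HAProxy, shown here as an added example that is not part of the original post: named ACLs for the management SNI and for a source-IP whitelist file, a reject rule for that SNI from non-whitelisted sources placed before the existing accept rule, and the use_backend line kept as it was. In HAProxy, several conditions listed after one `if` are ANDed implicitly (no `&&`), `||` or `or` gives OR, and `!` negates. The file path, the ACL names and the whitelist entries are assumptions.

```haproxy
# /etc/haproxy/manage_whitelist.lst (constructed sample, one IP or CIDR per
# line, '#' starts a comment):
#   10.10.0.0/16
#   203.0.113.7

frontend main_ssl
    bind *:443
    mode tcp
    option tcplog
    # Wait for a client hello for at most 5 seconds
    tcp-request inspect-delay 5s

    # Named ACLs: the SNI of the restricted site and the whitelist file of
    # allowed client source addresses (assumed path).
    acl is_mgmt_sni    req_ssl_sni -i management.example.com
    acl is_whitelisted src -f /etc/haproxy/manage_whitelist.lst

    # Drop connections that present the management SNI from a source that is
    # not in the whitelist. Conditions on one 'if' are ANDed and '!' negates.
    # This rule must come before the 'accept' rule below, because 'accept'
    # ends evaluation of the remaining tcp-request content rules.
    # Rejected connections are still written to the tcplog, so blocked
    # attempts against the management site remain visible.
    tcp-request content reject if is_mgmt_sni !is_whitelisted
    tcp-request content accept if { req_ssl_hello_type 1 }

    use_backend cloud_ssl  if { req_ssl_sni -i cloud.example.com }
    use_backend rproxy_ssl if { req_ssl_sni -i assets.example.com }
    use_backend rproxy_ssl if { req_ssl_sni -i support.example.com }
    # Only whitelisted clients reach this line with the management SNI;
    # with no default_backend, anything matching none of the rules is closed.
    use_backend manage_ssl if is_mgmt_sni
```

HAProxy reads the whitelist file when its configuration is loaded, so a reload is needed after editing it.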