frontend main_ssl
        bind *:443
        mode tcp
        option tcplog

        # Wait for a client hello for at most 5 seconds
        tcp-request inspect-delay 5s
        tcp-request content accept if { req_ssl_hello_type 1 }


        use_backend cloud_ssl if { req_ssl_sni -i cloud.example.com }
        use_backend rproxy_ssl if { req_ssl_sni -i assets.example.com }
        use_backend rproxy_ssl if { req_ssl_sni -i support.example.com }
        use_backend manage_ssl if { req_ssl_sni -i management.example.com }


backend cloud_ssl
        mode tcp
        balance roundrobin
        server cloud_ssl_server 10.10.5.8:443 check

backend rproxy_ssl
        mode tcp
        balance roundrobin
        server rproxy_ssl_server 10.10.5.40:443 check

backend manage_ssl
        mode tcp
        balance roundrobin
        server manage_ssl_server 10.10.5.2:443 check

Is it possible to get ‘manage_ssl’ to block all IP addresses except for a small collection in a file or such?

I know that there is some documentation and quite a few Stack Overflow posts but I seem to be lacking an understanding of the syntax / format that this stuff needs to be in.

And no, I can’t just block at the whole proxy level, nor can I do it at the firewall level. The other sites have to be reachable by all users; it’s just one domain that needs to be blocked and IPs whitelisted for.

  • BouncyPancakeOPB · 1 year ago

    So I don’t need to do an && statement or something?

    I can just do

    use_backend manage_ssl if is_whitelisted
    use_backend manage_ssl if { req_ssl_sni -i management.example.com }

    or would i have to do something like

    use_backend manage_ssl if { req_ssl_sni -i management.example.com } && if is_whitelisted
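An added example, not the original poster's config and not a reply from the thread, that answers both the original question (restrict manage_ssl to a small allowlist kept in a file) and the follow-up about combining conditions. It keeps the posted frontend and backends as they are; the allowlist path /etc/haproxy/management_allow.lst and the ACL names is_management and is_allowed_src are assumptions. In HAProxy a condition is a space-separated list of ACLs that are ANDed, || is OR and ! negates, so there is no && and no second if on the same line.

```haproxy
# Added example (not the thread's own config): main_ssl with the
# management host restricted to a source-IP allowlist read from a file.
# The file path and the ACL names are assumed; the rest matches the
# posted configuration.
frontend main_ssl
        bind *:443
        mode tcp
        option tcplog

        # Named ACLs. Reusing them keeps the rules below readable.
        acl is_management   req_ssl_sni -i management.example.com
        # /etc/haproxy/management_allow.lst holds one IPv4/IPv6 address or
        # CIDR per line, "#" starts a comment, e.g.
        #   # ops jump hosts
        #   10.10.1.5
        #   192.0.2.0/28
        # HAProxy loads it at start/reload, so after editing run
        # "haproxy -c -f /etc/haproxy/haproxy.cfg" and then reload.
        acl is_allowed_src  src -f /etc/haproxy/management_allow.lst

        # Wait for a client hello for at most 5 seconds
        tcp-request inspect-delay 5s
        # Order matters: "accept" stops evaluation of the remaining
        # tcp-request content rules, so the reject must come before it.
        # The rule waits until the SNI is available (or the delay expires).
        tcp-request content reject if is_management !is_allowed_src
        tcp-request content accept if { req_ssl_hello_type 1 }

        use_backend cloud_ssl  if { req_ssl_sni -i cloud.example.com }
        use_backend rproxy_ssl if { req_ssl_sni -i assets.example.com } || { req_ssl_sni -i support.example.com }
        # The AND the follow-up comment asked about: both ACLs must match.
        # Even without the reject above, a management connection from a
        # non-listed source would match nothing here and, with no
        # default_backend, simply be closed.
        use_backend manage_ssl if is_management is_allowed_src

backend cloud_ssl
        mode tcp
        balance roundrobin
        server cloud_ssl_server 10.10.5.8:443 check

backend rproxy_ssl
        mode tcp
        balance roundrobin
        server rproxy_ssl_server 10.10.5.40:443 check

backend manage_ssl
        mode tcp
        balance roundrobin
        server manage_ssl_server 10.10.5.2:443 check
```

Two things to check before relying on this. First, src is the address of the TCP peer: if HAProxy sits behind another proxy, NAT or load balancer, every client will appear to come from that device and the allowlist is meaningless; in that case have the upstream send the PROXY protocol and use "bind *:443 accept-proxy" (only from a trusted upstream, since the header is client-controlled otherwise). Second, both SNI and the source address are unauthenticated routing inputs, so this is a network-level filter on top of, not instead of, authentication on the management service itself. Rejected connections appear in the tcplog output with termination state PR, which is handy for confirming the rule actually fires.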