OPNsense Forum

English Forums => Web Proxy Filtering and Caching => Topic started by: GreenSpace10 on May 18, 2020, 08:28:03 am

Title: [SOLVED] HAProxy IP Based ACL
Post by: GreenSpace10 on May 18, 2020, 08:28:03 am
I recently switched to OPNsense, and for the most part I have everything operating smoothly. I am running into issues with HAProxy with regard to limiting what passes through.

I have about 40ish services I have routed through HAProxy, and thus far it is operating ok. What I would like to do is limit access to a few of them to only the local clients.

I noticed under conditions there is a `Source IP matches specified IP`, which, when I configure the rule and put it in the backend rules, I could get to function, but I have hundreds of IPs to add, which is not a viable option. Is it possible to add IP ranges or subnets?

The other option I tried is `Source IP is Local`, but that rule didn't seem to function; I was able to access the server from a number of outside IPs.

Does anyone have experience with this type of setup or have any suggestions?

Thanks,
Title: Re: HAProxy IP Based ACL
Post by: cmdr.adama on May 20, 2020, 01:00:18 pm
Could you please post what you currently have in your haproxy config?
Title: Re: HAProxy IP Based ACL
Post by: GreenSpace10 on May 21, 2020, 05:39:16 pm

#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
    # NOTE: Could be a security issue, but required for some feature.
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbproc                      1
    nbthread                    1
    tune.ssl.default-dh-param   2048
    spread-checks               0
    tune.chksize                16384
    tune.bufsize                16384
    tune.lua.maxmem             0
    log /var/run/log local0 info

defaults
    log     global
    option redispatch -1
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3

# autogenerated entries for ACLs

# autogenerated entries for config in backends/frontends

# autogenerated entries for stats


# Frontend: domain.com ()
frontend domain.com
    bind 0.0.0.0:443 name 0.0.0.0:443 ssl crt-list /tmp/haproxy/ssl/5ec1ceed0ad936.61713224.certlist
    mode http
    option http-keep-alive
    option forwardfor
    # tuning options
    timeout client 30s

    # logging options
    # ACL: eir
    acl acl_5ec1ce52a22c11.86005378 hdr(host) -i blah.domain.com
    # ACL: plex
    acl acl_5ec1f1ed6cf9d6.91016871 hdr(host) -i plex.domain.com
    # ACL: hassio
    acl acl_5ec1e0423f9969.01800467 hdr(host) -i jarvis.domain.com
    # ACL: bitwarden
    acl acl_5ec1f963768eb6.70249940 hdr(host) -i pass.domain.com
    # ACL: unifi
    acl acl_5ec1f9da8de383.42775802 hdr(host) -i unifi.domain.com
    # ACL: radarr
    acl acl_5ec1f9ada21918.33541377 hdr(host) -i radarr.domain.com
    # ACL: sonarr
    acl acl_5ec1f9c29b9b33.61902860 hdr(host) -i sonarr.domain.com
    # ACL: jackett
    acl acl_5ec1f986b73ff8.35408048 hdr(host) -i jackett.domain.com

    # ACTION: eir_action
    use_backend test_eir if acl_5ec1ce52a22c11.86005378
    # ACTION: plex
    use_backend plex if acl_5ec1f1ed6cf9d6.91016871
    # ACTION: hassio
    use_backend hassio if acl_5ec1e0423f9969.01800467
    # ACTION: bitwarden
    use_backend bitwarden if acl_5ec1f963768eb6.70249940
    # ACTION: unifi
    use_backend unifi if acl_5ec1f9da8de383.42775802
    # ACTION: radarr
    use_backend radarr if acl_5ec1f9ada21918.33541377
    # ACTION: sonarr
    use_backend sonarr if acl_5ec1f9c29b9b33.61902860
    # ACTION: jackett
    use_backend jackett if acl_5ec1f986b73ff8.35408048

# Frontend: http_to_https ()
frontend http_to_https
    bind 0.0.0.0:80 name 0.0.0.0:80
    mode http
    option http-keep-alive
    option forwardfor
    # tuning options
    timeout client 30s

    # logging options
    # ACL: http
    acl acl_5ec1d5269b4ee9.64132240 req.proto_http

    # ACTION: redirect_to_https
    http-request redirect scheme https code 301 if acl_5ec1d5269b4ee9.64132240


# Backend: acme_challenge_backend (Added by Let's Encrypt plugin)
backend acme_challenge_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server acme_challenge_host 127.0.0.1:43580

# Backend: test_eir ()
backend test_eir
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    # ACL: Local
    acl acl_5ec1c9bc432122.19537709 src_is_local

    # ACTION: Local_Access
    http-request deny if !acl_5ec1c9bc432122.19537709

    http-reuse safe
    server srv_eir_webserver eir.domain.com:80

# Backend: hassio ()
backend hassio
    # health check: Socket
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server doc_hassio 10.0.40.11:8123 check inter 2s

# Backend: plex ()
backend plex
    # health check: Socket
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server doc_plex 10.0.70.100:32400 check inter 2s

# Backend: bitwarden ()
backend bitwarden
    # health check: Socket
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server doc_bitwarden 10.0.70.111:80 check inter 2s

# Backend: jackett ()
backend jackett
    # health check: Socket
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server doc_jackett 10.0.20.89:9117 check inter 2s

# Backend: nzbget ()
backend nzbget
    # health check: Socket
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    # ACL: Local
    acl acl_5ec1c9bc432122.19537709 src_is_local

    # ACTION: Local_Access
    http-request deny if !acl_5ec1c9bc432122.19537709

    http-reuse safe
    server doc_nzbget 10.0.20.81:6789 check inter 2s

# Backend: radarr ()
backend radarr
    # health check: Socket
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server doc_radarr 10.0.70.105:7878 check inter 2s

# Backend: sonarr ()
backend sonarr
    # health check: Socket
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server doc_sonarr 10.0.70.106:8989 check inter 2s

# Backend: unifi ()
backend unifi
    # health check: Socket
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    # ACL: Local
    acl acl_5ec1c9bc432122.19537709 src_is_local

    # ACTION: Local_Access
    http-request deny if !acl_5ec1c9bc432122.19537709

    http-reuse safe
    server doc_unifi 10.0.10.40:8443 check inter 2s
Title: Re: HAProxy IP Based ACL
Post by: cmdr.adama on May 22, 2020, 12:20:16 pm
https://cbonte.github.io/haproxy-dconv/2.1/configuration.html#7.3.3-src_is_local
Quote
src_is_local : boolean
Returns true if the source address of the incoming connection is local to the
system, or false if the address doesn't exist on the system, meaning that it
comes from a remote machine. Note that UNIX addresses are considered local.
It can be useful to apply certain access restrictions based on where the
client comes from (e.g. require auth or https for remote machines). Please
note that the check involves a few system calls, so it's better to do it only
once per connection.

So... if I read that correctly, it would work if the IP is local to the FW, i.e. an interface IP.

Have you tried using "Source IP matches a specific IP" with a range, i.e. 10.0.0.0/24?
Title: Re: HAProxy IP Based ACL
Post by: GreenSpace10 on May 23, 2020, 07:20:59 am
I saw that after the fact, and was able to play around and figure it out. Also, I had placed the IP rule in the backend pool rules section, which did not work either; after placing it in with the match rules they started functioning.

Thanks for your help!
Title: Re: [SOLVED] HAProxy IP Based ACL
Post by: kebek on August 28, 2022, 10:03:59 pm
# Backend: filemanager_backend (File Browser)
backend filemanager_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    # ACL: ipIsInLocalNetwork_condition
    acl acl_630bb0033adfc2.41301877 src 10.1.1.0/8

    # ACTION: ipIsInLocalNetwork_rule
    http-request deny if !acl_630bb0033adfc2.41301877
    http-reuse safe
    server filemanager_server 10.1.1.10:8000

Another solution where you don't have to deal with booleans.
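Added example, not from this thread or from the OPNsense HAProxy plugin: a small Python audit helper that parses the `acl NAME src ...` lines as they appear in the generated configs above and evaluates sample client addresses against them. It models HAProxy's `src` matching, where the prefix length is a mask applied to the pattern, so kebek's `10.1.1.0/8` admits every 10.x.x.x address and not only 10.1.1.x, while a pattern written the way cmdr.adama suggested (`10.0.0.0/24`) stays tight. The ACL names, the sample backend and the client addresses are constructed for the example; HAProxy option flags such as `-f` or `-i` on `src` lines are recognised but not modelled. As the quoted docs explain, `src_is_local` only tests whether the source address belongs to the proxy host itself, which is why it never restricted access to the LAN.

```python
# Added example (not from the OPNsense thread): audit HAProxy "acl NAME src ..."
# lines and show which client addresses each ACL actually admits.
import ipaddress
import re
from typing import Dict, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Matches the "acl <name> src <pattern...>" lines the OPNsense plugin emits.
ACL_SRC_RE = re.compile(r"^\s*acl\s+(\S+)\s+src\s+(.+?)\s*$")


def parse_src_acls(config_text: str) -> Dict[str, List[Network]]:
    """Collect {acl_name: [networks]} from every `acl NAME src ...` line.

    strict=False mirrors HAProxy: the prefix length is a mask applied to the
    pattern, so "10.1.1.0/8" becomes 10.0.0.0/8 rather than an error.
    Trailing '#' comments are dropped; tokens starting with '-' (HAProxy
    option flags) are skipped because this helper does not model them.
    """
    acls: Dict[str, List[Network]] = {}
    for line in config_text.splitlines():
        m = ACL_SRC_RE.match(line)
        if not m:
            continue
        name, patterns = m.groups()
        for token in patterns.split("#")[0].split():
            if token.startswith("-"):
                continue
            acls.setdefault(name, []).append(ipaddress.ip_network(token, strict=False))
    return acls


def src_matches(networks: List[Network], client_ip: str) -> bool:
    """True if client_ip falls in any of the ACL's networks (HAProxy ORs them)."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in networks)


def effective_ranges(acls: Dict[str, List[Network]]) -> Dict[str, List[str]]:
    """Canonical form of each pattern; an over-wide mask becomes visible here."""
    return {name: [str(net) for net in nets] for name, nets in acls.items()}


def audit(acls: Dict[str, List[Network]], sample_clients: List[str]) -> Dict[str, Dict[str, bool]]:
    """For each ACL, which sample clients would pass `http-request deny if !acl`."""
    return {name: {ip: src_matches(nets, ip) for ip in sample_clients}
            for name, nets in acls.items()}


# Constructed sample backend, modelled on the thread (hypothetical ACL names).
SAMPLE_CONFIG = """
backend filemanager_backend
    # /8 keeps only the first octet, so this admits all of 10.0.0.0/8
    acl lan_wide src 10.1.1.0/8
    # one /24 plus a second LAN segment
    acl lan_exact src 10.1.1.0/24 192.168.50.0/24
    http-request deny if !lan_exact
"""

# Constructed client addresses: two LAN hosts, one elsewhere in 10/8, one public.
SAMPLE_CLIENTS = ["10.1.1.25", "10.200.7.9", "192.168.50.3", "203.0.113.7"]

if __name__ == "__main__":
    parsed = parse_src_acls(SAMPLE_CONFIG)
    for acl_name, ranges in effective_ranges(parsed).items():
        print(f"{acl_name}: {' '.join(ranges)}")
    for acl_name, results in audit(parsed, SAMPLE_CLIENTS).items():
        for ip, allowed in results.items():
            print(f"  {acl_name:<10} {ip:<14} {'allowed' if allowed else 'denied'}")
```

Run it against a copy of the generated config from the plugin to see, per ACL, the canonical range HAProxy will actually use and which clients get past the `deny` rule; the `lan_wide` line shows 10.200.7.9 being admitted by a pattern that was written as if it covered only 10.1.1.x.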