Tutorial 2024/06: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating

Started by TheHellSite, May 31, 2021, 01:06:11 PM

I have a somewhat difficult question: How can I implement a rule to allow "local" traffic only for specific named backends?

That means, I want to selectively block external access for specific domains.

I know how this works for IPv4: you can simply create a rule with a condition based on RFC1918 IPs and create a 4xx response if it does not match.

However, my situation is that my LAN clients use IPv6 GUAs generated from dynamic prefixes as assigned by my ISP, so I cannot specify the prefix to match. The WAN IPv6 is also from that prefix ("Request prefix only") and it is the target for the DNS names that HAproxy handles. Since that IPv6 always has more priority than any IPv4 or ULA IPv6, it will be the target for the HTTP(S) requests, thus NAT66 will not really cut it.

Access to lower layers than 4 is impossible within HAproxy, so I cannot use hop limits either. I have not even found a way to ask for the inbound interface because of this restriction.

All solutions I have pondered are too crude and involve scripting or using split DNS. Port-forwarding is also questionable, given the fact that there are internal layer 4 redirects to localhost with this setup already.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 450 up, Bufferbloat A+
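As an added illustration, not taken from the post above or from OPNsense's own generated configuration, this is what the IPv4 approach the poster describes looks like in plain haproxy.cfg syntax: a source-address ACL plus a per-host deny rule, so only the named host is restricted while everything else stays public. The host name, backend names and certificate path are placeholders, and the ULA range is included only to show that it does not cover the dynamic-GUA case raised in the post.

```haproxy
# Constructed example: restrict one host (by Host header / SNI) to LAN sources only.
frontend https_in
    bind :443 ssl crt /etc/haproxy/certs/        # placeholder certificate directory

    # RFC1918 IPv4 ranges; matches the "rule with a condition based on RFC1918 IPs"
    acl src_lan src 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
    # RFC4193 ULA. Note: LAN clients with a GUA from a dynamic ISP prefix will NOT
    # match this, which is exactly the gap described in the post.
    acl src_lan src fc00::/7

    # Only this host is LAN-restricted; other hosts remain reachable from the WAN.
    acl host_internal hdr(host) -i internal.example.com   # placeholder host name

    # 4xx response when the restricted host is requested from outside the LAN.
    http-request deny deny_status 403 if host_internal !src_lan

    use_backend be_internal if host_internal
    default_backend be_public

backend be_internal
    server internal1 127.0.0.1:8080 check     # placeholder internal service

backend be_public
    server public1 127.0.0.1:8081 check       # placeholder public service
```

Because the check is on `src` at layer 4, it inherits the limitation the post describes: a LAN client whose request arrives from a GUA in the ISP-assigned prefix is indistinguishable from an external client unless that prefix can be named in the ACL.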