HAProxy whitelist settings

By 默北

When HAProxy is used as a TCP proxy, you sometimes need to restrict which source IPs may connect. iptables can do this, but while going through the HAProxy manual I checked whether HAProxy itself offers a way. To use any application well you have to read its manual carefully; the manual is the most authoritative and most detailed source. Enough preamble, here is how HAProxy does it:

Syntax

tcp-request content accept [{if | unless} <condition>]

Sections

defaults: No | frontend: Yes | listen: Yes | backend: No

Description

During TCP content inspection, the connection is immediately validated if the condition is true (when used with "if") or false (when used with "unless"). Most of the time during content inspection, a condition will be in an uncertain state which is neither true nor false. The evaluation immediately stops when such a condition is encountered. It is important to understand that "accept" and "reject" rules are evaluated in their exact declaration order, so that it is possible to build complex rules from them. There is no specific limit to the number of rules which may be inserted.

Note that the "if/unless" condition is optional. If no condition is set on the action, it is simply performed unconditionally.

If no tcp-request content rules are matched, the default action already is "accept". Thus, this statement alone does not bring anything without another reject statement.

Syntax

tcp-request content reject [{if | unless} <condition>]

Sections

defaults: No | frontend: Yes | listen: Yes | backend: No

Description

During TCP content inspection, the connection is immediately rejected if the condition is true (when used with "if") or false (when used with "unless"). Most of the time during content inspection, a condition will be in an uncertain state which is neither true nor false. The evaluation immediately stops when such a condition is encountered. It is important to understand that "accept" and "reject" rules are evaluated in their exact declaration order, so that it is possible to build complex rules from them. There is no specific limit to the number of rules which may be inserted.

Note that the "if/unless" condition is optional. If no condition is set on the action, it is simply performed unconditionally.

If no "tcp-request content" rules are matched, the default action is set to "accept".

Example configuration (a source address is accepted only if it appears in the whitelist file; every other connection is rejected):

global
    log         127.0.0.1 local2
    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn     4000
    user        haproxy
    group       haproxy
    daemon

defaults
    mode        http
    log         global
    option      dontlognull
    option      httpclose
    #option      httplog
    option      tcplog
    #option      forwardfor
    option      redispatch
    timeout connect 10000 # default 10 second time out if a backend is not found
    timeout client 300000
    timeout server 300000
    maxconn     60000
    retries     3

frontend tcp-2013-front
    bind *:2013
    mode tcp            # overrides the "mode http" inherited from defaults
    # Whitelist. Rules run in declaration order: a source address listed in
    # the file matches the accept rule and evaluation stops there; any other
    # source falls through to the unconditional reject. The manual excerpt
    # above lists "tcp-request content" for frontend and listen sections
    # only, so the rules sit here rather than in the backend.
    tcp-request content accept if { src -f /usr/local/haproxy/white_ip_list }
    tcp-request content reject
    default_backend     tcp-2013-back

backend tcp-2013-back   # the original was missing the "backend" keyword
    mode tcp
    balance leastconn
    server tcp-2013 10.1.27.20:2013

The white_ip_list whitelist file holds one IP address or network (CIDR notation) per line. HAProxy reads the file when it parses the configuration, so edits to the list take effect only after a reload, and a malformed entry stops HAProxy from starting; check with `haproxy -c -f <config>` before reloading.
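As an added example (not code from this post or from HAProxy), the following Python script lints a whitelist file in the format just described and dry-runs the two rules from the configuration above against test client addresses, so a bad entry or an unintended allow-all line is caught before a reload. The sample whitelist is constructed; the names `parse_whitelist`, `overly_broad`, `src_matches` and `evaluate` are the script's own, and it assumes that blank lines and lines beginning with `#` are ignored by HAProxy, which you should confirm for your version.

```python
"""Lint an HAProxy `src -f` whitelist file and dry-run the accept/reject rules.

Added example for this post; not HAProxy code and not the post's own script.
Assumptions:
  * the pattern file holds one IPv4/IPv6 address or CIDR network per line;
  * blank lines and lines beginning with '#' are ignored (confirm for your
    HAProxy version);
  * rules are evaluated in declaration order and the first matching
    accept/reject decides, as the manual excerpt describes.
"""
import ipaddress

# Constructed sample standing in for /usr/local/haproxy/white_ip_list.
SAMPLE_WHITELIST = """\
# office LAN
10.1.27.0/24
# a single host: a bare address is a /32 (or /128) entry
192.0.2.10
2001:db8::/32
"""


def parse_whitelist(text):
    """Return the entries as ip_network objects.

    A malformed line raises ValueError naming the line, which is better seen
    here than as an HAProxy startup failure after a reload.
    """
    nets = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError as exc:
            raise ValueError(f"white_ip_list line {lineno}: {line!r}: {exc}") from None
    return nets


def overly_broad(nets):
    """Entries that match every address of their family (e.g. 0.0.0.0/0).

    One such line silently turns the whitelist into allow-all, so report it.
    """
    return [net for net in nets if net.prefixlen == 0]


def src_matches(client_ip, nets):
    """Model of the ACL `{ src -f <file> }`: is the source in any entry?"""
    addr = ipaddress.ip_address(client_ip)
    # `addr in net` is False when the address and network families differ,
    # so an IPv4 client never matches an IPv6 entry here.
    return any(addr in net for net in nets)


def evaluate(client_ip, nets):
    """Walk the post's two rules in declaration order and return the verdict.

        tcp-request content accept if { src -f white_ip_list }
        tcp-request content reject
    """
    rules = [
        ("accept", lambda: src_matches(client_ip, nets)),
        ("reject", lambda: True),  # no if/unless: applies unconditionally
    ]
    for action, condition in rules:
        if condition():
            return action
    return "accept"  # manual: default when no rule matched; unreachable here


if __name__ == "__main__":
    entries = parse_whitelist(SAMPLE_WHITELIST)
    for bad in overly_broad(entries):
        print(f"warning: {bad} allows every address")
    for client in ("10.1.27.55", "10.1.28.1", "2001:db8::1", "2001:db9::1"):
        print(f"{client:>14} -> {evaluate(client, entries)}")
```

To check the real file, call `parse_whitelist(open(path).read())` and then `evaluate` with the client addresses you expect to be admitted and a few that must be refused. Because HAProxy loads the pattern file only at configuration time, follow a clean lint with `haproxy -c -f <config>` and a reload. Where your HAProxy version provides `tcp-request connection`, `tcp-request connection reject unless { src -f /usr/local/haproxy/white_ip_list }` performs the same source check at the moment the connection is accepted, before any content inspection.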

Reprints must credit the source: https://www.ttlsa.com/html/3521.html

  • Published 29/10/2013 03:00:22
  • Reprints must keep this link: https://www.ttlsa.com/cluster/haproxy-white-list-settings/
  • Tags: haproxy, tcp-request content accept, tcp-request content reject, whitelist settings
Comments: 1

    • Anonymous

      There are no comments at all; how is anyone supposed to follow this?