Heads up! This post was written 7 years ago. Some information might be outdated or may have changed since then.
Haproxy is an awesome load balancer for TCP and HTTP connections. In this short post we will see how to secure bind by source IP address Configuration of HaProxy to allow and reject connections by IP Address: For doing this we will use ACL to check source IP and based on it we will decide how to proceed.
In my use case I want to publish RabbitMQ management interface to few public users. It will be served through different from 80/443 port. So my config looks like: 
listen port_5672
    bind :15672
    mode tcp
    acl network_allowed src 1.1.1.1 2.2.2.2.2
    tcp-request connection reject if !network_allowed
    server rmq_rmq1_1 127.0.0.1:25672 check
Note: RabbitMQ management interface is running on port 25672
So as you can see I’m adding new listener on port 15672 which backend will be 127.0.0.1:25672. Interesting part here is ACL conditions 
acl network_allowed src 1.1.1.1 2.2.2.2.2
tcp-request connection reject if !network_allowed
It’s a pretty straightforward and self-explanatory. Of course this can be used in frontend section as well.
For example: 
frontend www
    bind *:80
    mode tcp
    acl network_allowed src 1.1.1.1 2.2.2.2
    tcp-request connection reject if !network_allowed
    use_backend backend_server_original

Happy codding!

Back to all posts