Package: haproxy
Version: 1.4.8-1
Severity: wishlist

HAProxy supports IPv6, when listening/binding, as well
as when forwarding to backend servers. Everything works,
including logging. I have not yet tested balancing using
IP source hashing, but I hope it works.

I have another problem. I have proxy servers behind a HAproxy
in tcp mode, and would like to limit access to this service
to only some IPv6 subnets and IPv6 addresses.

With IPv4 I would just use:
  acl mytrustedclients4 src 10.2.3.0/24
  tcp-request content accept if mytrustedclients4
  tcp-request content reject # rest: ipv6 and not trusted ipv4

With IPv6 I cannot use src, and the last tcp-request keyword
will cause them to be rejected. So I need to change
it to actually accept, which will allow traffic,
but will allow any source IPv6 address,
as well as IPv4. I can probably work around this by using:
  acl mytrustedclients4 src 10.2.3.0/24
  acl restofipv4 src 0.0.0.0/0
  tcp-request content accept if mytrustedclients4
  tcp-request content reject if restofipv4
  tcp-request content accept # only ipv6

but I still have no way to filter out IPv6 clients
I do not want. I would like to use something like this:

  acl mytrustedclients6 src6 2001:470:1234:123::/64

The current workaround is to use ip6tables and iptables
to accept/deny in INPUT filter chains. But having
IPv6 ACLs in haproxy, just like IPv4, would often be a better
solution (especially when logging is needed,
or when a more portable solution is wanted, or to
perform something other than just blocking traffic to some IPv6 addresses).

Thanks.

-- System Information:
Debian Release: 6.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-xen-686 (SMP w/2 CPU cores)
Locale: LANG=, LC_CTYPE= (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash

Versions of packages haproxy depends on:
ii  adduser                       3.112+nmu2 add and remove users and groups
ii  libc6                         2.11.2-10  Embedded GNU C Library: Shared lib
ii  libpcre3                      8.02-1.1   Perl 5 Compatible Regular Expressi

haproxy recommends no packages.

haproxy suggests no packages.

-- Configuration Files:
/etc/default/haproxy changed [not included]
/etc/haproxy/haproxy.cfg changed [not included]

-- no debconf information
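
The ip6tables/iptables workaround mentioned in the report, written out as an added example (it is not part of the original report or of the haproxy package). It generates iptables-restore input that accepts the trusted prefixes quoted above and logs and rejects everything else on the listener port. The port number 3128, the log prefix and the function name emit_rules are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: build iptables-restore / ip6tables-restore input that
# limits one TCP port to trusted source prefixes.
# PORT is an assumed listener port; the prefixes are those quoted in the report.
PORT=3128
TRUSTED4="10.2.3.0/24"
TRUSTED6="2001:470:1234:123::/64"

# emit_rules PORT PREFIX...
# Prints a *filter fragment: accept the listed sources, then log and
# reject every other connection to PORT. Rules are appended (-A), so any
# earlier INPUT rule that already accepts this traffic still wins.
emit_rules() {
    port=$1; shift
    echo "*filter"
    for prefix in "$@"; do
        echo "-A INPUT -p tcp --dport $port -s $prefix -j ACCEPT"
    done
    echo "-A INPUT -p tcp --dport $port -j LOG --log-prefix \"haproxy-denied: \""
    echo "-A INPUT -p tcp --dport $port -j REJECT --reject-with tcp-reset"
    echo "COMMIT"
}

# Review the output, then load it as root without flushing existing rules:
#   emit_rules "$PORT" $TRUSTED4 | iptables-restore --noflush
#   emit_rules "$PORT" $TRUSTED6 | ip6tables-restore --noflush
emit_rules "$PORT" $TRUSTED4
emit_rules "$PORT" $TRUSTED6
```

The IPv4 and IPv6 fragments must be loaded separately because iptables and ip6tables keep independent rule sets.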


