haproxy tcp IP whitelist

```
global
    maxconn 20000
    ulimit-n 204800
    log 127.0.0.1 local3
    user haproxy
    group haproxy
    chroot /var/empty
    daemon
    pidfile /var/run/haproxy.pid

defaults
    log global
    mode tcp
    retries 3
    timeout connect 5s
    timeout client 30s
    timeout server 30s
    option redispatch
    option nolinger
    no option dontlognull
    option tcplog
    option log-separate-errors

listen admin_stats
    bind 0.0.0.0:2600
    mode http
    log 127.0.0.1 local3 err
    stats refresh 30s
    stats uri /haproxy_status
    stats realm welcome login\ Haproxy
    stats auth admin:Lingting@123
    stats hide-version
    stats admin if TRUE

frontend mysql_rw
    bind 0.0.0.0:6330
    mode tcp
    acl accept_clients src -f /usr/local/haproxy/etc/iplist.lst
    tcp-request content accept if accept_clients
    tcp-request content reject
    default_backend db_rw

frontend redis_test
    bind 0.0.0.0:1637
    mode tcp
    acl accept_clients src -f /usr/local/haproxy/etc/iplistx.lst
    tcp-request content accept if accept_clients
    #tcp-request connection accept if { src -f /usr/local/haproxy/etc/iplist.lst }
    tcp-request content reject
    default_backend redis_lingting_test

backend db_rw
    mode tcp
    server db1 192.168.1.956:3306 check inter 1500 rise 3 fall 3 weight 2

backend redis_lingting_test
    mode tcp
    server db1 192.168.1.866:6379 check inter 1500 rise 3 fall 3 weight 2
```
---------------

Here src, src_port, dst and dst_port are the match criteria (the criterion), and what follows each of them is its value.

For example:

```
acl accept_clients src 192.168.100.0/24
acl reject_clients src 172.16.0.0/16
tcp-request content accept if accept_clients
tcp-request content reject if reject_clients
tcp-request content reject # this line means anything not matched by the first two rules is rejected by default
```
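The rule ordering above and the `src -f <file>` lists used in the config can be checked before a reload. The following is an added example, not code from the post: it parses an HAProxy-style address list (one IP or CIDR per line, `#` comments), rejects malformed entries, and evaluates a source address against the `tcp-request content` rules in order. The list contents are constructed samples; the real `iplist.lst` files are not on the page.

```python
import ipaddress

# Constructed sample contents in the format HAProxy expects for 'src -f <file>'
# (the page's /usr/local/haproxy/etc/iplist.lst files are not shown).
ACCEPT_LIST = """\
# application hosts allowed to reach mysql_rw / redis_test
192.168.100.0/24
10.0.5.17
"""
REJECT_LIST = "172.16.0.0/16\n"


def load_iplist(text):
    """Parse an address list: one IP or CIDR per line, '#' starts a comment.
    A malformed entry raises, so the file can be validated before 'haproxy -c'."""
    nets = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {entry!r} is not an IP or CIDR") from exc
    return nets


def src_matches(client_ip, nets):
    """Equivalent of the 'src -f <file>' ACL test for a single source address."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in nets)


def decide(client_ip, rules):
    """Evaluate ordered tcp-request content rules; each rule is (action, nets),
    with nets=None for an unconditional rule. First match wins. If no rule
    matches, HAProxy lets the connection through, which is why the page's
    example ends with a bare 'tcp-request content reject'."""
    for action, nets in rules:
        if nets is None or src_matches(client_ip, nets):
            return action
    return "accept"


# The page's example rule set, in the same order:
#   accept if accept_clients / reject if reject_clients / reject (default)
PAGE_RULES = [
    ("accept", load_iplist(ACCEPT_LIST)),
    ("reject", load_iplist(REJECT_LIST)),
    ("reject", None),
]
```

After the lists pass this check, `haproxy -c -f /path/to/haproxy.cfg` validates the full configuration without starting the proxy.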

posted @ 2024-06-03 12:00  技术颜良