
How to define OpenVPN network in haproxy ACLs

Unix & Linux Asked by Zili on November 26, 2021

I would like to define the OpenVPN network in haproxy ACLs.
The OpenVPN server and haproxy are running on the same server (X.X.X.X/32).
Is it possible to set up haproxy to allow requests only from the OpenVPN network? I tried something like this, but it is not working:

acl vpnnetwork src 10.10.0.0/16

Thanks in Advance

I’m attaching my OpenVPN conf file:

port 1194
proto udp6
dev tun

ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh.pem
# a single CRL file; pointing crl-verify at a bare directory needs the "dir" flag
crl-verify /etc/openvpn/keys/ca-crl.pem
tls-auth /etc/openvpn/keys/ta.key 0
tls-server
auth SHA256
cipher AES-256-CBC
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384:TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
client-to-client

server 10.10.0.0 255.255.0.0
ifconfig-pool-persist ipp.txt

keepalive 5 30
persist-key
persist-tun
user nobody
group nogroup
status openvpn-status.log
status-version 1
log-append /var/log/openvpn.log
verb 3

One Answer

Here is my haproxy cfg that is working for me:

frontend http_in
        mode http
        option httplog
        bind *:80
        option forwardfor

        # reject every request whose TCP source is not in the OpenVPN pool
        # (server 10.10.0.0 255.255.0.0); this uses an anonymous ACL, so no
        # separate "acl" line is needed
        http-request deny if !{ src 10.10.0.0/16 }

        acl discourse_acl hdr(host) -i discourse.test.com
        use_backend discourse_http if discourse_acl

backend discourse_http
        mode http
        # option httplog is a frontend/defaults option, so it is not repeated here
        option forwardfor
        server discourse_server 10.115.0.2:8080

The domain name discourse.test.com needs to point to 10.10.0.1 (the IP from the VPN network), and haproxy should be reloaded. If I connect to the VPN, discourse.test.com:80 works; without the VPN I cannot browse discourse.test.com.

Answered by Zili on November 26, 2021
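As an added example (not part of the question or the answer above), the following Python script correlates HAProxy `option httplog` lines with the OpenVPN status file that the server config writes via `status openvpn-status.log` / `status-version 1`: each request's source address is attributed to a VPN common name, a source inside the 10.10.0.0/16 pool with no routing-table entry is flagged, and a source outside the pool is flagged as well, since with the `http-request deny` rule in place such a line should only ever carry the 403 that the deny returns. The status file and log lines are constructed samples; the client name alice and the host name gw are assumptions.

```python
import ipaddress
import re

# Constructed sample: OpenVPN status file in "status-version 1" layout, as
# written by "status openvpn-status.log" in the server config above.
STATUS_LOG = """\
OpenVPN CLIENT LIST
Updated,Fri Nov 26 10:00:00 2021
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
alice,198.51.100.7:51234,1024,2048,Fri Nov 26 09:00:00 2021
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.10.0.6,alice,198.51.100.7:51234,Fri Nov 26 09:59:00 2021
GLOBAL STATS
END
"""
# Constructed sample: three httplog lines from frontend http_in (host "gw" is assumed).
HAPROXY_LOG = """\
Nov 26 10:01:00 gw haproxy[812]: 10.10.0.6:44321 [26/Nov/2021:10:01:00.123] http_in discourse_http/discourse_server 0/0/1/20/21 200 1234 - - ---- 1/1/0/0/0 0/0 "GET / HTTP/1.1"
Nov 26 10:01:05 gw haproxy[812]: 10.10.0.9:44322 [26/Nov/2021:10:01:05.456] http_in discourse_http/discourse_server 0/0/1/20/21 200 1234 - - ---- 1/1/0/0/0 0/0 "GET /latest HTTP/1.1"
Nov 26 10:01:09 gw haproxy[812]: 203.0.113.4:5555 [26/Nov/2021:10:01:09.789] http_in http_in/<NOSRV> 0/-1/-1/-1/0 403 188 - - PR-- 1/1/0/0/0 0/0 "GET / HTTP/1.1"
"""
VPN_NET = ipaddress.ip_network("10.10.0.0/16")  # same pool as "server 10.10.0.0 255.255.0.0"

def parse_routing_table(status_text):
    # {virtual_ip: common_name} from the ROUTING TABLE section of a status-version 1 file
    mapping, in_table = {}, False
    for line in status_text.splitlines():
        if line in ("ROUTING TABLE", "GLOBAL STATS"):
            in_table = line == "ROUTING TABLE"
        elif in_table and not line.startswith("Virtual Address"):
            vip, cn = line.split(",")[:2]
            mapping[vip] = cn
    return mapping

# source ip:port, [date], frontend, backend/server, timers, HTTP status
HTTPLOG_RE = re.compile(r'haproxy\[\d+\]: (?P<src>[\d.]+):\d+ \[[^\]]+\] \S+ \S+ \S+ (?P<status>\d{3}) ')

def classify_requests(haproxy_text, status_text):
    # list of (src, http_status, label); label is the VPN common name or a flag
    clients = parse_routing_table(status_text)
    results = []
    for m in HTTPLOG_RE.finditer(haproxy_text):
        src = ipaddress.ip_address(m.group("src"))
        if src not in VPN_NET:
            label = "outside-vpn"  # only expected together with the deny rule's 403
        else:
            label = clients.get(str(src), "vpn-pool-unmapped")  # in pool, no active client
        results.append((str(src), int(m.group("status")), label))
    return results
```

A request labelled "outside-vpn" with any status other than 403, or a "vpn-pool-unmapped" source, is the condition worth alerting on when checking that the deny rule behaves as intended.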
