How to restrict access for a back-end just to the internal network












1














I have an HAProxy with more than twenty backends and I need to limit access to one specific backend, CP-API.MACKMIL.COM, to the following internal network subnets:



10.10.0.0/16
10.20.0.0/16
10.30.0.0/16
10.40.0.0/16


Currently, with the following query, this domain, CP-API.MACKMIL.COM, can be accessed from the outside world but I want to limit that.



curl -vvv -H'Host: cp-api.mackmil.com' https://api.mackmil.com/initializations


My Haproxy config is as follows,



frontend http-https
bind :80 accept-proxy
bind :443 accept-proxy ssl crt /etc/pki/tls/private/wildcard.mackmil.com.pem crt /etc/pki/tls/private/wildcard.mackmil.de.pem

acl host_cp hdr(host) -i cp-api.mackmil.com
acl host_cp hdr(host) -i cp-api.prod.mackmil.com


use_backend app_cp if host_cp

backend app_cp
server swarm-worker_10.10.30.199 10.10.30.199:64042 check
server swarm-worker_10.10.40.114 10.10.40.114:64042 check
server swarm-worker_10.20.40.159 10.20.40.159:64042 check
server swarm-worker_10.20.30.190 10.20.30.190:64042 check
server swarm-worker_10.30.40.143 10.30.40.143:64042 check
server swarm-worker_10.30.40.161 10.30.40.161:64042 check
server swarm-worker_10.40.40.107 10.40.40.107:64042 check
server swarm-worker_10.40.40.107 10.40.40.107:64042 check


I am struggling on applying this restriction in HTTP/HTTPS mode for just this endpoint.
How can I apply this restriction for this backend?










share|improve this question





























    1














    I have an HAProxy with more than twenty backends and I need to limit access to one specific backend, CP-API.MACKMIL.COM, to the following internal network subnets:



    10.10.0.0/16
    10.20.0.0/16
    10.30.0.0/16
    10.40.0.0/16


    Currently, with the following query, this domain, CP-API.MACKMIL.COM, can be accessed from the outside world but I want to limit that.



    curl -vvv -H'Host: cp-api.mackmil.com' https://api.mackmil.com/initializations


    My Haproxy config is as follows,



    frontend http-https
    bind :80 accept-proxy
    bind :443 accept-proxy ssl crt /etc/pki/tls/private/wildcard.mackmil.com.pem crt /etc/pki/tls/private/wildcard.mackmil.de.pem

    acl host_cp hdr(host) -i cp-api.mackmil.com
    acl host_cp hdr(host) -i cp-api.prod.mackmil.com


    use_backend app_cp if host_cp

    backend app_cp
    server swarm-worker_10.10.30.199 10.10.30.199:64042 check
    server swarm-worker_10.10.40.114 10.10.40.114:64042 check
    server swarm-worker_10.20.40.159 10.20.40.159:64042 check
    server swarm-worker_10.20.30.190 10.20.30.190:64042 check
    server swarm-worker_10.30.40.143 10.30.40.143:64042 check
    server swarm-worker_10.30.40.161 10.30.40.161:64042 check
    server swarm-worker_10.40.40.107 10.40.40.107:64042 check
    server swarm-worker_10.40.40.107 10.40.40.107:64042 check


    I am struggling on applying this restriction in HTTP/HTTPS mode for just this endpoint.
    How can I apply this restriction for this backend?










    share|improve this question



























      1












      1








      1


      0





      I have an HAProxy with more than twenty backends and I need to limit access to one specific backend, CP-API.MACKMIL.COM, to the following internal network subnets:



      10.10.0.0/16
      10.20.0.0/16
      10.30.0.0/16
      10.40.0.0/16


      Currently, with the following query, this domain, CP-API.MACKMIL.COM, can be accessed from the outside world but I want to limit that.



      curl -vvv -H'Host: cp-api.mackmil.com' https://api.mackmil.com/initializations


      My Haproxy config is as follows,



      frontend http-https
      bind :80 accept-proxy
      bind :443 accept-proxy ssl crt /etc/pki/tls/private/wildcard.mackmil.com.pem crt /etc/pki/tls/private/wildcard.mackmil.de.pem

      acl host_cp hdr(host) -i cp-api.mackmil.com
      acl host_cp hdr(host) -i cp-api.prod.mackmil.com


      use_backend app_cp if host_cp

      backend app_cp
      server swarm-worker_10.10.30.199 10.10.30.199:64042 check
      server swarm-worker_10.10.40.114 10.10.40.114:64042 check
      server swarm-worker_10.20.40.159 10.20.40.159:64042 check
      server swarm-worker_10.20.30.190 10.20.30.190:64042 check
      server swarm-worker_10.30.40.143 10.30.40.143:64042 check
      server swarm-worker_10.30.40.161 10.30.40.161:64042 check
      server swarm-worker_10.40.40.107 10.40.40.107:64042 check
      server swarm-worker_10.40.40.107 10.40.40.107:64042 check


      I am struggling on applying this restriction in HTTP/HTTPS mode for just this endpoint.
      How can I apply this restriction for this backend?










      share|improve this question















      I have an HAProxy with more than twenty backends and I need to limit access to one specific backend, CP-API.MACKMIL.COM, to the following internal network subnets:



      10.10.0.0/16
      10.20.0.0/16
      10.30.0.0/16
      10.40.0.0/16


      Currently, with the following query, this domain, CP-API.MACKMIL.COM, can be accessed from the outside world but I want to limit that.



      curl -vvv -H'Host: cp-api.mackmil.com' https://api.mackmil.com/initializations


      My Haproxy config is as follows,



      frontend http-https
      bind :80 accept-proxy
      bind :443 accept-proxy ssl crt /etc/pki/tls/private/wildcard.mackmil.com.pem crt /etc/pki/tls/private/wildcard.mackmil.de.pem

      acl host_cp hdr(host) -i cp-api.mackmil.com
      acl host_cp hdr(host) -i cp-api.prod.mackmil.com


      use_backend app_cp if host_cp

      backend app_cp
      server swarm-worker_10.10.30.199 10.10.30.199:64042 check
      server swarm-worker_10.10.40.114 10.10.40.114:64042 check
      server swarm-worker_10.20.40.159 10.20.40.159:64042 check
      server swarm-worker_10.20.30.190 10.20.30.190:64042 check
      server swarm-worker_10.30.40.143 10.30.40.143:64042 check
      server swarm-worker_10.30.40.161 10.30.40.161:64042 check
      server swarm-worker_10.40.40.107 10.40.40.107:64042 check
      server swarm-worker_10.40.40.107 10.40.40.107:64042 check


      I am struggling on applying this restriction in HTTP/HTTPS mode for just this endpoint.
      How can I apply this restriction for this backend?







      backend haproxy restrict






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited Nov 15 '18 at 15:12

























      asked Nov 14 '18 at 11:41









      Hadi

      165




      165
























          1 Answer
          1






          active

          oldest

          votes


















          1














          It got fixed by putting this in that backend:



          acl internal_subnets src 10.10.0.0/16
          acl internal_subnets src 10.20.0.0/16
          acl internal_subnets src 10.30.0.0/16
          acl internal_subnets src 10.40.0.0/16
          http-request deny if ! internal_subnets





          share|improve this answer





















            Your Answer






            StackExchange.ifUsing("editor", function () {
            StackExchange.using("externalEditor", function () {
            StackExchange.using("snippets", function () {
            StackExchange.snippets.init();
            });
            });
            }, "code-snippets");

            StackExchange.ready(function() {
            var channelOptions = {
            tags: "".split(" "),
            id: "1"
            };
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function() {
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled) {
            StackExchange.using("snippets", function() {
            createEditor();
            });
            }
            else {
            createEditor();
            }
            });

            function createEditor() {
            StackExchange.prepareEditor({
            heartbeatType: 'answer',
            autoActivateHeartbeat: false,
            convertImagesToLinks: true,
            noModals: true,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: 10,
            bindNavPrevention: true,
            postfix: "",
            imageUploader: {
            brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
            contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
            allowUrls: true
            },
            onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            });


            }
            });














            draft saved

            draft discarded


















            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53299427%2fhow-to-restrict-access-for-a-back-end-just-to-the-internal-network%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown

























            1 Answer
            1






            active

            oldest

            votes








            1 Answer
            1






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes









            1














            It got fixed by putting this in that backend:



            acl internal_subnets src 10.10.0.0/16
            acl internal_subnets src 10.20.0.0/16
            acl internal_subnets src 10.30.0.0/16
            acl internal_subnets src 10.40.0.0/16
            http-request deny if ! internal_subnets





            share|improve this answer


























              1














              It got fixed by putting this in that backend:



              acl internal_subnets src 10.10.0.0/16
              acl internal_subnets src 10.20.0.0/16
              acl internal_subnets src 10.30.0.0/16
              acl internal_subnets src 10.40.0.0/16
              http-request deny if ! internal_subnets





              share|improve this answer
























                1












                1








                1






                It got fixed by putting this in that backend:



                acl internal_subnets src 10.10.0.0/16
                acl internal_subnets src 10.20.0.0/16
                acl internal_subnets src 10.30.0.0/16
                acl internal_subnets src 10.40.0.0/16
                http-request deny if ! internal_subnets





                share|improve this answer












                It got fixed by putting this in that backend:



                acl internal_subnets src 10.10.0.0/16
                acl internal_subnets src 10.20.0.0/16
                acl internal_subnets src 10.30.0.0/16
                acl internal_subnets src 10.40.0.0/16
                http-request deny if ! internal_subnets






                share|improve this answer












                share|improve this answer



                share|improve this answer










                answered Nov 15 '18 at 15:10









                Hadi

                165




                165






























                    draft saved

                    draft discarded




















































                    Thanks for contributing an answer to Stack Overflow!


                    • Please be sure to answer the question. Provide details and share your research!

                    But avoid



                    • Asking for help, clarification, or responding to other answers.

                    • Making statements based on opinion; back them up with references or personal experience.


                    To learn more, see our tips on writing great answers.





                    Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


                    Please pay close attention to the following guidance:


                    • Please be sure to answer the question. Provide details and share your research!

                    But avoid



                    • Asking for help, clarification, or responding to other answers.

                    • Making statements based on opinion; back them up with references or personal experience.


                    To learn more, see our tips on writing great answers.




                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function () {
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53299427%2fhow-to-restrict-access-for-a-back-end-just-to-the-internal-network%23new-answer', 'question_page');
                    }
                    );

                    Post as a guest















                    Required, but never shown





















































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown

































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown







                    Popular posts from this blog

                    Guess what letter conforming each word

                    Port of Spain

                    Run scheduled task as local user group (not BUILTIN)