How to Implement IP Blocking in HAProxy Like Apache’s “deny from” Directive

HAProxy provides Access Control Lists (ACLs) that let you implement IP-based restrictions similar to Apache's "deny from" directive. The main difference is that HAProxy evaluates them at the load-balancer layer rather than in the web server: a request refused by http-request deny is answered with a 403 by default and never reaches a backend.


frontend http-in
    bind *:80
    acl blocked_ips src 192.168.1.100 10.0.0.5
    http-request deny if blocked_ips
    default_backend servers

For blocking entire ranges, you can use CIDR notation:


acl bad_network src 192.168.1.0/24
http-request deny if bad_network

For large lists, store the addresses in a file and reference it. The file holds one IP address or CIDR prefix per line; empty lines and lines beginning with # are ignored, and a malformed line makes HAProxy refuse to load the configuration:


acl malicious_ips src -f /etc/haproxy/blocked_ips.lst
http-request deny if malicious_ips

HAProxy has no built-in GeoIP lookup (there is no src_geoip fetch). The usual approach is to export the GeoIP database into a map file whose keys are networks and whose values are country codes, then match the result of a map_ip lookup on the source address:


acl country_block src,map_ip(/etc/haproxy/geoip.map) -m str CN
http-request deny if country_block

Rate-based blocking can be combined with a static list. src_http_req_rate reads from a stick-table, so the table (here declared in a backend named abuse with "store http_req_rate(10s)") must exist and the source must be tracked into it before the ACL is evaluated; "gt 50" then means more than 50 requests in the table's 10-second window:


    http-request track-sc0 src table abuse
    acl abusive_clients src_http_req_rate(abuse) gt 50
    acl known_abuser src -f /etc/haproxy/abusers.lst
    http-request deny if abusive_clients || known_abuser

Denied requests are logged like any other: with the HTTP log format the termination state field (%tsc) reads PR-- and the status (%st) is 403 for a request refused by an http-request rule, so blocked attempts can be found by filtering on that field. To record the client's User-Agent as well, declare a header capture in the frontend; the log-format below is the standard HTTP log format, with captured headers appearing in %hr:


    capture request header User-Agent len 64
    log-format "%ci:%cp [%t] %f %b/%s %Tq/%Tw/%Tc/%Tr/%Tt %st %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r"
    http-request deny if blocked_ips

For changes without a reload, use HAProxy's Runtime API. It addresses a list by the file it was loaded from (or by the #<id> that "show acl" with no argument prints), not by the name given on the acl line, and it only alters the in-memory copy: update the file too, or the change is lost at the next reload. The socket must be declared in the global section with "stats socket /var/run/haproxy/admin.sock level admin"; "del acl" removes an entry the same way "add acl" adds one:


echo "add acl /etc/haproxy/blocked_ips.lst 203.0.113.45" | socat stdio /var/run/haproxy/admin.sock
echo "show acl /etc/haproxy/blocked_ips.lst" | socat stdio /var/run/haproxy/admin.sock
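The following POSIX shell script is an added example, not code from the article: it keeps a "src -f" list file and the running HAProxy's in-memory copy of it in sync. It validates each entry before anything is written (a malformed pattern in the file would make the next reload fail), appends idempotently, and pushes the same change through the Runtime API using the file path as the ACL identifier. The list path, socket path and function names are assumptions chosen for the example; the same script serves the abusers and country lists discussed above.

```shell
#!/bin/sh
# Added example, not from the article. Assumes the config loads the list with
#   acl blocked_ips src -f /etc/haproxy/blocked_ips.lst
# and the global section has
#   stats socket /var/run/haproxy/admin.sock mode 660 level admin
# BLOCKLIST, HAPROXY_SOCK and the function names are hypothetical.
BLOCKLIST="${BLOCKLIST:-/etc/haproxy/blocked_ips.lst}"
HAPROXY_SOCK="${HAPROXY_SOCK:-/var/run/haproxy/admin.sock}"

# Accept only a dotted-quad IPv4 address, optionally followed by /0-32.
# HAProxy refuses to load a -f file containing a malformed pattern, so
# validate before appending. Returns 0 when the entry is acceptable.
valid_ipv4_entry() {
    printf '%s\n' "$1" | awk -F'[./]' '
        NF != 4 && NF != 5 { exit 1 }
        {
            for (i = 1; i <= 4; i++)
                if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
            if (NF == 5 && ($5 !~ /^[0-9]+$/ || $5 > 32)) exit 1
        }'
}

# Send one Runtime API command. If the socket is absent (cold host, or
# HAProxy not running) the file update still goes through and a reload
# will pick it up, so this deliberately returns 0 in that case.
haproxy_cmd() {
    [ -S "$HAPROXY_SOCK" ] || return 0
    printf '%s\n' "$1" | socat stdio "unix-connect:$HAPROXY_SOCK"
}

# Add an entry to the file (once) and to the live ACL. The Runtime API
# identifies the ACL by the file it was loaded from, not by "blocked_ips".
block_ip() {
    entry="$1"
    valid_ipv4_entry "$entry" || { echo "rejecting malformed entry: $entry" >&2; return 1; }
    touch "$BLOCKLIST"
    if grep -qxF "$entry" "$BLOCKLIST"; then
        echo "already listed: $entry" >&2
        return 0
    fi
    printf '%s\n' "$entry" >> "$BLOCKLIST"
    haproxy_cmd "add acl $BLOCKLIST $entry"
}

# Remove an entry from the file and from the live ACL.
unblock_ip() {
    entry="$1"
    valid_ipv4_entry "$entry" || return 1
    [ -f "$BLOCKLIST" ] || return 0
    # grep exits 1 when no lines remain, which is not an error here
    grep -vxF "$entry" "$BLOCKLIST" > "$BLOCKLIST.tmp" || :
    mv "$BLOCKLIST.tmp" "$BLOCKLIST"
    haproxy_cmd "del acl $BLOCKLIST $entry"
}
```

Run it as "block_ip 203.0.113.45" or "block_ip 198.51.100.0/24" on the host that owns the socket; because the file is updated first, a host where HAProxy is down still ends up with the correct list and converges on the next reload.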

HAProxy provides access control comparable to Apache's "deny from" directive (mod_authz_host in Apache 2.2, mod_access_compat in 2.4), but implemented differently: HAProxy filters by source address at the load-balancer level, before a request reaches any backend server.

The most common method uses Access Control Lists (ACLs) in your HAProxy configuration:

frontend http-in
    bind *:80
    acl restricted_ip src 192.168.1.100
    http-request deny if restricted_ip
    default_backend servers

For blocking entire subnets, you can use CIDR notation:

acl malicious_network src 203.0.113.0/24
http-request deny if malicious_network

For large blocklists, maintain IPs in separate files:

acl blocked_ips src -f /etc/haproxy/blocked_ips.lst
http-request deny if blocked_ips

HAProxy can block abusive sources automatically with a stick-table. The table keeps one entry per source IP and counts requests over a 10-second window; "gt 100" therefore means more than 100 requests in 10 seconds. Sources on the whitelist file are still tracked but never denied, and the frontend must be in HTTP mode for http_req_rate and http-request to apply:

frontend http-in
    bind *:80
    mode http
    stick-table type ip size 1m expire 1h store http_req_rate(10s)
    tcp-request content track-sc0 src
    acl abuse sc0_http_req_rate gt 100
    acl whitelist src -f /etc/haproxy/whitelist.lst
    http-request deny if abuse !whitelist
    default_backend servers
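As an added example that is not from the article, this shell script reads the stick-table behind the abuse ACL through the Runtime API and lists the sources currently over the threshold, so an operator can review them and move repeat offenders into the static blocklist file. The table name http-in, the socket path, the allowlist path and the function names are assumptions; the embedded table dump is constructed in the layout "show table" prints and is used only when no socket is reachable.

```shell
#!/bin/sh
# Added example, not from the article. Assumes the stick-table is declared in
# a frontend named http-in and stores http_req_rate(10s); the socket path and
# function names are hypothetical.
HAPROXY_SOCK="${HAPROXY_SOCK:-/var/run/haproxy/admin.sock}"

# Constructed sample in the layout "show table" prints; used when no socket exists.
SAMPLE_TABLE='# table: http-in, type: ip, size:1048576, used:3
0x5616e3a0a2d0: key=203.0.113.45 use=0 exp=3599991 http_req_rate(10000)=157
0x5616e3a0a3e0: key=198.51.100.7 use=1 exp=3599120 http_req_rate(10000)=3
0x5616e3a0a4f0: key=192.0.2.200 use=0 exp=3598000 http_req_rate(10000)=101'

# Dump the named table from the live process, or the sample when offline.
dump_table() {   # $1 = table name
    if [ -S "$HAPROXY_SOCK" ]; then
        printf 'show table %s\n' "$1" | socat stdio "unix-connect:$HAPROXY_SOCK"
    else
        printf '%s\n' "$SAMPLE_TABLE"
    fi
}

# Print "ip rate" for every entry whose http_req_rate exceeds $2, highest first.
offenders_over() {   # $1 = table name, $2 = threshold
    dump_table "$1" | awk -v limit="$2" '
        /^#/ { next }                       # header line
        {
            ip = ""; rate = -1
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^key=/) ip = substr($i, 5)
                if ($i ~ /^http_req_rate\(/) { split($i, kv, "="); rate = kv[2] }
            }
            if (ip != "" && rate + 0 > limit + 0) print ip, rate
        }' | sort -k2,2nr
}

# Offenders that are not on the allowlist file ($3, one entry per line,
# exact match only): these are the candidates for the static blocklist.
promote_candidates() {   # $1 = table name, $2 = threshold, $3 = allowlist file
    offenders_over "$1" "$2" | while read -r ip rate; do
        if [ -f "$3" ] && grep -qxF "$ip" "$3"; then
            continue
        fi
        printf '%s\n' "$ip"
    done
}
```

Against a live socket, "offenders_over http-in 100" shows who is tripping the rule right now; HAProxy can do the filtering itself with "show table http-in data.http_req_rate gt 100", and "clear table http-in key <ip>" resets a false positive without a reload. Promoting a candidate means appending it to the -f file and adding it through "add acl", so the block survives the table entry's expiry.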

HAProxy ships no GeoIP module. To block a whole country, export its networks from a GeoIP database into a plain list (one CIDR per line) and load it like any other blocklist; the acl line alone does nothing until a rule uses it:

acl is_china src -f /etc/haproxy/geoip/cn.force
http-request deny if is_china

For optimal performance:

  • http-request rules are evaluated in order and stop at the first deny, so place the rules that reject the most traffic first
  • Reject at the connection level ("tcp-request connection reject if blocked_ips") so HAProxy closes the connection before parsing any HTTP; this works in both TCP and HTTP frontends
  • For very large lists, consider an ipset or nftables rule in the kernel so rejected packets never reach HAProxy at all

Add custom error responses. The file must contain a complete raw HTTP response (status line, headers, blank line, body) and is sent as-is for every 403, including those produced by http-request deny; to answer a rate-limit denial with a different code, use "http-request deny deny_status 429" instead of relying on the default 403:

errorfile 403 /etc/haproxy/errors/403.http