Nginx
Multiple forwardfor directives in an HAProxy configuration
forwardfor
In HAProxy, I want to forwardfor everything except the following few networks (multiple networks):

    frontend main
        bind myip:5356-60000
        mode http
        option http_proxy
        option forwardfor except 127.0.0.0/8 #1st network
        option forwardfor except 1.1.1.1/32 #2nd network
        option forwardfor except 2.2.2.2/32 #3rd network
        option forwardfor except 3.3.3.3/32 #4th network
        maxconn 950
        timeout client 30s
        default_backend mybackendserver
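This does not work: instead of not forwarding for all of the specified networks, it only applies to the last one (the 4th network).

Each "option forwardfor except my-network-here" directive overrides the previous one instead of appending to it. How can I forward for everything except a whitelist of multiple networks?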
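I ended up using a somewhat hacky solution. It is not my first choice, but it does what I need. In the haproxy configuration I used an acl whitelist containing all the IPs I do not want to forward for. If a request comes from an IP that is in the whitelist, haproxy uses a second backend that is identical to the first one, except that it does not forward. I basically moved the forwardfor option into the backend section instead of the frontend.

So,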
    frontend main
        bind myip:5356-60000
        mode http
        option http_proxy
        maxconn 950
        timeout client 30s
        acl white_list_noforward src 1.1.1.1 2.2.2.2 3.3.3.3 # etc..
        #explanation: if the ip is not found in the whitelist, use the backend_that_forwards, else, and the ip is in the whitelist use the backend_that_DOESNT_forward
        use_backend backend_that_forwards if !white_list_noforward
        use_backend backend_that_DOESNT_forward if white_list_noforward
        #default to the backend that forwards just in case something goes wrong
        default_backend backend_that_forwards

    backend backend_that_forwards #forwards client ip
        mode http
        option forwardfor except 127.0.0.0/8 # <-- THIS forwards the real client ip except 127.0.0.0/8
        balance roundrobin
        timeout connect 5s
        timeout server 5s
        server static 127.0.0.1:80 # same server for both backends

    #DOES NOT forward the client-ip (No option forwardfor is used here), used to handle all requests coming in from ips that I do not wish to forward for
    backend backend_that_DOESNT_forward
        mode http
        balance roundrobin
        timeout connect 5s
        timeout server 5s
        server static 127.0.0.1:80 # same server for both backends
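A lint check for the problem described in the question, as an added example that is not part of the original posts: it scans an HAProxy configuration for sections with more than one "option forwardfor except" line and reports which networks are shadowed. The function names and the sample text are hypothetical, and the "last line wins" behaviour is taken from the question's own observation.

```python
import ipaddress
import re

SECTION_RE = re.compile(r"^(frontend|backend|listen|defaults)\b\s*(\S*)")
FWD_RE = re.compile(r"^option\s+forwardfor\b.*?\bexcept\s+(\S+)")

# Constructed sample: the frontend from the question, one directive per line.
SAMPLE_CFG = """\
frontend main
    bind myip:5356-60000
    mode http
    option forwardfor except 127.0.0.0/8 #1st network
    option forwardfor except 1.1.1.1/32 #2nd network
    option forwardfor except 2.2.2.2/32 #3rd network
    option forwardfor except 3.3.3.3/32 #4th network
    default_backend mybackendserver
"""

def find_shadowed_excepts(cfg_text):
    """Return {section: {"effective": net, "shadowed": [nets]}} for every
    section that holds more than one 'option forwardfor except' line."""
    seen = {}
    section = None
    for raw in cfg_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = f"{m.group(1)} {m.group(2)}".strip()
            continue
        m = FWD_RE.match(line)
        if m and section:
            net = ipaddress.ip_network(m.group(1), strict=False)
            seen.setdefault(section, []).append(net)
    return {s: {"effective": nets[-1], "shadowed": nets[:-1]}
            for s, nets in seen.items() if len(nets) > 1}

def gets_xff(client_ip, entry):
    """Assumption from the question: only the last 'except' network applies,
    so every other source address still gets X-Forwarded-For added."""
    return ipaddress.ip_address(client_ip) not in entry["effective"]
```

Running it over a real configuration file before a reload shows which exempted networks would still have their address forwarded to the backend.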