HAProxy Country filtering ACL

It has been a few years since I wrote my IP Country generator. As I recently added a new file, geoip.txt (warning, big file!), for use with HAProxy, I will show you how you can easily create an ACL in HAProxy to filter a specific country.

There are many articles about HAProxy GeoIP, but they all use Maxmind’s GeoIP database and the iprange tool, which you have to compile, plus scripts to generate the files… Now you can have a daily updated geoip.txt for HAProxy easily: just download the geoip.txt file and put it (for example) at /etc/haproxy/geoip.txt. IPv6 ranges are included. You can create a cron job to download this file to keep it updated.

How to use it? Let’s take the webmin backend definition in my haproxy.cfg as an example. It allows access only from the LAN, Slovakia and the Czech Republic:

backend webmin
        mode http
        option forwardfor
        http-request set-header X-Forwarded-Port %[dst_port]
        http-request set-header X-Forwarded-Proto https if { ssl_fc }
# ...
#       GeoIP ACL - allow only from SK and CZ
        acl acl_geoloc_sk_cz src,map_ip(/etc/haproxy/geoip.txt) -m reg -i (SK|CZ)
        acl acl_internal src  10.0.0.0/8 192.168.0.0/16
        http-request deny if !acl_geoloc_sk_cz !acl_internal

Yes, it is so easy.
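If a cron job refreshes /etc/haproxy/geoip.txt, a truncated or empty download leaves map_ip with nothing to match, and the deny rule above then rejects every client outside the LAN ranges. The following is an added example, not code from the original post: it validates a downloaded map and only then swaps it into place atomically. The two-letter value format, the sample ranges and the function names are assumptions.

```python
import ipaddress
import os
import re
import tempfile

# Constructed sample in HAProxy map format ("<network> <value>"), using
# documentation ranges rather than real country allocations.
SAMPLE = """\
# constructed sample
192.0.2.0/24 SK
198.51.100.0/24 CZ
203.0.113.0/24 DE
2001:db8::/32 SK
"""

def parse_map(text):
    """Return [(network, country)]; raise ValueError on any malformed line."""
    entries = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 2 or not re.fullmatch(r"[A-Z]{2}", parts[1]):
            raise ValueError(f"line {n}: expected '<network> <CC>'")
        try:
            entries.append((ipaddress.ip_network(parts[0]), parts[1]))
        except ValueError as exc:
            raise ValueError(f"line {n}: {exc}") from None
    return entries

def lookup(entries, addr):
    """Country of the most specific network containing addr, or None."""
    ip = ipaddress.ip_address(addr)
    hits = [(net.prefixlen, cc) for net, cc in entries
            if net.version == ip.version and ip in net]
    return max(hits)[1] if hits else None

def install(text, dest, min_entries, canaries):
    """Validate text, then atomically replace dest; dest is untouched on error."""
    entries = parse_map(text)
    if len(entries) < min_entries:
        raise ValueError(f"only {len(entries)} entries, expected >= {min_entries}")
    for addr, cc in canaries.items():  # addresses whose country you know
        if lookup(entries, addr) != cc:
            raise ValueError(f"canary {addr} no longer maps to {cc}")
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(dest) or ".")
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.chmod(tmp, 0o644)
    os.replace(tmp, dest)  # rename within one directory is atomic on POSIX
    return len(entries)
```

HAProxy reads the map file when it starts, so reload it after a successful install for the new ranges to take effect.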
