Skip to content

HAProxy Country filtering ACL

It is few years since I have written my IP Country generator. As I recently added new file geoip.txt (warning, big file!) for use with haproxy, I will show you how you can easily create ACL in HAproxy to filter specific country.

There are many articles about HAProxy GeoIP, but they are all using Maxmind’s GeoIP database and iprange tool, which you have to compile and use scripts to generate files…Now you can have daily updated¬†geoip.txt¬†for haproxy easily – just download file geoip.txt file, and put it (for exaple) as /etc/haproxy/geoip.txt. IPv6 ranges are included. You can create cron job to download this file to have update(s).

How to use it? Let’s take webmin backend definition in my haproxy.cfg as example. It will allow access only from LAN and Slovakia and Czech Republic:

backend webmin
        mode http
        option forwardfor
        http-request set-header X-Forwarded-Port %[dst_port]
        http-request set-header X-Forwarded-Proto https if { ssl_fc }
# ...
#       GeoIP ACL - allow only from SK and CZ
        acl acl_geoloc_sk_cz src,map_ip(/etc/haproxy/geoip.txt) -m reg -i (SK|CZ)
        acl acl_internal src
        http-request deny if !acl_geoloc_sk_cz !acl_internal

Yes, it is so easy.

2 thoughts on “HAProxy Country filtering ACL”

  1. Do you have some shaping to download?
    I download once a day in 8 servers but only one have some issues. Sometimes the curl doesnt complete.

  2. Unfortunately, the geoip.txt file is incomplete and doesn’t contain the full list of countries from the other lists that you generate :'(

Leave a Reply

Your email address will not be published. Required fields are marked *