现在我正在使用nginx关闭来自未知主机的连接并返回444"无响应">
我如何使用nginx前面的haproxy实现相同的目标(节省haproxy和nginx之间的额外步骤(
当前的nginx配置:
server {
# Close connection for unrecognized hosts (444 no response)
listen 80 default_server;
listen [::]:80 default_server;
return 444;
}
这可以使用"静默丢弃"来实现
acl host_example req.hdr(host) -i example.com
http-request silent-drop if not host_example
https://cbonte.github.io/haproxy-dconv/2.0/configuration.html#4.2-http-request%20silent-drophttps://www.haproxy.com/blog/introduction-to-haproxy-acls/#using-acls-to-block-requests
Ejez 您可以接受来自已知 IP 的连接是 Haproxy 前端特定 IP 的块连接。
参考代码:
- 允许的已知 IP
acl network_allowed src 20.30.40.50 20.30.40.40
use_backend allowed_backend if network_allowed
或
- 仅阻止某些 IP
acl is-blocked-ip src 192.0.2.11 192.0.2.12 192.0.2.18
http-request deny if is-blocked-ip
裁判:
1.https://blog.sleeplessbeastie.eu/2018/03/26/how-to-block-specific-ip-addresses-on-haproxy/
2.https://raymii.org/s/snippets/haproxy_restrict_specific_urls_to_specific_ip_addresses.html