https://briansnelson.com/index.php?action=history&feed=atom&title=HAProxy_Restrict_by_IP_AddressHAProxy Restrict by IP Address - Revision history2026-06-04T02:44:56ZRevision history for this page on the wikiMediaWiki 1.24.1https://briansnelson.com/index.php?title=HAProxy_Restrict_by_IP_Address&diff=1031&oldid=prevBrian: Created page with "==HAProxy Restrict by IP Address== As with any proxy service, you want to block bad ips before they get to the backend servers. With haproxy you can block ips really easy...."2019-12-12T21:24:53Z<p>Created page with "==HAProxy Restrict by IP Address== As with any proxy service, you want to block bad ips before they get to the backend servers. With haproxy you can block ips really easy...."</p>
<p><b>New page</b></p><div>==HAProxy Restrict by IP Address==<br />
<br />
As with any proxy service, you want to block bad ips before they get to the backend servers. With haproxy you can block ips really easy.<br />
<br />
Add the following to your haproxy configuration file<br />
<br />
vim /etc/haproxy/haproxy.cfg<br />
<br />
Add the following to your frontend, are blocking via x-forwarded-for and direct ip access, we do this now so you don't have to later if you decided to use cloudflare or another proxy later<br />
<br />
# Blacklist IP list<br />
acl is-blacklisted-ip hdr_ip(x-forwarded-for,1) -f /etc/haproxy/blacklist.txt<br />
acl is-blacklisted-ip src -m ip -f /etc/haproxy/blacklist.txt<br />
http-request deny if is-blacklisted-ip<br />
<br />
Save then add the blacklist-agent.txt file.<br />
<br />
vim /etc/haproxy/blacklist.txt<br />
<br />
Add some ips to the block list file, you can add lot, you can even block entire countries with this method<br />
<br />
192.168.0.1<br />
<br />
Save and check your configuration<br />
<br />
service haproxy check<br />
<br />
You are looking for<br />
<br />
'''Configuration file is valid'''<br />
<br />
Next restart or start the server to start blocking by ip address<br />
<br />
service haproxy restart/start</div>Brian