
Re: source IP restriction on routes



*Sorry for the duplicate email Sebastian - the users list rejected the original mail*

You would need a customized haproxy config template but you could add something like this in the 2 frontends public[_ssl] (or to specific backends if you need more granular control on a per-backend basis): 

acl allowed src 10.1.2.3 10.4.5.6 172.16.10.0/24 192.168.1.0/24
block if !allowed

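Or alternatively you can check if the src is in a whitelist, à la:

tcp-request connection accept if { src -f /path/to/allowed.lst }
# a final reject is needed: connections that match no rule are accepted by default
tcp-request connection reject
# or ... tcp-request connection reject if { src -f /path/to/denied.lst }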


And it's also possible to do the same with maps (and map_ip) - allow/deny list.

You'd need to use a config map for your customized template. See: https://docs.openshift.org/latest/install_config/router/customized_haproxy_router.html#using-configmap-replace-template

HTH

On Mon, Oct 17, 2016 at 2:39 AM, Sebastian Wieseler <sebastian myrepublic com sg> wrote:
Hi guys,

Is it possible with router (s, sharding) to restrict access on IP level?

We want to expose various applications via various routers, but
restrict access via source IP addresses,
so that different source IP addresses can only access allowed applications.

How can we do that?

Thanks a lot in advance.
Greetings,
  Sebastian




--
Ram//
main(O,s){s=--O;10<putchar(3^O?97-(15&7183>>4*s)*(O++?-1:1):10)&&\
main(++O,s++);}
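
A pre-deployment check for the list file used with `src -f` in the reply above, as an added example that is not part of the original mail or of the OpenShift router. It parses a one-entry-per-line list, flags entries that are invalid or wider than intended, and reports the allow/deny outcome the `block if !allowed` rule is meant to produce. The list contents and client addresses are constructed, and Python's `ipaddress` module is used as a stand-in, not HAProxy's own pattern loader.

```python
import ipaddress

# Constructed sample contents of an allow list such as /path/to/allowed.lst
SAMPLE_LIST = """\
# office and VPN ranges (constructed sample)
10.1.2.3
10.4.5.6
172.16.10.0/24
192.168.1.0/24
"""

def parse_allowlist(text):
    """Return (networks, problems) for a one-pattern-per-line IP list."""
    networks, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue  # blank lines and '#' comment lines carry no pattern
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            problems.append((lineno, entry, "not an IP address or CIDR"))
            continue
        if net.prefixlen == 0:
            problems.append((lineno, entry, "matches every source address"))
        elif ipaddress.ip_address(entry.split("/")[0]) != net.network_address:
            problems.append((lineno, entry, "host bits set; normalises to " + str(net)))
        networks.append(net)
    return networks, problems

def is_allowed(client_ip, networks):
    """True if client_ip falls inside any listed network (deny otherwise)."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr.version == n.version and addr in n for n in networks)

if __name__ == "__main__":
    nets, issues = parse_allowlist(SAMPLE_LIST)
    for lineno, entry, why in issues:
        print(f"line {lineno}: {entry}: {why}")
    # Constructed client addresses: two inside the list, two outside it
    for ip in ("10.1.2.3", "172.16.10.77", "192.168.2.1", "203.0.113.9"):
        print(ip, "allow" if is_allowed(ip, nets) else "deny")
```

Running it against the real list before rebuilding the router template catches a stray `0.0.0.0/0` or a mistyped prefix while it is still a review comment rather than an open route.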

