LoadBalancer IP filtering?

I tried adding this on the globals section but it gets stuck on “Reinitializing”:

acl network_allowed src rancher_ip/24 172.17.0.1/16 10.42.0.1/16 
tcp-request connection reject if !network_allowed

What is the trick? :slight_smile:

acl is not allowed in that section so your config file is invalid and starting up fails.

Thanks vincent! Does this mean that there is no way to achieve the desired effect using Rancher’s LoadBalancer?

Hello!

Did you find any solution for this question?

Tyia,

Regards,

AR

I don’t believe this is available right now as access to anything other than the global and defaults sections of the HAProxy configuration is not possible. I believe this is due to change but I’m not sure when this will land. Hopefully someone else knows more and will comment. [Update: Just came across this, looks like it’s due in October with v1.2: https://github.com/rancher/rancher/issues/2179]

For now, you could ‘bake your own’ HAProxy image (I’ve a simple one here: https://hub.docker.com/r/itsthenetwork/alpine-haproxy/ you could start with) or consider enforcing restrictions elsewhere (iptables on the host, or on the web servers for instance).
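For the self-built image route mentioned above, the filter from the question belongs in a frontend (or listen) section rather than in global. This is an added example, not part of the original posts and not Rancher's generated configuration; the section names, port, backend server and the 192.0.2.0/24 range standing in for rancher_ip/24 are assumptions.

```haproxy
# Added example for a self-built HAProxy image (not Rancher's generated config).
global
    maxconn 4096
    # No acl or tcp-request lines here: the global section does not accept
    # them, and the configuration fails to load if they are present.

defaults
    mode tcp
    timeout connect 5s
    timeout client  50s
    timeout server  50s

# Hypothetical frontend name and port.
frontend fe_in
    bind *:80
    # 192.0.2.0/24 is a constructed placeholder for rancher_ip/24;
    # the other two networks are the ones from the question.
    acl network_allowed src 192.0.2.0/24 172.17.0.1/16 10.42.0.1/16
    # Reject at accept time unless the TCP peer address is in the list.
    # src is the address HAProxy sees, so traffic arriving through NAT or
    # another proxy is matched on that hop's address, not the client's.
    tcp-request connection reject if !network_allowed
    default_backend be_app

# Hypothetical backend with a constructed server address.
backend be_app
    server app1 10.42.0.10:8080 check
```

Running `haproxy -c -f haproxy.cfg` checks the file without starting the proxy, so a directive placed in the wrong section is reported before the container is redeployed.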

The refactoring of our load balancer should be coming out in our next dev build release (v1.2.0-pre2).


Thanks for your feedback! So for the time being, we build our own custom LB :slight_smile: