# HAProxy: Restrict access by IP address

*Keep in mind that this is a static configuration, which is not very effective against [adversarial attacks](https://blackfedora.dev/adversarial-cycle) when an attacker constantly changes their tactics.*

By default HAProxy configuration file is located at `/etc/haproxy/haproxy.cfg`. To block a single IP address we can use a conditional `http-request deny` directive. 

```javascript
http-request deny if { src 8.8.8.8/32 }
```

If we need to apply it to a given endpoint we can use the keyword `path`. 

```javascript
http-request deny if { path -i -m beg /login } { src 8.8.8.8/32 }
```

Note that the IP address is in the CIDR notation, we can use it to restrict the access to an entire subnet. Adding `!` will invert the rule and allow the access to a given subnet, restricting it to the rest.

```javascript
http-request deny if { path -i -m beg /login } !{ src 8.8.8.0/24 }
```

### Managing a denylist

HAProxy allows to store the list of IP addresses in a separate file on the filesystem. Each IP address separated by a newline.

```bash
# cat blocked.ips
8.8.8.8
12.12.12.0/24
```

Then we can include them into the configuration file

```
http-request deny if { path -i -m beg /login } { src -f /etc/haproxy/blocked.ips }
```

### Applying restrictions on TCP level

If we want to apply the restrictions deeper in the stack we can use `tcp-request connection reject` for that.

```javascript
tcp-request connection reject if { src 8.8.8.8/32 }
```

### Applying configuration

```bash
service haproxy check
```
to test the validity of the configuration file.

```bash
service haproxy reload
```
to reload the config.
