We use HAProxy for multiple backends that sometimes need to be accessible only from the intranet, so in the backend configuration I use this:

    backend srv-web-http-dev_ipvANY
        mode http
        id 105
        log global
        timeout connect 30000
        timeout server 30000
        retries 3
        acl INTERNAL_LANS src 172.1.0.0/16
        acl INTERNAL_LANS src 172.2.0.0/16
        acl INTERNAL_LANS src 172.3.0.0/16
        http-response allow if INTERNAL_LANS
        http-response deny
        server srv-web-01 172.1.2.3:888 id 117 check inter 1000 resolvers

Now, a third-party developer should connect from the outside, and he asked me if I could resolve a DNS query to get the IP to be authorized, as he uses DynDNS to get the right IP as he roams across the country.
For example: record A mynameisdev.devdomain.com -> 101.102.103.104
And get 101.102.103.104 authorized to connect to the backend srv-web-http-dev_ipvANY.
I checked the HAProxy docs and I can't see how I could get this to work. It seems that there isn't a method to resolve a DNS query and use the resulting IP in the ACL check (for the backend section).
As you don't show the output of haproxy -vv, we don't know which HAProxy version you use. Therefore I link here to the latest version of the doc.
You can use do-resolve to resolve an IP.
Partly copied from doc and untested.

    resolvers mydns
        nameserver local 127.0.0.53:53
        nameserver google 8.8.8.8:53
        # some more config for resolvers section

    frontend fe
        bind 10.42.0.1:80
        http-request do-resolve(txn.myip,mydns,ipv4) src
        http-request capture var(txn.myip) len 40
        # more config

    backend srv-web-http-dev_ipvANY
        # more config
        http-response allow if { var(txn.myip) -m ip 101.102.103.104/32 }
        # more config

That's the link to the resolvers section
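
A fuller version of the do-resolve approach from the answer above, as an added example that is not part of either post: it resolves the developer's fixed DynDNS name (rather than a value taken from the request) and admits the client only when its source address equals the resolved address. It assumes HAProxy 2.0 or later and reuses the names and addresses shown on this page; the variable names txn.devip and txn.srcip, the defaults section and the `timeout client` value are made up for the example. It filters with http-request rather than http-response, so a denied request is rejected before it reaches the server.

```haproxy
defaults
    mode http
    timeout connect 30000
    timeout client  30000   # assumed value, not from the page
    timeout server  30000

resolvers mydns
    nameserver local 127.0.0.53:53

frontend fe
    bind 10.42.0.1:80
    # Resolve the developer's DynDNS name; on any DNS error txn.devip stays unset.
    http-request do-resolve(txn.devip,mydns,ipv4) str(mynameisdev.devdomain.com)
    # Keep the client address in a variable so it can be compared further down.
    http-request set-var(txn.srcip) src
    default_backend srv-web-http-dev_ipvANY

backend srv-web-http-dev_ipvANY
    acl INTERNAL_LANS src 172.1.0.0/16
    acl INTERNAL_LANS src 172.2.0.0/16
    acl INTERNAL_LANS src 172.3.0.0/16
    # True only when the name resolved at all.
    acl DEV_RESOLVED var(txn.devip) -m found
    # strcmp() compares the resolved address with the client address as strings;
    # 0 means they are identical.
    acl DEV_MATCH var(txn.devip),strcmp(txn.srcip) eq 0

    http-request allow if INTERNAL_LANS
    http-request allow if DEV_RESOLVED DEV_MATCH
    # Everything else, including the case where resolution failed, is refused.
    http-request deny
    server srv-web-01 172.1.2.3:888 check inter 1000
```

The rule fails closed: if the DynDNS record cannot be resolved, only the internal ranges are admitted. Anyone who can change that DNS record can authorize their own address, so the record's integrity becomes part of the access control.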