
Introduce an ACL for blocking on tcp layer #882

Open

hoffmaen wants to merge 4 commits into cloudfoundry:master from sap-contributions:tcp-blocking

Conversation

hoffmaen (Contributor) commented Feb 26, 2026

TCP-Level CIDR Blocking

Introduces a new property ha_proxy.cidr_blocklist_tcp that enables blocking client connections at the TCP layer, before TLS negotiation occurs.

Implementation

  • Property: ha_proxy.cidr_blocklist_tcp (optional array of CIDRs or base64-encoded gzipped string)
  • Configuration File: /var/vcap/jobs/haproxy/config/blocklist_cidrs_tcp.txt
  • Behavior: CIDRs in the blocklist are rejected immediately after TCP connection establishment
  • Dynamic Updates: CIDRs can be added or removed on-the-fly via the HAProxy socket without reloading:
    # Add CIDR to blocklist
    echo 'add acl /var/vcap/jobs/haproxy/config/blocklist_cidrs_tcp.txt 10.0.1.1/24' | socat - /var/vcap/sys/run/haproxy/stats.sock
    
    # Remove CIDR from blocklist
    echo 'del acl /var/vcap/jobs/haproxy/config/blocklist_cidrs_tcp.txt 10.0.1.1/24' | socat - /var/vcap/sys/run/haproxy/stats.sock

Connection Flow for Blocked Clients

For HTTPS connections:

  1. Client establishes TCP connection to HAProxy
  2. Client initiates TLS handshake (Client Hello)
  3. HAProxy terminates connection (TCP FIN)

This approach blocks clients before the expensive TLS handshake completes, improving performance and reducing resource consumption.

Limitations

  • No logging available for connections rejected at this stage
  • The ACL and rejection rule are always present in the HAProxy configuration, even when the blocklist is empty
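A dry-run checker for the blocklist described in this PR, added here as an example (not code from the PR or from the haproxy-boshrelease project): it parses a one-CIDR-per-line file under the path the PR names, reports entries with host bits set (such as the 10.0.1.1/24 in the socat example, which the script normalises to 10.0.1.0/24), tests whether a given source address would fall inside any listed CIDR, and builds the `add acl` / `del acl` lines to feed to the stats socket. The file format (one entry per line, `#` comments) and the matching semantics are assumptions of this script; it does not talk to HAProxy.

```python
import ipaddress
from typing import List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Blocklist file path as given in the PR description.
BLOCKLIST_PATH = "/var/vcap/jobs/haproxy/config/blocklist_cidrs_tcp.txt"

# Constructed sample blocklist (documentation ranges only); the format
# (one CIDR per line, '#' comments, blank lines) is an assumption.
SAMPLE_BLOCKLIST = """\
# constructed sample blocklist
203.0.113.0/24
198.51.100.7        # single host, implicit /32
10.0.1.1/24         # host bits set, as in the PR's socat example
2001:db8::/32
"""


def parse_blocklist(text: str) -> Tuple[List[Network], List[str]]:
    """Parse blocklist text into networks; returns (networks, warnings).
    Entries with host bits set are normalised to the network address and
    reported so an operator can confirm the intended range. Unparsable
    lines raise ValueError instead of being silently dropped."""
    networks, warnings = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            iface = ipaddress.ip_interface(entry)   # accepts host bits set
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {entry!r} is not a valid CIDR") from exc
        net = iface.network
        if iface.ip != net.network_address:
            warnings.append(f"line {lineno}: {entry} has host bits set; using {net}")
        networks.append(net)
    return networks, warnings


def is_blocked(src: str, networks: List[Network]) -> bool:
    """Dry-run of the ACL match: True if src lies inside any listed CIDR.
    ipaddress never matches an IPv4 address against an IPv6 network or vice versa."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in networks)


def runtime_commands(action: str, cidrs: List[str], path: str = BLOCKLIST_PATH) -> List[str]:
    """Build the 'add acl' / 'del acl' lines piped to the stats socket (e.g. via
    socat) for a dynamic update; each CIDR is validated but passed through as written."""
    if action not in ("add", "del"):
        raise ValueError("action must be 'add' or 'del'")
    for cidr in cidrs:
        ipaddress.ip_interface(cidr)   # raises ValueError on a malformed entry
    return [f"{action} acl {path} {cidr}" for cidr in cidrs]
```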

a18e added 2 commits March 5, 2026 14:08
…cp_blacklist_cidrs

to align with existing blacklist property & highlight difference
@a18e a18e added run-ci Allow this PR to be tested on Concourse and removed run-ci Allow this PR to be tested on Concourse labels Mar 5, 2026
@a18e a18e marked this pull request as ready for review March 5, 2026 13:10
@a18e a18e requested review from a team and CFN-CI as code owners March 5, 2026 13:10
a18e (Contributor) previously approved these changes Mar 5, 2026 and left a comment:

Preliminary approval to trigger CI-run

@github-project-automation github-project-automation bot moved this from Inbox to Pending Merge | Prioritized in Application Runtime Platform Working Group Mar 5, 2026
a18e (Contributor) left a comment:

Preliminary approval to trigger CI-run No2.

(Member) left a comment:

Please use inclusive language for any new files / properties.

mv tcp_blacklist_cidrs.txt.erb tcp_blocklist_cidrs.txt.erb

hoffmaen (Contributor, Author) left a comment:

Or just revert the changes related to the filename altogether. Suffixing the filename for the exact purpose makes more sense to me than a prefix.

(Member) left a comment:

This is a new file, not sure what you mean by reverting.

hoffmaen (Contributor, Author) left a comment:

Revert f219172

(Member) left a comment:

Ah, I don't care about the ordering of the terms in the filename.
