# you may want to add a prefix to the logs, so you can easily filter them in your log-processing system
# see also: https://www.haproxy.com/blog/haproxy-log-customization
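# The raw/endraw wrapper stops Jinja from reading the brace-percent sequence in
# front of [capture.req.hdr(0)] as the start of a template tag.
# The two trailing fields are capture slots 0 and 1. In the rendered
# frontend.cfg of this example they are filled by the GeoIP captures
# (country first, ASN second), which are emitted for fe_mail_imap.
# NOTE(review): the rendered fe_mail_smtp frontend has no capture lines, so
# confirm whether these two fields are populated for it before alerting on them.
logformat_tcp: "{% raw %}TCP: %ci:%cp [%t] %ft %b/%s %Tw/%Tc/%Tt %B %ts %ac/%fc/%bc/%sc/%rc %sq/%bq {%[capture.req.hdr(0)]|%[capture.req.hdr(1)]}{% endraw %}"
# logformat_http: "HTTP: %ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r"

haproxy:
  geoip:
    enable: true
    # Placeholder only: supply the real token from Ansible Vault or another
    # secret store instead of committing it in plain text.
    token: "<YOUR TOKEN>"

  frontends:
    fe_mail_smtp:
      mode: 'tcp'
      bind: ['[::]:25 v4v6']

      routes:
        # No conditions: the rendered config sends every connection on this
        # frontend to be_mail_smtp.
        be_mail_smtp:

      # Frontend-level lines; the log-format is rendered before the route.
      lines:
        - "log-format \"{{ logformat_tcp }}\""

    fe_mail_imap:
      mode: 'tcp'
      bind: ['[::]:993 v4v6']
      # Renders the GeoIP country/ASN lookups and captures for this frontend.
      geoip:
        enable: true

      routes:
        be_mail_imap:
          # Only sources resolved to SI reach be_mail_imap. Everything else
          # falls through to default_backend and is rejected. That includes
          # private-range sources, whose country is forced to 0 in the
          # rendered ACLs.
          # GeoIP is a coarse exposure filter, not authentication: the mail
          # server still has to enforce its own login controls.
          filter_country: ['SI']

      lines:
        - "log-format \"{{ logformat_tcp }}\""

      # Fail closed: connections that match no route are rejected.
      default_backend: 'be_fallback_tcp'

  backends:
    be_mail_smtp:
      mode: 'tcp'
      servers: 'mail-gateway 192.168.0.10:25'

    be_mail_imap:
      mode: 'tcp'
      servers: 'mail-server 192.168.0.11:993'

    # Reject sink used as default_backend of fe_mail_imap.
    be_fallback_tcp:
      mode: 'tcp'
      lines: 'tcp-request content reject'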
For the services and the haproxy.cfg, see the GeoIP example.
# logs
root@test-ag-haproxy-tcp:/# journalctl -u haproxy -n 200 | grep TCP
> May 05 15:55:57 lb01 haproxy[99127]: TCP: ::ffff:193.222.96.0:57424 [05/May/2024:15:55:57.548] fe_mail_smtp be_mail_smtp/mail-gateway 1/25/274 297 -- 3/1/0/0/0 0/0 {AT|8412}
root@test-ag-haproxy-tcp:/# cat /etc/haproxy/conf.d/frontend.cfg
> # Ansible managed: Do NOT edit this file manually!
> # ansibleguy.infra_haproxy
>
> frontend fe_mail_smtp
> mode tcp
> bind [::]:25 v4v6
>
> log-format "TCP: %ci:%cp [%t] %ft %b/%s %Tw/%Tc/%Tt %B %ts %ac/%fc/%bc/%sc/%rc %sq/%bq {%[capture.req.hdr(0)]|%[capture.req.hdr(1)]}"
>
> # BACKEND be_mail_smtp
> use_backend be_mail_smtp
>
> frontend fe_mail_imap
> mode tcp
> bind [::]:993 v4v6
>
> # GEOIP
> acl private_nets src 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 127.0.0.0/8 ::1
> tcp-request inspect-delay 500ms
>
> ## GEOIP COUNTRY
> tcp-request content set-var(txn.geoip_country) str(0) if private_nets
> tcp-request content lua.lookup_geoip_country if !{ var(txn.geoip_country) -m found }
> tcp-request content capture var(txn.geoip_country) len 2
>
> ## GEOIP ASN
> tcp-request content set-var(txn.geoip_asn) int(0) if private_nets
> tcp-request content lua.lookup_geoip_asn if !{ var(txn.geoip_asn) -m found }
> tcp-request content capture var(txn.geoip_asn) len 10
>
> log-format "TCP: %ci:%cp [%t] %ft %b/%s %Tw/%Tc/%Tt %B %ts %ac/%fc/%bc/%sc/%rc %sq/%bq {%[capture.req.hdr(0)]|%[capture.req.hdr(1)]}"
>
> # BACKEND be_mail_imap
> acl be_mail_imap_filter_country var(txn.geoip_country) -m str -i SI
> use_backend be_mail_imap if be_mail_imap_filter_country
>
> default_backend be_fallback_tcp
root@test-ag-haproxy-tcp:/# cat /etc/haproxy/conf.d/backend.cfg
> # Ansible managed: Do NOT edit this file manually!
> # ansibleguy.infra_haproxy
>
> backend be_mail_smtp
> mode tcp
>
> server mail-gateway 192.168.0.10:25 check
>
> backend be_mail_imap
> mode tcp
>
> server mail-server 192.168.0.11:993 check
>
> backend be_fallback_tcp
> mode tcp
>
> tcp-request content reject
>
> backend be_haproxy_geoip
> server haproxy_geoip 127.0.0.1:8406 check