An access control list (ACL) is a security measure implemented within networks and systems that offers fine-grained control over how individual clients can access certain resources or applications. They also determine which actions clients can take. Access control lists can govern access to files, folders, databases, and even specific devices, which are otherwise known as "objects."
How do access control lists (ACLs) work?
ACLs ultimately provide authorization to individual users and groups beyond simply approving or denying access. Compared to role-based access control (RBAC), ACLs offer more individualized control (with some added complexity) over sensitive resources without relying as much on organizational roles or units. While ACLs are easier to manage within a smaller application environment, there's no denying their importance within a greater security suite.
ACLs are lists of rules that examine aspects of the traffic (the source IP, requested path, requested host, or the request rate) and make access or routing decisions based on one or a combination of them. For example, you might only allow five requests every ten seconds from a given IP to a login page.
In a load balancing context, ACLs help your load balancer frontend guard your server backend against unwanted traffic. For example, a load balancer can either block a client outright or redirect them elsewhere based on preconfigured rules. By comparing client-supplied keys, source IP addresses, and more against these lists, the load balancer will pass traffic accordingly.
Access control lists are composed of numerous entries. These are often contained with allowlists or denylists, which function as you'd expect based on their names. It's generally okay to store unencrypted source IP addresses at the load balancing layer, while components that govern API access (like tokens) are hashed to avoid unwanted access in the face of leaks.
Does HAProxy support access control lists (ACLs)?
Yes! ACLs, collectively, are a key component of our multi-layered security approach. They coexist with and operate alongside the HAProxy Enterprise WAF, HAProxy Enterprise Bot Management Module, and Global Rate Limiting features.
HAProxy Enterprise and HAProxy ALOHA have baked-in ACL support that filters traffic based on source IP address, interface, protocol, and port. Each access control list evaluates a statement before returning true or false, which determines whether traffic is blocked or accepted. HAProxy ACLs live within plain text .MAP files. To learn more about ACLs within HAProxy, check out our ACL documentation.