HAProxy Backend ACL: can i resolve a hostname and use the ip address to authorize the connection?

Question

we use haproxy for multiple backends that sometimes needs to be accessible only from intranet, so the in the backend configuration i use this:

backend srv-web-http-dev_ipvANY
    mode            http
    id          105
    log         global
    timeout connect     30000
    timeout server      30000
    retries         3
    acl         INTERNAL_LANS   src 172.1.0.0/16
    acl         INTERNAL_LANS   src 172.2.0.0/16
    acl         INTERNAL_LANS   src 172.3.0.0/16
    http-response allow  if  INTERNAL_LANS
    http-response deny 
    server          srv-web-01 172.1.2.3:888 id 117 check inter 1000  resolvers  

Now, a third party developer should connect from the outside and he asked me if i could resolve a dns query to get the ip to be authorized, as he use dyndns to get the right ip as he roam across the country.

For example: record A mynameisdev.devdomain.com -> 101.102.103.104

And get 101.102.103.104 authorized to connect to the backend srv-web-http-dev_ipvANY.

I checked on the haproxy docs and i can't see how i could get this to work. Seems that there isn't a method to resolve a dns query and use the resulted ip in the ACL check (for the backend section)

Answer 1

As you don't show the output of haproxy -vv we don't know which HAProxy version do you use. Therefore Link I here the latest version from the doc.

You can use do-resolve to resolve an IP.

Partly copied from doc and untested.

resolvers mydns
  nameserver local 127.0.0.53:53
  nameserver google 8.8.8.8:53
  # some more config for resolvers section

frontend fe
  bind 10.42.0.1:80
  http-request do-resolve(txn.myip,mydns,ipv4) src
  http-request capture var(txn.myip) len 40
  # more config

backend srv-web-http-dev_ipvANY

  # more config 

  http-response allow  if  { var(txn.myip) -m ip 101.102.103.104/32 }

  # more config 

That's the link to the resolvers section