1. Home
  2. Balancer
  3. Using ACL’s

Using ACL’s

An access control list (ACL) is a list of permissions attached to an object. An ACL policy would specify which users or system processes are granted access to certain objects, as well as what operations are allowed on those given objects.

Normally these permissions are in the context of the file system, where the objects are the files themselves; when considering the Snapt Balancer however—and because it operates at the Layer 7 of the OSI model—, the permissions that we grant and the objects that we protect are going be at the “application layer”; such as Servers in our Upstreams (server:port pairs).

Let’s see some scenarios in which you can use Snapt’s ACL system to better manage your Back- and Frontends.

For more information about Groups, Frontends and Backends, see What Is the Difference between Groups, Frontends and Backends.

Scenario 1: Stop a Specific Site from Being Load Balanced

Let’s say that you are serving several sites and that you have an application that most certainly requires load balancing, but another companion site that maybe doesn’t (i.e: static content).

Step 1: Check You Have a Backend

In the Balancer, you can sometimes get along with a very simple configuration by just having a Group, which essentially combines Front- and Backend functionality. However, to stop a specific site from being load balanced, you will have to make sure that you have at least one Backend set.

Navigate to:

Balancer > Backend Manager

If under the Active Backends pane in the View Backends tab you can see a Backend that only contains the server you want not to balance, then you’re good to go and jump ahead to Step 4; if not, continue to Step 2.

Step 2: Remove Your Target Server from Your Existing Group or Backend

In order to manage a server separately from a Group or Backend containing several servers, you’ll have to take it out of it and assign it to a new Backend.

Navigate accordingly to either:

Balancer > Group Management
Balancer > Backend Management

Similarly, go under either:

View Groups tab > Active Groups pane > Servers button
View Backends tab > Active Backends pane > Servers button

You’ll be able to see the server that you want to handle separately, so take note of the IP:port pair, and remove it from your Group or Backend by pressing the Delete this server button.

Step 3: Create a Backend with Your Target Server

Now you’ll create a Backend that will contain the server or group of servers that you don’t want to load balance.

Navigate to:

Balancer > Backend Management

Go under:

Add a Backend tab > Add a Backend pane

Give your Backend a name and click on Step 2.

On the next screen, click on Save.

Now that your new Backend has been created, you’ll see it under the Active Backends pane in the View Backends tab.

Click on the Servers button and add the server or list of servers:ports that you collected on Step 2, by clicking on the Add Server button.

Step 4: Create the ACL

You will now create the ACL policy that will exclude this server node from being load balanced.

Navigate to:

Balancer > ACL Management

Step 5: Attach the ACL to your Group or Frontend

Finally, you’ll also have to attach the ACL you’ve created to a Frontend or Group.

Navigate accordingly to:

Balancer > Group Management
Balancer > Frontend Management

Similarly go under:

View Groups tab > Active Groups pane > Attach ACL button
View Frontends tab > Active Frontends pane > Attach ACL button

Once there, for ACL Action click on use_backend and select the Backend you created on Step 3.

For ACL 1 select the ACL you created on Step 4.

Click the Attach ACL button.

Step 6: Attach the ACL to your Backend [optional]

Optionally, if there were multiple servers in the Backend and you need to route to a specific one, you could attach the ACL policy you created in Step 4 to one of the Backends you created on Step 3.

Navigate to:

Balancer > Backend Management

Go under:

View Backends tab > Active Backends pane > Attach ACL button

For ACL Action set use-server and select the server you’ve set on Step 3.

For ACL 1 select the ACL you created on Step 4.

You can safely leave everything else as it is.

Scenario 2: Routing

If you have multiple websites hosted behind your Snapt instance, and only have one of them has public facing IP address, you can setup ACL routing rules to direct incoming traffic to the correct Backend.

Step 1: Create the ACL

Navigate to:

Balancer > ACL Management

Go under:

Add ACL tab > Add an ACL pane

Give your ACL a name and click on Continue.

There are multiple match criterion that you can use, so pick the one that best suits your routing needs, or chain a combination of them.

Step 2: Attach the ACL

You’ll be able to attach the newly created ACL to a Group, Frontend and/or Backend.

Navigate accordingly to either:

Balancer > Group Management
Balancer > Frontend Management
Balancer > Backend Management

For your Group, Front- or Backend of interest, click on the Attach ALC button.

The ACL Action will vary depending on whether you’re managing a Group, Front- or Backend; in every case for ACL 1 you’ll be able to select the ACL you created in Step 1, and even mix it with other ACLs, should you need to create more complex chained routing rules.

You can repeat this operation to as many Groups, Frontends or Backends you need to route.

Updated on January 10, 2019


Was this article helpful?

Related Articles