

@haproxytechblog
Last active June 14, 2022 14:21
Introduction to HAProxy ACLs
# Named ACL: true when the request path begins with /static/ (-m beg), compared
# case-insensitively (-i). The gist lists the line twice; HAProxy treats repeated
# declarations of one ACL name as additional patterns that are ORed together.
acl is_static path -i -m beg /static/
acl is_static path -i -m beg /static/
# Route matching requests to be_static by referencing the named ACL.
use_backend be_static if is_static
# The same rule using an anonymous (inline, brace-delimited) ACL instead.
use_backend be_static if { path -i -m beg /static/ }
# Two conditions written side by side are ANDed: deny /api/ requests that
# come FROM 10.0.0.0/16.
http-request deny if { path -i -m beg /api/ } { src 10.0.0.0/16 }
# The leading ! negates the second condition: deny /api/ requests from any
# source EXCEPT 10.0.0.0/16. Easy to confuse with the previous line -- one is a
# block-list, the other an allow-list.
http-request deny if { path -i -m beg /api/ } !{ src 10.0.0.0/16 }
# -f loads the source-address patterns from a file instead of listing them inline.
http-request deny if { path -i -m beg /api/ } { src -f /etc/hapee-1.8/blacklist.acl }
# Example pattern-file contents: one address or CIDR block per line
# (presumably the body of the blacklist.acl file referenced above).
192.168.122.3
192.168.122.0/24
# || ORs two inline ACLs: deny when the path starts with /evil/ OR ends with /evil.
http-request deny if { path -i -m beg /evil/ } || { path -i -m end /evil }
# The same condition expressed with two named ACLs.
acl starts_evil path -i -m beg /evil/
acl ends_evil path -i -m end /evil
http-request deny if starts_evil || ends_evil
# Declaring one ACL name twice ORs its patterns, so "evil" matches either form.
# path_beg / path_end are shorthand for "path -m beg" / "path -m end"; note there
# is no -i here, so unlike the lines above these matches are case-sensitive.
acl evil path_beg /evil/
acl evil path_end /evil
http-request deny if evil
# A named ACL and an inline ACL can be mixed; juxtaposition is still AND.
http-request deny if evil !{ src 10.0.0.0/16 }
# Fetch-expression fragment, not a complete directive: the path with a leading
# "/static" rewritten to "/" by the regsub converter.
path,regsub(^/static,/)
# ACL fragment: the set of path prefixes to match is read from a file.
path -i -m beg -f /etc/hapee/paths_secret.acl
# Redirect to the www. form of the site unless the Host header already begins
# with "www" (case-insensitive).
# NOTE(review): the Location is built from the client-supplied Host header, so
# the redirect target is whatever Host value the client sent; confirm the
# frontend only accepts the expected host names before relying on this.
http-request redirect location http://www.%[hdr(host)]%[capture.req.uri] unless { hdr_beg(host) -i www }
# Send plain-HTTP requests to HTTPS; ssl_fc is true when the client connection
# to the frontend is TLS.
redirect scheme https if !{ ssl_fc }
# Redirect to /foo-prefixed URL unless the path already starts with /foo/.
http-request redirect prefix /foo if !{ path_beg /foo/ }
# Same HTTPS redirect with an explicit 301 (permanent) status.
# NOTE(review): the documented argument order is "redirect scheme https code 301";
# confirm HAProxy accepts "code 301" placed before the scheme as written here.
redirect scheme code 301 https if !{ ssl_fc }
# Route /stats requests to the stats backend.
use_backend be_stats if { path_beg /stats }
# Pick the backend from a map file: map_beg matches the path against the file's
# prefixes and the mapped value is substituted into be_<value>. With no default
# given, a path that matches nothing presumably yields no usable backend name
# and the request falls through to later use_backend / default_backend rules.
use_backend be_%[path,map_beg(/etc/hapee-1.8/paths.map)]
# Same lookup with an explicit fallback value ("mydefault") when no entry matches.
use_backend be_%[path,map_beg(/etc/hapee-1.8/paths.map, mydefault)]
# TCP-level inspection: hold the connection up to 10s so enough of the client
# hello arrives for req.ssl_hello_type to be evaluated; gt 0 means a TLS
# ClientHello was observed, so route it to the TLS backend.
tcp-request inspect-delay 10s
use_backend be_ssl if { req.ssl_hello_type gt 0 }
# Rewrite the request path in place (no redirect) to prepend /foo when missing.
http-request set-path /foo%[path] if !{ path_beg /foo }
# Store the sessionid cookie value in a transaction-scoped variable.
http-request set-var(txn.session_id) cook(sessionid)
# Sticky routing by session id: look the variable up in a map and route to
# be_<mapped value>; the "-m found" guard makes the rule apply only when the
# map actually has an entry for this session.
use_backend be_%[var(txn.session_id),map(/etc/hapee-1.8/sessionid.map)] if { var(txn.session_id),map(/etc/hapee-1.8/sessionid.map) -m found }
# Populate the in-memory map at runtime from a response header the backend sets.
# NOTE(review): whoever can set x-new-backend on a response steers all future
# requests for that session; confirm the header can only originate from the
# backend itself and is stripped before reaching the client if not intended.
http-response set-map(/etc/hapee-1.8/sessionid.map) %[var(txn.session_id)] %[res.hdr(x-new-backend)] if { res.hdr(x-new-backend) -m found }
# Backend used when no use_backend rule above matched.
default_backend be_login
# Copy the request path into a variable so the same named ACL can be evaluated
# on both the request and the response (presumably because the path fetch is
# not available in the response phase -- confirm against the HAProxy docs).
http-request set-var(txn.path) path
acl is_icons_path var(txn.path) -m beg /icons/
# Serve from / store into the "icons" cache for matching paths.
http-request cache-use icons if is_icons_path
http-response cache-store icons if is_icons_path
# HTTP_1.0 is one of HAProxy's predefined ACLs: reject HTTP/1.0 requests.
http-request deny if HTTP_1.0
# Header matching: -m sub is a substring match on the User-Agent header.
http-request deny if { req.hdr(user-agent) -m sub evil }
# -m len matches on the header's length: exactly 32 here, at most 32 (le) below.
http-request deny if { req.hdr(user-agent) -m len 32 }
http-request deny if { req.hdr(user-agent) -m len le 32 }
# With no -m flag, "path" performs an exact string match on the whole path.
http-request deny if { path /api/wastetime }
# Deny any path containing "/." -- i.e. requests for dot-files or hidden
# directories anywhere in the path.
http-request deny if { path -m sub /. }
# Dynamic update section: re-fetch the whitelist ACL file from a URL every 60s.
# NOTE(review): the source is fetched over plain http from 192.168.122.1, so the
# ACL contents are only as trustworthy as that host and the network path to it.
dynamic-update
update id /etc/hapee-1.8/whitelist.acl url http://192.168.122.1/whitelist.acl delay 60s
# Runtime API (shell command): add an entry to the in-memory ACL through the
# stats socket. This changes the running proxy only; the on-disk file is not
# rewritten, so the change is lost on reload. Anyone with write access to this
# socket controls the proxy's ACLs, so keep its permissions restricted.
echo "add acl /etc/hapee-1.8/whitelist.acl 1.2.3.4" | socat stdio /var/run/hapee-lb.sock