Introduction to HAProxy ACLs
# Worked fragments from "Introduction to HAProxy ACLs". Each rule belongs inside a
# frontend/listen/backend section; this is a reference list, not one runnable file.

# Named ACL: `path` fetches the request path, `-i` makes the match case-insensitive,
# `-m beg` tests for a prefix. The same line appears twice in this copy.
acl is_static path -i -m beg /static/
acl is_static path -i -m beg /static/
# Route to be_static when the named ACL is true.
use_backend be_static if is_static
# The same routing decision written with an anonymous (inline) ACL in braces.
use_backend be_static if { path -i -m beg /static/ }

# Two conditions on one line are ANDed. `src` is the client source address; the
# address/CIDR pattern that normally follows it appears to be missing in this copy
# (expected form: `{ src <trusted-cidr> }`) — confirm against the original article.
http-request deny if { path -i -m beg /api/ } { src }
# `!` negates an anonymous ACL: deny /api/ for every source that is NOT in the pattern.
http-request deny if { path -i -m beg /api/ } !{ src }
# `-f <file>` loads the patterns (here: source addresses to block) from a file that
# HAProxy must be able to read at start-up; the list is only as good as its upkeep.
http-request deny if { path -i -m beg /api/ } { src -f /etc/hapee-1.8/blacklist.acl }

# `||` ORs two conditions; `-m end` tests for a suffix.
http-request deny if { path -i -m beg /evil/ } || { path -i -m end /evil }
# The same rule expressed with two named ACLs ...
acl starts_evil path -i -m beg /evil/
acl ends_evil path -i -m end /evil
http-request deny if starts_evil || ends_evil
# ... and again with one ACL name declared twice: repeated `acl` lines sharing a name
# are ORed. `path_beg` / `path_end` are shorthand for `path -m beg` / `path -m end`;
# no `-i` here, so these two are case-sensitive.
acl evil path_beg /evil/
acl evil path_end /evil
http-request deny if evil
# Named and anonymous ACLs combine freely; the `src` pattern again appears to be missing.
http-request deny if evil !{ src }
# An ACL body shown without its `acl <name>` prefix: prefix patterns are read from a file.
path -i -m beg -f /etc/hapee/paths_secret.acl

# Send bare-domain requests to the www. host. `%[hdr(host)]` and `%[capture.req.uri]`
# are log-format fetches expanded per request. The redirect target is built from the
# client-supplied Host header, so unless Host is validated (for example against an
# allowlist of the domains this frontend serves) a crafted Host value turns this into
# a redirect to an arbitrary `www.<attacker-host>`; also note the target is plain http.
http-request redirect location http://www.%[hdr(host)]%[capture.req.uri] unless { hdr_beg(host) -i www }
# Force HTTPS: `ssl_fc` is true when the frontend connection itself is TLS. With no
# `code` given HAProxy answers 302 (temporary).
redirect scheme https if !{ ssl_fc }
# External redirect that prepends /foo to the original URI when the path lacks it.
http-request redirect prefix /foo if !{ path_beg /foo/ }
# Same HTTPS redirect with a permanent 301, which browsers cache.
redirect scheme code 301 https if !{ ssl_fc }

# Route the stats endpoint to its own backend.
use_backend be_stats if { path_beg /stats }
# Dynamic backend choice: look the path prefix up in a map file and splice the result
# into the backend name. The map file name after `/etc/hapee-1.8/` appears truncated
# in this copy (expected form: `map_beg(<map-file>)`). A computed name that matches no
# backend is skipped and evaluation continues to later rules / default_backend.
use_backend be_%[path,map_beg(/etc/hapee-1.8/]
# Same, with a default map value used when no prefix matches.
use_backend be_%[path,map_beg(/etc/hapee-1.8/, mydefault)]

# TCP-mode inspection: hold the connection for up to 10s so layer-6 data (the TLS
# ClientHello) can be examined before routing. This is normally paired with
# `tcp-request content accept if { req.ssl_hello_type gt 0 }` so the wait ends as
# soon as a hello arrives instead of every connection sitting out the full delay.
tcp-request inspect-delay 10s
# `req.ssl_hello_type gt 0` is true once a TLS handshake record has been seen.
use_backend be_ssl if { req.ssl_hello_type gt 0 }

# Internal rewrite (no redirect): prefix the path with /foo unless already present.
http-request set-path /foo%[path] if !{ path_beg /foo }

# Sticky routing keyed on a cookie. The cookie value is client-controlled input that
# becomes a map key — usable as a lookup key, never to be trusted beyond that.
http-request set-var(txn.session_id) cook(sessionid)
# Route to the backend recorded for this session id; `-m found` is true when the map
# lookup yields a value. The map file name after `/etc/hapee-1.8/` again looks truncated.
use_backend be_%[var(txn.session_id),map(/etc/hapee-1.8/] if { var(txn.session_id),map(/etc/hapee-1.8/ -m found }
# Learn the mapping at runtime from a response header emitted by the backend. Only a
# backend that deliberately sets x-new-backend should be able to steer the map; make
# sure the header cannot be injected or reflected from client input upstream.
http-response set-map(/etc/hapee-1.8/ %[var(txn.session_id)] %[res.hdr(x-new-backend)] if { res.hdr(x-new-backend) -m found }
# Sessions with no recorded backend land on the login backend.
default_backend be_login

# Cache control by path prefix: capture the path once in a transaction variable and
# reuse it in a named ACL for both the request-side lookup and the response-side store.
http-request set-var(txn.path) path
acl is_icons_path var(txn.path) -m beg /icons/
http-request cache-use icons if is_icons_path
http-response cache-store icons if is_icons_path

# HTTP_1.0 is one of HAProxy's predefined ACLs (request version is HTTP/1.0).
http-request deny if HTTP_1.0
# `-m sub` is a substring match. User-Agent is set by the client and trivially forged,
# so header-based denies like the next three only stop careless clients; treat them
# as hygiene, not as an access control.
http-request deny if { req.hdr(user-agent) -m sub evil }
# `-m len` compares the length of the header value: exactly 32 characters here ...
http-request deny if { req.hdr(user-agent) -m len 32 }
# ... and 32 characters or fewer here (`le` = less than or equal).
http-request deny if { req.hdr(user-agent) -m len le 32 }
# No `-m` given, so `path` uses its default exact string match.
http-request deny if { path /api/wastetime }
# Reject any path containing "/." — hidden files and directories (names beginning with
# a dot) anywhere in the path — at the cost of also rejecting "/./" segments.
http-request deny if { path -m sub /. }

# Runtime ACL maintenance. `update` appears to be the HAPEE (enterprise) directive that
# refreshes an ACL/map file from a URL on a schedule; the URL argument itself is absent
# in this copy.
update id /etc/hapee-1.8/whitelist.acl url delay 60s
# Same via the Runtime API socket (a shell line, not HAProxy config). `add acl <file>
# <key>` expects the entry to add after the file name, which is missing here. Anything
# that can write to this socket can change routing and allow/deny lists, so restrict it
# with the `level`, `mode`, `user`/`group` options of the `stats socket` line.
echo "add acl /etc/hapee-1.8/whitelist.acl" | socat stdio /var/run/hapee-lb.sock