Discussion:
Combine different ACLs under same name
Ricardo Fraile
2018-10-05 08:46:20 UTC
Hello,


I have tested that some types of ACLs can't be combined, for example:

Server 192.138.1.1, acl with combined rules:

acl rule1 hdr_dom(host) -i test.com
acl rule1 src 192.168.1.2/24
redirect prefix https://yes.com code 301 if rule1
redirect prefix https://no.com

Request from 192.168.1.2:

$ curl -I -H "host: test.com" 192.138.1.1
HTTP/1.1 301 Moved Permanently
Content-length: 0
Location: https://yes.com/

Request from 192.168.1.3:

$ curl -I -H "host: test.com" 192.138.1.1
HTTP/1.1 301 Moved Permanently
Content-length: 0
Location: https://yes.com/



Server 192.138.1.1, acl with two rules:

acl rule1 hdr_dom(host) -i test.com
acl rule2 src 192.168.1.2/24
redirect prefix https://yes.com code 301 if rule1 rule2
redirect prefix https://no.com

Request from 192.168.1.2:

$ curl -I -H "host: test.com" 192.138.1.1
HTTP/1.1 301 Moved Permanently
Content-length: 0
Location: https://yes.com/

Request from 192.168.1.3:

$ curl -I -H "host: test.com" 192.138.1.1
HTTP/1.1 301 Moved Permanently
Content-length: 0
Location: https://no.com/

I looked for this behaviour in the documentation but I didn't find any
reference to it. Please, does anyone know where it is documented?


Thanks,
Ricardo Fraile
2018-10-05 10:02:49 UTC
This is expected behavior.
acl foo src 1.2.3.4
acl foo hdr(host) foo.bar
{ src 1.2.3.4 } || { hdr(host) foo.bar }
https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#7.2
Your splitting of the acl in two acls leads to implying an && between the two
acls, and the behavior is different.
regards,
Jérôme
It is definitely clever, indeed.

If it is possible, as a suggestion, I think that it needs to be clearer
in the documentation.


Thanks,
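
A lint for the behaviour described in the reply above, as an added example that is not part of the original thread or of HAProxy: it flags any ACL name declared more than once in a section with different sample fetches, since those declarations are ORed together. The sample configuration, the section names and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample config, modelled on the two variants in the thread.
SAMPLE_CFG = """\
frontend fe_combined
    acl rule1 hdr_dom(host) -i test.com
    acl rule1 src 192.168.1.2/24
    redirect prefix https://yes.com code 301 if rule1

frontend fe_split
    acl rule1 hdr_dom(host) -i test.com
    acl rule2 src 192.168.1.2/24
    redirect prefix https://yes.com code 301 if rule1 rule2
"""

SECTION_RE = re.compile(r"^\s*(global|defaults|frontend|backend|listen)\b\s*(\S*)")
ACL_RE = re.compile(r"^\s*acl\s+(\S+)\s+(\S+)")

def fetch_name(criterion):
    """Reduce 'hdr_dom(host)' or 'src,lower' to the bare fetch keyword."""
    return re.split(r"[(,]", criterion, maxsplit=1)[0]

def find_mixed_acls(cfg_text):
    """Return [(section, acl_name, sorted fetches)] for every ACL name that is
    declared more than once in a section with different sample fetches.
    HAProxy ORs such declarations together, so each one is worth a review."""
    section = "(no section)"
    seen = defaultdict(set)                    # (section, name) -> {fetch keywords}
    for raw in cfg_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # naive comment strip
        m = SECTION_RE.match(line)
        if m:
            section = f"{m.group(1)} {m.group(2)}".strip()
            continue
        m = ACL_RE.match(line)
        if m:
            seen[(section, m.group(1))].add(fetch_name(m.group(2)))
    return [(sec, name, sorted(f)) for (sec, name), f in seen.items() if len(f) > 1]

if __name__ == "__main__":
    for sec, name, fetches in find_mixed_acls(SAMPLE_CFG):
        print(f"{sec}: acl '{name}' ORs different fetches: {', '.join(fetches)}")
```

A hit is not necessarily a mistake, because ORing criteria under one name is supported behaviour; the lint only marks places where an AND may have been intended.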
