Hi Aleksandar
Thanks that help, but still gives me problems
This can be parsed
acl XMail_EAS url_beg -i /microsoft-server-activesync && XMail
but this will not
acl XMail_EAS XMail && url_beg -i /microsoft-server-activesync
error detected while parsing ACL 'XMail_EAS' : unknown fetch method 'XMail' in
ACL expression 'XMail'.
But when the parser accepts acl XMail_EAS , but not acl XMail_EAS_NoAccess, and
I have tried with or without surrounding { }
acl XMail_EAS url_beg -i /microsoft-server-activesync && XMail
acl XMail_EAS_NoAccess { url_beg -i /microsoft-server-activesync } && {
status 401 || status 403 }
http-request track-sc1 src table Table_SRC_XMail_EAS_L4 if
XMail_EAS_NoAccess
http-request tarpit deny_status 429 if XMail_EAS && {
sc_http_req_rate(1) gt 10 }
[ALERT] (436347) : config : parsing [/home/odin/haproxy01.cfg:108] : error
detected while parsing ACL 'XMail_EAS_NoAccess' : missing fetch method in ACL
expression '{'.
[ALERT] (436347) : config : parsing [/home/odin/haproxy01.cfg:110] : error
detected while parsing an 'http-request track-sc1' condition : no such ACL :
'XMail_EAS_NoAccess'.
Also is there a way to create constants so instead of writing 10 in many lines
I could use a constant which have the value 10.
I hope you can help me understand what I do wrong here.
To your question to the version I use:
Haproxy -vv
HAProxy version 2.5.0-1ppa1~focal 2021/11/26 - https://haproxy.org/
Status: stable branch - will stop receiving fixes around Q1 2023.
Known bugs: http://www.haproxy.org/bugs/bugs-2.5.0.html
Running on: Linux 5.4.0-91-generic #102-Ubuntu SMP Fri Nov 5 16:31:28 UTC 2021
x86_64
Build options :
TARGET = linux-glibc
CPU = generic
CC = cc
CFLAGS = -O2 -g -O2 -fdebug-prefix-map=/build/haproxy-IUgeIz/haproxy-2.5.0=.
-fstack-protector-strong -Wformat -Werror=format-security -Wdate-time
-D_FORTIFY_SOURCE=2 -Wall -Wextra -Wundef -Wdeclaration-after-statement -fwrapv
-Wno-address-of-packed-member -Wno-unused-label -Wno-sign-compare
-Wno-unused-parameter -Wno-clobbered -Wno-missing-field-initializers
-Wno-cast-function-type -Wtype-limits -Wshift-negative-value -Wshift-overflow=2
-Wduplicated-cond -Wnull-dereference
OPTIONS = USE_PCRE2=1 USE_PCRE2_JIT=1 USE_OPENSSL=1 USE_LUA=1 USE_SLZ=1
USE_SYSTEMD=1 USE_PROMEX=1
DEBUG =
Feature list : +EPOLL -KQUEUE +NETFILTER -PCRE -PCRE_JIT +PCRE2 +PCRE2_JIT
+POLL +THREAD +BACKTRACE -STATIC_PCRE -STATIC_PCRE2 +TPROXY +LINUX_TPROXY
+LINUX_SPLICE +LIBCRYPT +CRYPT_H +GETADDRINFO +OPENSSL +LUA +ACCEPT4 -CLOSEFROM
-ZLIB +SLZ +CPU_AFFINITY +TFO +NS +DL +RT -DEVICEATLAS -51DEGREES -WURFL
+SYSTEMD -OBSOLETE_LINKER +PRCTL -PROCCTL +THREAD_DUMP -EVPORTS -OT -QUIC
+PROMEX -MEMORY_PROFILING
Default settings :
bufsize = 16384, maxrewrite = 1024, maxpollevents = 200
Built with multi-threading support (MAX_THREADS=64, default=2).
Built with OpenSSL version : OpenSSL 1.1.1f 31 Mar 2020
Running on OpenSSL version : OpenSSL 1.1.1f 31 Mar 2020
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
Built with Lua version : Lua 5.3.3
Built with the Prometheus exporter as a service
Built with network namespace support.
Built with libslz for stateless compression.
Compression algorithms supported : identity("identity"), deflate("deflate"),
raw-deflate("deflate"), gzip("gzip")
Support for malloc_trim() is enabled.
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT
IP_FREEBIND
Built with PCRE2 version : 10.34 2019-11-21
PCRE2 library supports JIT : yes
Encrypted password support via crypt(3): yes
Built with gcc compiler version 9.3.0
Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.
Available multiplexer protocols :
(protocols marked as <default> cannot be specified using 'proto' keyword)
h2 : mode=HTTP side=FE|BE mux=H2
flags=HTX|CLEAN_ABRT|HOL_RISK|NO_UPG
fcgi : mode=HTTP side=BE mux=FCGI
flags=HTX|HOL_RISK|NO_UPG
<default> : mode=HTTP side=FE|BE mux=H1 flags=HTX
h1 : mode=HTTP side=FE|BE mux=H1 flags=HTX|NO_UPG
<default> : mode=TCP side=FE|BE mux=PASS flags=
none : mode=TCP side=FE|BE mux=PASS flags=NO_UPG
Available services : prometheus-exporter
Available filters :
[SPOE] spoe
[CACHE] cache
[FCGI] fcgi-app
[COMP] compression
[TRACE] trace
Regards
Henning
-----Oprindelig meddelelse-----
Fra: Aleksandar Lazic <[email protected]>
Sendt: 2. januar 2022 00:49
Til: Henning Svane <[email protected]>; [email protected]
Emne: Re: Troubles with AND in acl
Hi.
On 01.01.22 20:56, Henning Svane wrote:
> Hi
>
> I have used it for some time in PFsense, but know made a Linux
> installation and now the configuration give me some troubles.
>
> What have I done wrong here below?
>
> As I cannot see what I should have done different, but sudo haproxy -c
> -f /etc/haproxy/haproxy01.cfg gives the following errors
>
> error detected while parsing ACL 'XMail_EAS' : unknown fetch method 'if' in
> ACL expression 'if'.
>
> error detected while parsing an 'http-request track-sc1' condition : unknown
> fetch method 'XMail_EAS'
> in ACL expression 'XMail_EAS'.
>
> I have tried with { } around but that did not help
"if" is not a valid keyword for "acl" line.
http://cbonte.github.io/haproxy-dconv/2.4/configuration.html#7
> Configuration:
>
> bind 10.40.61.10:443 ssl crt /etc/haproxy/crt/mail_domain_com.pem alpn
> h2,http/1.1
>
> acl XMail hdr(host) -i mail.domain.com autodiscover.domain.com
>
> http-request redirect scheme https code 301 if !{ ssl_fc }
>
> acl XMail_EAS if XMail AND {url_beg -i /microsoft-server-activesync}
This works.
acl XMail hdr(host) -i mail.domain.com autodiscover.domain.com
acl MS_ACT url_beg -i /microsoft-server-activesync
http-request track-sc1 src table Table_SRC_XMail_EAS_L4 if XMail MS_ACT
The AND is implicit.
http://cbonte.github.io/haproxy-dconv/2.4/configuration.html#7.2
> http-request track-sc1 src table Table_SRC_XMail_EAS_L4 if { XMail_EAS
> } { status 401 } { status 403 }
>
> http-request tarpit deny_status 429 if { XMail_EAS} {
> sc_http_req_rate(1) gt 10 }
Please can you share some more information's.
haproxy -vv
> Regards
>
> Henning
Regards
Alex
