Hi Craig,

On Sat, Jun 19, 2010 at 09:34:48PM +0200, Craig wrote:
> Hi,
>
> it would be really nice, if there was a method to put cookies (and maybe
> other dynamic data?) into a data structure (b-tree?) and to be able to
> use acls based on that.
>
> Example:
>
> [magic to initialize data structures auth_users and unauth_users]
>
> acl is_authenticated hdr_sub(cookie) auth_users
> acl is_unauthenticated hdr_sub(cookie) unauth_users
>
> block if is_unauthenticated
> use_backend secret_servers if is_authenticated
> default_backend auth_servers
>
> the auth_users and unauth_users data structure could be filled with data
> via the unix socket we already have. AFAIR Willy wanted to build a
> telnet interface, too; before that's finished one can simply program a
> little server that writes to the socket. The backend servers send
> authenticated cookies to the server, et voila. We would need add, delete
> and - to see what's going on - show commands for that.
I wanted to be able to show/add/delete stick-table entries from the CLI,
and do as well for the ACLs that are loaded in trees. It's not implemented
because it's on my low-priority todo list. But this would be a typical
usage. We just need to implement the "cookie(ck_name)" ACL match to be able
to extract the cookie string to perform an exact match, and it will be easy
to perform.

> Uses:
> - block evil users based on a cookie in the loadbalancer (I know, it's
>   not that useful)

It's still useful for anti-ddos mechanisms.

> - use haproxy as a front door sorter
>
> Any opinions on this? I'd really like to abuse haproxy with this! ;)
> Or might this already be possible and I just overlooked how?

It's in fact close to being possible. We need to extend the unix socket
interface to support feeding values into the pattern trees, and to have a
cookie() match to extract the exact value.

You may want to experiment by yourself :-)

Cheers,
Willy
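As an added illustration that is not part of this thread and not code from either participant: the workflow Craig sketches (exact-match a cookie value against a list that is fed at runtime over the unix socket, with add/delete/show commands) is what later HAProxy releases (1.5 and up) provide through the `req.cook(<name>)` fetch, ACL pattern files loaded with `-f`, and the `add acl` / `del acl` / `show acl` commands on the stats socket. The file paths, the cookie name `session`, the socket path and the server addresses below are assumptions chosen for the example.

```haproxy
# Added example (not from the thread): a cookie-based front door whose
# allow/block lists live in ACL pattern files and are updated at runtime.
# Paths, the cookie name "session", socket path and addresses are assumptions.
global
    # Admin level is required for the socket to accept add/del acl.
    stats socket /var/run/haproxy.sock mode 600 level admin

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend front_door
    bind *:80
    # req.cook(session) isolates the value of the "session" cookie only;
    # unlike hdr_sub(cookie) it cannot be satisfied by a decoy cookie that
    # merely contains a listed token as a substring.
    # The -f files must exist at startup (they may be empty); their contents
    # are loaded into trees and can be changed over the socket without a reload.
    acl is_authenticated   req.cook(session) -f /etc/haproxy/auth_users.lst
    acl is_unauthenticated req.cook(session) -f /etc/haproxy/unauth_users.lst
    # http-request deny replaces the old "block" directive.
    http-request deny if is_unauthenticated
    use_backend secret_servers if is_authenticated
    default_backend auth_servers

backend secret_servers
    server s1 10.0.0.10:8080 check

backend auth_servers
    server a1 10.0.0.20:8080 check

# Runtime feeding from a backend (or a small helper) over the admin socket,
# e.g. with socat; the pattern file is referenced by its path:
#   echo "add acl /etc/haproxy/auth_users.lst 7e1c9b4d0af3"  | socat stdio /var/run/haproxy.sock
#   echo "show acl /etc/haproxy/auth_users.lst"              | socat stdio /var/run/haproxy.sock
#   echo "del acl /etc/haproxy/auth_users.lst 7e1c9b4d0af3"  | socat stdio /var/run/haproxy.sock
#   echo "add acl /etc/haproxy/unauth_users.lst 7e1c9b4d0af3" | socat stdio /var/run/haproxy.sock
```

Two caveats a practitioner will want: entries added over the socket live only in memory, so a reload re-reads the on-disk files and the feeder must also persist its changes there if they are meant to survive; and the socket grants full admin control, so it should be reachable only by the process that writes the lists, not by the backend servers themselves.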

