Hi Baptiste

I can see I forgot to add some more information to my previous mail.

Existing functionality (i.e. ACLs and sorting into backends) and traffic must not be changed. There is a lot of traffic to other parts of the system (i.e. for the admin or webservice backend) that comes from the same IP that I'm going to be testing from.

Is it possible to "bundle" ACLs so backend matching depends on more than one ACL being matched?

I'm looking for something like this (here the acl_collectors ACL is the same as in my config):

    acl acl_myip src 1.1.1.1
    acl acl_collector path_beg -f /etc/haproxy/collector_patterns.lst
    acl acl_collector hdr_sub(Referer) -f /etc/haproxy/collector_patterns.lst
    use_backend new_collectors if (acl_myip && acl_collector)

Then only the same traffic that would normally be matched in acl_collector would be sent to the new_collectors backend if the traffic was coming from 1.1.1.1.

Regards,
Jens Dueholm Christensen

________________________________________
From: Baptiste [[email protected]]
Sent: 21 March 2012 22:02
To: Jens Dueholm Christensen (JEDC)
Cc: [email protected]
Subject: Re: Help with ACL

Hi Jens,

You can set up 2 ACLs, one with IPs, one with your header, and use them on the use_backend line:

    acl myip src 1.1.1.1 1.1.1.2
    acl myheader hdr(MyHeader) keyword
    use_backend acl_collector if myip || myheader

Note that the use_backend order matters. The first matching will be used.
So it's up to you to set them in the best order for your needs.

Regards

On Wed, Mar 21, 2012 at 9:52 PM, Jens Dueholm Christensen (JEDC) <[email protected]> wrote:
> Hi
>
> I'm having trouble wrapping my head around what I believe is a really simple
> problem.
>
> I've got a working HAProxy setup with a few listeners and a few backends and
> some ACLs that direct traffic accordingly.
>
> Now I'm about to add a new backend for some function-testing in this setup,
> and I want to restrict what ends up there.
>
> This is a thinned down version of my configuration (oh, global or default-level
> ACLs would be nice..):
>
> ---
> global
>     ...
>
> defaults default
>     mode http
>     balance roundrobin
>
> listen in-DK
>     bind 127.0.0.1:4431
>
>     acl acl_collector path_beg -f /etc/haproxy/collector_patterns.lst
>     acl acl_collector hdr_sub(Referer) -f /etc/haproxy/collector_patterns.lst
>
>     acl acl_webservice path_beg /services
>
>     use_backend collectors if acl_collector
>     use_backend webservice if acl_webservice
>
>     default_backend admin
>
> listen in-NO
>     bind 127.0.0.1:4432
>
>     acl acl_collector path_beg -f /etc/haproxy/collector_patterns.lst
>     acl acl_collector hdr_sub(Referer) -f /etc/haproxy/collector_patterns.lst
>
>     acl acl_webservice path_beg /services
>
>     use_backend collectors if acl_collector
>     use_backend webservice if acl_webservice
>
>     default_backend admin
>
> backend admin
>     server admin1 172.27.80.36:8080 id 1 maxconn 500 check observe layer7
>
> backend webservice
>     server webservice1 172.27.80.37:8080 id 2 maxconn 500 check observe layer7
>
> backend collectors
>     server collector1 172.27.80.38:8080 id 3 maxconn 1000 check observe layer7
>     server collector1 172.27.80.39:8080 id 4 maxconn 1000 check observe layer7
> ---
>
> The file /etc/haproxy/collector_patterns.lst contains these 3 lines:
> ---
> /collect
> /answer
> /LinkCollector
> ---
>
> This new backend I want for testing (let's call it new_collectors) should
> receive the traffic the existing ACL acl_collector directs to the backend
> collectors, but ONLY if that traffic comes from a certain IP or contains a
> certain HTTP header.
>
> How do I manage that?
>
> Regards,
> Jens Dueholm Christensen
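
Added example, not part of the original thread and not the posters' own configuration: in HAProxy, ACL names listed side by side in a condition are ANDed and `||` separates alternatives, so the "bundled" rule asked about above can be written as below for the `in-DK` listener. The `acl_myheader` name, the `new_collector1` server name and its 192.0.2.10 address are constructed placeholders; `MyHeader` and `keyword` are the placeholder values from Baptiste's reply.

```haproxy
listen in-DK
    bind 127.0.0.1:4431

    # Unchanged: the same ACL name declared twice matches if either test matches.
    acl acl_collector  path_beg         -f /etc/haproxy/collector_patterns.lst
    acl acl_collector  hdr_sub(Referer) -f /etc/haproxy/collector_patterns.lst
    acl acl_webservice path_beg /services

    # New: who is allowed onto the test backend (placeholder values).
    acl acl_myip     src 1.1.1.1
    acl acl_myheader hdr(MyHeader) keyword

    # ACLs written next to each other are ANDed; "||" starts an alternative.
    # Reads as: (collector AND my IP) OR (collector AND my header).
    # Placed first because the first matching use_backend rule wins.
    use_backend new_collectors if acl_collector acl_myip || acl_collector acl_myheader

    # Existing rules, unchanged. Requests from 1.1.1.1 that do not match
    # acl_collector still fall through to webservice or admin as before.
    use_backend collectors if acl_collector
    use_backend webservice if acl_webservice

    default_backend admin

backend new_collectors
    # Constructed placeholder address (documentation range), not from the thread.
    server new_collector1 192.0.2.10:8080 maxconn 1000 check observe layer7
```

A request header is chosen by the client, so the header alternative admits anyone who sends that value; drop the `|| acl_collector acl_myheader` part if only the source address should select the test backend.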

