Hi Jens,

No need to apologize, you may have helped a few other people ;)

You can also do this:
acl acl_myip src 1.1.1.1
acl acl_collector path_beg -f /etc/haproxy/collector_patterns.lst
acl acl_collector hdr_sub(Referer) -f /etc/haproxy/collector_patterns.lst
use_backend new_collectors if acl_myip acl_collector
==> AND is implicit.

regards

On Wed, Mar 21, 2012 at 11:46 PM, Jens Dueholm Christensen (JEDC) <[email protected]> wrote:
> Oh..
>
> It just hit me..
>
> I could just do this:
>
> acl acl_test src 1.1.1.1
> acl acl_test path_beg -f /etc/haproxy/collector_patterns.lst
> acl acl_test hdr_sub(Referer) -f /etc/haproxy/collector_patterns.lst
>
> use_backend new_collectors if acl_test
>
> Sorry for bothering the mailing list about this - somehow I was focused on
> reusing my existing acl_collector and never thought about building a new ACL
> with the correct rules.. :)
>
> Regards,
> Jens Dueholm Christensen
> ________________________________________
> From: Jens Dueholm Christensen (JEDC) [[email protected]]
> Sent: 21 March 2012 23:32
> To: [email protected]
> Subject: RE: Help with ACL
>
> Hi Baptiste
>
> I can see I forgot to add some more information to my previous mail..
>
> Existing functionality (ie. ACLs and sorting into backends) and traffic must
> not be changed.
> There is a lot of traffic to other parts of the system (ie. for the admin or
> webservice backend) that comes from the same IP that I'm going to be testing
> from.
>
> Is it possible to "bundle" ACLs so backend matching depends on more than one
> ACL being matched??
>
> I'm looking for something like this (here the acl_collectors ACL is the same
> as in my config):
>
> acl acl_myip src 1.1.1.1
> acl acl_collector path_beg -f /etc/haproxy/collector_patterns.lst
> acl acl_collector hdr_sub(Referer) -f /etc/haproxy/collector_patterns.lst
>
> use_backend new_collectors if (acl_myip && acl_collector)
>
> Then only the same traffic that would normally be matched in acl_collector
> would be sent to the new_collectors backend if the traffic was coming from
> 1.1.1.1.
>
> Regards,
> Jens Dueholm Christensen
> ________________________________________
> From: Baptiste [[email protected]]
> Sent: 21 March 2012 22:02
> To: Jens Dueholm Christensen (JEDC)
> Cc: [email protected]
> Subject: Re: Help with ACL
>
> Hi Jens,
>
> You can setup 2 ACLs, one with IPs one with your header and use them
> on the use_backend line:
> acl myip src 1.1.1.1 1.1.1.2
> acl myheader hdr(MyHeader) keyword
> use_backend acl_collector if myip || myheader
>
> Note that the use_backend order matters.
> The first matching will be used. So it's up to you to set them in the
> best order for your needs.
>
> Regards
>
>
>
> On Wed, Mar 21, 2012 at 9:52 PM, Jens Dueholm Christensen (JEDC)
> <[email protected]> wrote:
>> Hi
>>
>> I'm having trouble wrapping my head around what I believe is a really simple
>> problem.
>>
>> I've got a working HAProxy setup with a few listeners and a few backends and
>> some ACL's that direct traffic accordingly.
>>
>> Now I'm about to add a new backend for some function-testing in this setup,
>> and I want to restrict what ends up there.
>>
>> This is thinned down version of my configuration (oh, global or
>> default-level ACL's be nice..):
>>
>> ---
>> global
>>     ...
>>
>> defaults default
>>     mode http
>>     balance roundrobin
>>
>> listen in-DK
>>     bind 127.0.0.1:4431
>>
>>     acl acl_collector path_beg -f /etc/haproxy/collector_patterns.lst
>>     acl acl_collector hdr_sub(Referer) -f /etc/haproxy/collector_patterns.lst
>>
>>     acl acl_webservice path_beg /services
>>
>>     use_backend collectors if acl_collector
>>     use_backend webservice if acl_webservice
>>
>>     default_backend admin
>>
>> listen in-NO
>>     bind 127.0.0.1:4432
>>
>>     acl acl_collector path_beg -f /etc/haproxy/collector_patterns.lst
>>     acl acl_collector hdr_sub(Referer) -f /etc/haproxy/collector_patterns.lst
>>
>>     acl acl_webservice path_beg /services
>>
>>     use_backend collectors if acl_collector
>>     use_backend webservice if acl_webservice
>>
>>     default_backend admin
>>
>> backend admin
>>     server admin1 172.27.80.36:8080 id 1 maxconn 500 check observe layer7
>>
>> backend webservice
>>     server webservice1 172.27.80.37:8080 id 2 maxconn 500 check observe layer7
>>
>> backend collectors
>>     server collector1 172.27.80.38:8080 id 3 maxconn 1000 check observe layer7
>>     server collector1 172.27.80.39:8080 id 4 maxconn 1000 check observe layer7
>> ---
>>
>> The file /etc/haproxy/collector_patterns.lst contains these 3 lines:
>> ---
>> /collect
>> /answer
>> /LinkCollector
>> ---
>>
>> This new backend I want for testing (let's call it new_collectors) should
>> receive the traffic the existing ACL acl_collector directs to the backend
>> collectors, but ONLY if that traffic comes from a certain IP or contains a
>> certain HTTP header.
>>
>> How do I manage that?
>>
>> Regards,
>> Jens Dueholm Christensen
>>
>>
>
>
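
Added example, not part of the original thread and not HAProxy code: a simplified Python model of the ACL rules this thread turns on (acl lines sharing a name are ORed, ACL names listed on one `if` line are ANDed, the first matching use_backend wins), comparing the single-name `acl_test` layout with the `acl_myip acl_collector` layout. The sample requests are constructed, and placing the new_collectors rule ahead of the existing rules is an assumption.

```python
# Simplified model of HAProxy ACL evaluation; not HAProxy's own code.
PATTERNS = ["/collect", "/answer", "/LinkCollector"]  # collector_patterns.lst

def src(ip):
    return lambda r: r["src"] == ip

def path_beg(pats):
    return lambda r: any(r["path"].startswith(p) for p in pats)

def hdr_sub(name, pats):
    return lambda r: any(p in r["headers"].get(name, "") for p in pats)

def acl_matches(acls, name, req):
    # "acl" lines that share a name are ORed together.
    return any(test(req) for n, test in acls if n == name)

def route(acls, rules, req, default="admin"):
    # ACL names on one "if" line are ANDed; the first matching use_backend wins.
    for backend, names in rules:
        if all(acl_matches(acls, n, req) for n in names):
            return backend
    return default

def collector_criteria(name):
    return [(name, path_beg(PATTERNS)), (name, hdr_sub("Referer", PATTERNS))]

BASE_ACLS = collector_criteria("acl_collector") + [("acl_webservice", path_beg(["/services"]))]
BASE_RULES = [("collectors", ["acl_collector"]), ("webservice", ["acl_webservice"])]

# Layout 1: source IP and collector criteria all under the one name acl_test.
ONE_NAME = (BASE_ACLS + [("acl_test", src("1.1.1.1"))] + collector_criteria("acl_test"),
            [("new_collectors", ["acl_test"])] + BASE_RULES)
# Layout 2: acl_myip and acl_collector named together on the use_backend line.
TWO_NAMES = (BASE_ACLS + [("acl_myip", src("1.1.1.1"))],
             [("new_collectors", ["acl_myip", "acl_collector"])] + BASE_RULES)

# Constructed sample requests (not from the thread).
REQUESTS = {
    "tester_collect": {"src": "1.1.1.1", "path": "/collect/42", "headers": {}},
    "tester_admin": {"src": "1.1.1.1", "path": "/admin/login", "headers": {}},
    "other_collect": {"src": "2.2.2.2", "path": "/answer/7", "headers": {}},
    "other_referer": {"src": "2.2.2.2", "path": "/img/x.png",
                      "headers": {"Referer": "http://example.test/LinkCollector/1"}},
}

def compare():
    # Map each request to (backend under layout 1, backend under layout 2).
    return {name: (route(*ONE_NAME, req), route(*TWO_NAMES, req))
            for name, req in REQUESTS.items()}
```

Calling `compare()` shows that in this model the single-name layout sends every request from 1.1.1.1, and every collector request from any address, to new_collectors, while the two-name layout diverts only collector traffic from 1.1.1.1.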

