Hi Baptiste
Thank you for pointing that out.. :)
After your example I could see what had eluded me in the documentation.
From section "7.7. Using ACLs to form conditions":

    acl url_static  path_beg         /static /images /img /css
    acl url_static  path_end         .gif .png .jpg .css .js
    acl host_www    hdr_beg(host) -i www
    acl host_static hdr_beg(host) -i img. video. download. ftp.
    ...
    use_backend static if host_static or host_www url_static
                                         ^^^^^^^^^^^^^^^^^^^
Perhaps this line (also from section 7.7.)
[!]acl1 [!]acl2 ... [!]acln { or [!]acl1 [!]acl2 ... [!]acln } ...
should have a few more examples showing "and", "or" and "negation" in use than
just the one.
Regards,
Jens Dueholm Christensen
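
Added example, not part of the original mail or of the HAProxy documentation: the in-DK listener from this thread with "and", "or" and negation in one place, next to the over-broad single-ACL variant. The names acl_myip, acl_testhdr and new_collectors and the values 1.1.1.1 and MyHeader/keyword are the placeholders used in the thread; the backend sections are assumed to exist as in the original configuration.

```haproxy
# Added illustration; placeholder values are taken from the thread.
listen in-DK
    bind 127.0.0.1:4431

    # acl lines sharing a name are OR'ed together:
    # acl_collector matches on the path OR on the Referer header.
    acl acl_collector  path_beg         -f /etc/haproxy/collector_patterns.lst
    acl acl_collector  hdr_sub(Referer) -f /etc/haproxy/collector_patterns.lst
    acl acl_webservice path_beg         /services
    acl acl_myip       src              1.1.1.1
    acl acl_testhdr    hdr(MyHeader)    keyword

    # Too broad: adding "src" under the same ACL name ORs it with the
    # collector patterns, so ALL collector traffic from any client and
    # ALL traffic from 1.1.1.1 would reach the test backend.
    #   acl acl_test src 1.1.1.1
    #   acl acl_test path_beg -f /etc/haproxy/collector_patterns.lst
    #   use_backend new_collectors if acl_test

    # AND is implicit between ACLs, OR is written "or" (or "||").
    # There are no parentheses and AND binds tighter than OR, so
    # acl_collector is repeated on both sides of the "or":
    #   (collector AND test IP) OR (collector AND test header)
    use_backend new_collectors if acl_collector acl_myip or acl_collector acl_testhdr

    # Negation with "!": collector traffic that is NOT test traffic.
    # The first matching use_backend wins, so the rule above already
    # guarantees this; the "!" terms make the split explicit and keep
    # it correct if the rules are ever reordered.
    use_backend collectors if acl_collector !acl_myip !acl_testhdr
    use_backend webservice if acl_webservice

    default_backend admin
```

Running "haproxy -c -f <config file>" after such a change checks that the configuration parses before it is reloaded.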
-----Original Message-----
From: Baptiste [mailto:[email protected]]
Sent: Thursday, March 22, 2012 6:02 AM
To: Jens Dueholm Christensen (JEDC)
Cc: [email protected]
Subject: Re: Help with ACL
Hi Jens,
No need to apologize, you may have helped a few other people ;)
You can also do this:
acl acl_myip src 1.1.1.1
acl acl_collector path_beg -f /etc/haproxy/collector_patterns.lst
acl acl_collector hdr_sub(Referer) -f /etc/haproxy/collector_patterns.lst
use_backend new_collectors if acl_myip acl_collector
==> AND is implicit.
regards
On Wed, Mar 21, 2012 at 11:46 PM, Jens Dueholm Christensen (JEDC)
<[email protected]> wrote:
> Oh..
>
> It just hit me..
>
> I could just do this:
>
> acl acl_test src 1.1.1.1
> acl acl_test path_beg -f /etc/haproxy/collector_patterns.lst
> acl acl_test hdr_sub(Referer) -f /etc/haproxy/collector_patterns.lst
>
> use_backend new_collectors if acl_test
>
> Sorry for bothering the mailing list about this - somehow I was focused on
> reusing my existing acl_collector and never thought about building a new ACL
> with the correct rules.. :)
>
> Regards,
> Jens Dueholm Christensen
> ________________________________________
> From: Jens Dueholm Christensen (JEDC) [[email protected]]
> Sent: 21 March 2012 23:32
> To: [email protected]
> Subject: RE: Help with ACL
>
> Hi Baptiste
>
> I can see I forgot to add some more information to my previous mail..
>
> Existing functionality (ie. ACLs and sorting into backends) and traffic must
> not be changed.
> There is a lot of traffic to other parts of the system (ie. for the admin or
> webservice backend) that comes from the same IP that I'm going to be testing
> from.
>
> Is it possible to "bundle" ACL's so backend matching depends on more than one
> ACL being matched??
>
> I'm looking for something like this (here the acl_collectors ACL is the same
> as in my config):
>
> acl acl_myip src 1.1.1.1
> acl acl_collector path_beg -f /etc/haproxy/collector_patterns.lst
> acl acl_collector hdr_sub(Referer) -f /etc/haproxy/collector_patterns.lst
>
> use_backend new_collectors if (acl_myip && acl_collector)
>
> Then only the same traffic that would normally be matched in acl_collector
> would be sent to the new_collectors backend if the traffic was coming from
> 1.1.1.1.
>
> Regards,
> Jens Dueholm Christensen
> ________________________________________
> From: Baptiste [[email protected]]
> Sent: 21 March 2012 22:02
> To: Jens Dueholm Christensen (JEDC)
> Cc: [email protected]
> Subject: Re: Help with ACL
>
> Hi Jens,
>
> You can setup 2 ACLs, one with IPs one with your header and use them
> on the use_backend line:
> acl myip src 1.1.1.1 1.1.1.2
> acl myheader hdr(MyHeader) keyword
> use_backend acl_collector if myip || myheader
>
> Note that the use_backend order matters.
> The first matching will be used. So it's up to you to set them in the
> best order for your needs.
>
> Regards
>
>
>
> On Wed, Mar 21, 2012 at 9:52 PM, Jens Dueholm Christensen (JEDC)
> <[email protected]> wrote:
>> Hi
>>
>> I'm having trouble wrapping my head around what I believe is a really simple
>> problem.
>>
>> I've got a working HAProxy setup with a few listeners and a few backends and
>> some ACL's that direct traffic accordingly.
>>
>> Now I'm about to add a new backend for some function-testing in this setup,
>> and I want to restrict what ends up there.
>>
>> This is a thinned down version of my configuration (oh, global or
>> default-level ACL's would be nice..):
>>
>> ---
>> global
>>     ...
>>
>> defaults default
>>     mode http
>>     balance roundrobin
>>
>> listen in-DK
>>     bind 127.0.0.1:4431
>>
>>     acl acl_collector path_beg -f /etc/haproxy/collector_patterns.lst
>>     acl acl_collector hdr_sub(Referer) -f /etc/haproxy/collector_patterns.lst
>>
>>     acl acl_webservice path_beg /services
>>
>>     use_backend collectors if acl_collector
>>     use_backend webservice if acl_webservice
>>
>>     default_backend admin
>>
>> listen in-NO
>>     bind 127.0.0.1:4432
>>
>>     acl acl_collector path_beg -f /etc/haproxy/collector_patterns.lst
>>     acl acl_collector hdr_sub(Referer) -f /etc/haproxy/collector_patterns.lst
>>
>>     acl acl_webservice path_beg /services
>>
>>     use_backend collectors if acl_collector
>>     use_backend webservice if acl_webservice
>>
>>     default_backend admin
>>
>> backend admin
>>     server admin1 172.27.80.36:8080 id 1 maxconn 500 check observe layer7
>>
>> backend webservice
>>     server webservice1 172.27.80.37:8080 id 2 maxconn 500 check observe layer7
>>
>> backend collectors
>>     server collector1 172.27.80.38:8080 id 3 maxconn 1000 check observe layer7
>>     server collector1 172.27.80.39:8080 id 4 maxconn 1000 check observe layer7
>> ---
>>
>> The file /etc/haproxy/collector_patterns.lst contains these 3 lines:
>> ---
>> /collect
>> /answer
>> /LinkCollector
>> ---
>>
>> This new backend I want for testing (let's call it new_collectors) should
>> receive the traffic the existing ACL acl_collector directs to the backend
>> collectors, but ONLY if that traffic comes from a certain IP or contains a
>> certain HTTP header.
>>
>> How do I manage that?
>>
>> Regards,
>> Jens Dueholm Christensen
>>
>>
>
>