On Tue, Apr 3, 2012 at 1:42 AM, Guillaume Demillecamps <
guilla...@multipurpose.be> wrote:

> Hello all,
>
>
> I am starting to hit some limitations in haproxy's configuration options!
> I have decided to use this product to sit in front of a cloud environment
> hosting several websites, as I have used it many times for several years and
> have always found it very, very efficient.
>
> At the moment I have over 20 hosted websites (many more might come in). So
> basically, at least as many ACLs for this (and actually much, much more).
> I do NOT want a default_backend. On the contrary, I need (for security reasons)
> to block access except if the user comes with the correct HTTP header
> (virtual hosting). I also have to grant access to the site


Forgive me if I've not comprehended your requirements correctly, but could
you simplify your config by adding a default_backend that hosts all of the
non-authorized requests? This way the default_backend is a trash bucket
that hosts all the junk that your ACLs haven't found a proper backend for
based on Host header or src IP.

That backend could even be another haproxy frontend which simply blocks
everything coming in.


> to a restricted list of IPs (developer agencies) before an official
> go-live is set up for specific sites, or for some admin areas of those
> websites.
> So, in other words, I have one HUGE line which is a:
>   block unless is_website_01 || is_website02 || is_website_02 ||
> is_allowed_agency_01 || is_allowed_agency_02 ...
> Then follows the use_backend website_01 if is_website_01 (and potentially
> also if is_allowed_agency_01)
>
> And... I have faced a limit of over 2047 characters in one line, now!
>
> I tried to rewrite the ACL list in this way:
>   acl is_website_01 hdr(host) -i www.website01.com   # already existing
>   acl is_website_02 hdr(host) -i www.website02.com   # already existing
>   acl is_all_allowed_websites is_website_01
>   acl is_all_allowed_websites is_website_02
>   acl is_allowed_agency_01 src x.x.x.x   # already existing
>   acl is_allowed_agency_02 src y.y.y.y   # already existing
>   acl is_all_allowed_agencies is_allowed_agency_01
>   acl is_all_allowed_agencies is_allowed_agency_02
>   block unless is_all_allowed_websites || is_all_allowed_agencies
>
> But apparently this approach is not possible in haproxy?
>
> That leaves me with the only option of re-writing all ACLs twice, then...
>   acl is_website_01 hdr(host) -i www.website01.com   # already existing
>   acl is_website_02 hdr(host) -i www.website02.com   # already existing
>   acl is_all_allowed_websites hdr(host) -i www.website01.com
>   acl is_all_allowed_websites hdr(host) -i www.website02.com
>   acl is_allowed_agency_01 src x.x.x.x   # already existing
>   acl is_allowed_agency_02 src y.y.y.y   # already existing
>   acl is_all_allowed_agencies src x.x.x.x
>   acl is_all_allowed_agencies src y.y.y.y
>   block unless is_all_allowed_websites || is_all_allowed_agencies
>
> Is there no way to make the preferred option, re-using ACLs in
> other ACLs, possible?
>
> Many thanks!!
>
>
> Guillaume Demillecamps
>
>

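Below is an added example, not from the original thread, of the default-deny layout the reply suggests, written in HAProxy 1.4-era syntax. Host names, backend names and server addresses are placeholders, and the client addresses come from the 203.0.113.0/24 documentation range. It shows two things the quoted configs do not: ACL lines that share a name are OR'ed together, so an aggregate ACL grows by one line per site instead of one multi-kilobyte "block unless" line; and putting each agency's IP allow-list on its own site's rule means those addresses unlock only that site, whereas a single "|| is_all_allowed_agencies" clause lets any agency address bypass the Host check for every site.

```haproxy
frontend public
    bind *:80
    mode http
    option httplog

    # Live sites. Same-named ACLs are OR'ed, so "is_live" is built
    # one pattern per line rather than in one long condition.
    acl is_website_01 hdr(host) -i www.website01.com
    acl is_website_02 hdr(host) -i www.website02.com
    acl is_live       hdr(host) -i www.website01.com
    acl is_live       hdr(host) -i www.website02.com

    # Pre-go-live site: reachable only from its agency's addresses
    # (placeholder addresses, documentation range 203.0.113.0/24).
    acl is_website_03 hdr(host) -i www.website03.com
    acl agency_03     src 203.0.113.10 203.0.113.11

    # Admin area of a live site, restricted to another agency's address.
    acl is_admin      path_beg -i /admin
    acl agency_01     src 203.0.113.20

    # Explicit denies (403). "block" is evaluated before backend
    # selection regardless of where it appears in the section.
    block if is_website_01 is_admin !agency_01
    block if is_website_03 !agency_03

    # Routing. A request whose Host matches no rule lands in the
    # sinkhole, so an unknown or missing Host never reaches a site.
    use_backend website_01 if is_website_01
    use_backend website_02 if is_website_02
    use_backend website_03 if is_website_03
    default_backend sinkhole

backend sinkhole
    mode http
    # No servers and an unconditional deny: everything that falls
    # through gets a 403, and the denial shows up in the log.
    http-request deny

backend website_01
    mode http
    server web01 10.0.0.11:80 check

backend website_02
    mode http
    server web02 10.0.0.12:80 check

backend website_03
    mode http
    server web03 10.0.0.13:80 check
```

Validate with `haproxy -c -f haproxy.cfg` before reloading. If the list of live sites keeps growing, the repeated `acl is_live` lines can be replaced by `acl is_live hdr(host) -i -f /etc/haproxy/live_hosts.lst` with one host name per line in that file (the path is a placeholder), which also sidesteps the per-line length limit hit in the question.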