On Tue, May 8, 2012 at 1:24 AM, Willy Tarreau <[email protected]> wrote:
> Hi Malcolm,
>
> On Mon, May 07, 2012 at 06:19:36PM -0700, Malcolm Handley wrote:
>> I'd like to write an ACL that compares the integer value of a cookie
>> with a constant. (My goal is to be able to block percentiles of our
>> users if we have more traffic than we can handle, so I want to block a
>> request if the cookie's value is, say, less than 25.)
>>
>> I understand that I can do something like
>>     hdr_sub(cookie) -i <regular expression>
>> but that doesn't let me treat the value as an integer and compare it.
>>
>> I also know about
>>     hdr_val(<header>)
>> but that gives me the entire value of the cookie header, not just the
>> value of a particular cookie.
>>
>> Is there any way that I can do this?
>
> In the next snapshot I hope to be able to push today, there is a new
> cookie pattern fetch method which brings a number of "cook_*" ACL keywords.
> It does not have cook_val at the moment, but I can check if that's hard
> to add or not.

Cook_val sounds great if you happen to add that. How long do snapshots
take to become the stable version, generally? We've had some outages
(nothing to do with haproxy, which works great) and definitely don't
want to put bleeding-edge code into production at the moment.

> In the mean time, I think that if you manage to rewrite your cookie header
> to replace it with a header holding only the value, it might work, though
> it's dirty and quite tricky.

This is a great suggestion. Can you confirm that header rewriting
happens before other calls to hdr_val? (Do the commands happen in
order?) (One thing that's great about this is it would also let me
avoid creating a new header. My goal is to write an ACL of the form
[block if cook_value(user_id) % 1000 < 250] but ACLs don't support
much math. But your suggestion would get around this.)

> Instead, with regex you can actually match integer expressions, it's just
> a bit complicated but doable. For instance, a value below 25 might be
> defined like this (not tested right now but you get the idea) :
>
>      COOK=([0-9]|1[0-9]|2[0-4])([^0-9]|$)
>
> I've been doing this for a long time to extract requests by response times
> in logs until I got fed up and wrote halog.

Yeah. I thought of this too. I know that I could do it but we are
creating a tool to use in emergencies and I think that I'd be
frightened of messing it up in some small but important way. :-)

Thanks for the help.
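
Added example (not part of the thread, and not HAProxy code): the regex approach described above, generalized to any limit and checked exhaustively against a plain integer comparison, which is one way to address the worry about getting the pattern subtly wrong. The function names, the left-hand `(^|; *)` boundary and the sample Cookie headers are assumptions made for this example.

```python
import re

# Pattern exactly as posted in the thread (limit 25, cookie name COOK).
POSTED = r"COOK=([0-9]|1[0-9]|2[0-4])([^0-9]|$)"

def below_regex(name, limit):
    """Regex matching cookie `name` whose decimal value (no leading zeros) is < limit."""
    if limit < 1:
        raise ValueError("limit must be >= 1")
    digits = str(limit)
    n = len(digits)
    alts = []
    # Values with fewer digits than the limit are always smaller.
    for length in range(1, n):
        alts.append("[0-9]" if length == 1 else "[1-9]" + "[0-9]" * (length - 1))
    # Same digit count: copy a prefix of the limit, then use a smaller digit.
    for i, d in enumerate(digits):
        low = 1 if (i == 0 and n > 1) else 0
        high = int(d) - 1
        if high < low:
            continue
        cls = str(low) if low == high else "[%d-%d]" % (low, high)
        alts.append(digits[:i] + cls + "[0-9]" * (n - i - 1))
    # Assumption: "(^|; *)" stops a cookie such as XCOOK from matching.
    return "(^|; *)" + re.escape(name) + "=(" + "|".join(alts) + ")([^0-9]|$)"

def mismatches(pattern, name, limit, upto=2000):
    """Values in [0, upto) where the regex disagrees with `value < limit`."""
    rx = re.compile(pattern)
    bad = []
    for v in range(upto):
        header = "sid=abc; %s=%d; theme=dark" % (name, v)  # constructed header
        if bool(rx.search(header)) != (v < limit):
            bad.append(v)
    return bad

if __name__ == "__main__":
    for limit in (25, 250, 1000):
        pat = below_regex("COOK", limit)
        print(limit, pat, "mismatches:", mismatches(pat, "COOK", limit))
    print("posted pattern on XCOOK=5:", bool(re.search(POSTED, "XCOOK=5")))
```

Neither pattern matches a value written with leading zeros (for example `COOK=007`), so the cookie has to be set as a plain decimal number for the comparison to hold.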
