Oh, one more question: if I use reqrep to modify the cookies header that's going to destroy the original header, I suspect, which would cause problems for the web server that wants to read those cookies. Is there any way around that?

On Wed, May 9, 2012 at 3:51 PM, Malcolm Handley <[email protected]> wrote:
> On Tue, May 8, 2012 at 1:24 AM, Willy Tarreau <[email protected]> wrote:
>> Hi Malcolm,
>>
>> On Mon, May 07, 2012 at 06:19:36PM -0700, Malcolm Handley wrote:
>>> I'd like to write an ACL that compares the integer value of a cookie
>>> with a constant. (My goal is to be able to block percentiles of our
>>> users if we have more traffic than we can handle, so I want to block a
>>> request if the cookie's value is, say, less than 25.)
>>>
>>> I understand that I can do something like
>>> hdr_sub(cookie) -i <regular expression>
>>> but that doesn't let me treat the value as an integer and compare it.
>>>
>>> I also know about
>>> hdr_val(<header>)
>>> but that gives me the entire value of the cookie header, not just the
>>> value of a particular cookie.
>>>
>>> Is there any way that I can do this?
>>
>> In the next snapshot I hope to be able to push today, there is a new
>> cookie pattern fetch method which brings a number of "cook_*" ACL keywords.
>> It does not have cook_val at the moment, but I can check if that's hard
>> to add or not.
>
> Cook_val sounds great if you happen to add that. How long do snapshots
> take to become the stable version, generally? We've had some outages
> (nothing to do with haproxy, which works great) and definitely don't
> want to put bleeding-edge code into production at the moment.
>
>> In the meantime, I think that if you manage to rewrite your cookie header
>> to replace it with a header holding only the value, it might work, though
>> it's dirty and quite tricky.
>
> This is a great suggestion. Can you confirm that header rewriting
> happens before other calls to hdr_val? (Do the commands happen in
> order?) (One thing that's great about this is it would also let me
> avoid creating a new header. My goal is to write an ACL of the form
> [block if cook_value(user_id) % 1000 < 250] but ACLs don't support
> much math. But your suggestion would get around this.)
>
>> Instead, with regex you can actually match integer expressions, it's just
>> a bit complicated but doable. For instance, a value below 25 might be
>> defined like this (not tested right now but you get the idea) :
>>
>> COOK=([0-9]|1[0-9]|2[0-4])([^0-9]|$)
>>
>> I've been doing this for a long time to extract requests by response times
>> in logs until I got fed up and wrote halog.
>
> Yeah. I thought of this too. I know that I could do it but we are
> creating a tool to use in emergencies and I think that I'd be
> frightened of messing it up in some small but important way. :-)
>
> Thanks for the help.
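
Added example, not part of the original thread: an exhaustive check of the "below 25" regex quoted above against constructed Cookie header values, so a range pattern can be validated before it is relied on in an emergency. It assumes Python's `re` behaves like HAProxy's regex engine for these basic constructs; `ANCHORED_RE`, the `sid`/`a`/`b` cookies and all sample headers are constructed for illustration.

```python
import re

# Pattern from the thread, unchanged (its author marked it "not tested").
THREAD_RE = re.compile(r"COOK=([0-9]|1[0-9]|2[0-4])([^0-9]|$)")
# Assumed variant, not from the thread: require the cookie name to start the
# header or follow a ";" separator, so a cookie named XCOOK cannot match.
ANCHORED_RE = re.compile(r"(^|;\s*)COOK=([0-9]|1[0-9]|2[0-4])([^0-9]|$)")


def header_variants(value):
    """Constructed Cookie header values with COOK first, in the middle, last."""
    v = str(value)
    return [f"COOK={v}", f"COOK={v}; sid=abc", f"sid=abc; COOK={v}",
            f"a=1; COOK={v}; b=2"]


def mismatches(regex, limit=25, upto=1000):
    """List (header, expected, got) wherever the regex disagrees with n < limit."""
    bad = []
    for n in range(upto):
        for hdr in header_variants(n):
            got = regex.search(hdr) is not None
            if got != (n < limit):
                bad.append((hdr, n < limit, got))
    return bad


def edge_cases(regex):
    """Constructed inputs that a sweep over plain integers does not cover."""
    cases = ["XCOOK=5", "COOK=05", "COOK=", "COOK=24abc",
             "COOK=5;sid=1", "COOK=-3"]
    return {c: regex.search(c) is not None for c in cases}


if __name__ == "__main__":
    for name, rx in (("thread", THREAD_RE), ("anchored", ANCHORED_RE)):
        print(name, "mismatches:", len(mismatches(rx)))
        for case, hit in edge_cases(rx).items():
            print(f"  {case!r:16} -> {'match' if hit else 'no match'}")
```

The sweep shows the quoted pattern is correct for plain integers 0 to 999; the edge cases show it also matches a differently named cookie ending in `COOK` and does not match values with leading zeros.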

