Hi all (first message on list :) ),
In the process of migrating from httpd to haproxy for a reverse proxy
purpose, I'm facing a dilemma about how to set a response header according
to request URI.
Let me explain:
There are four file types that I want to handle:
    statics : *.js *.css *.png *.txt ...
    static_ : *.cache.*
    nocache : *.nocache.*
    others...
So I've set up some ACLs like this:
    acl p-url_statics path_end -i .html .htm .phpt
    acl p-url_statics path_end -i .jpg .jpeg .gif .png .bmp .tif .tiff .eps .ai .nef .ico .swf
    acl p-url_statics path_end -i .css .js
    acl p-url_statics path_end -i .txt .sql .csv .log
    ...
    acl p-url_static_ path_sub -i _static_ .cache.
    acl p-url_private path_sub -i _private_
    acl p-nocache path_sub -i .nocache.
I know I can't directly rspadd based on those ACLs, so I use a stick-table
with tcp-request inspection :
    tcp-request content track-sc0 always_true if p-url_statics !p-nocache !p-url_static_
    tcp-request content track-sc1 always_true if p-url_static_ !p-nocache
    tcp-request content track-sc2 always_true if p-nocache
This way I can:
    http-response set-header Cache-Control no-store,no-cache
    http-response set-header Cache-Control no-cache="Set-Cookie,Set-Cookie2",max-age=604800 if { sc0_tracked }
    http-response set-header Cache-Control no-cache="Set-Cookie,Set-Cookie2",max-age=31536000 if { sc1_tracked }
    http-response set-header Cache-Control no-store,no-cache,max-age=0,must-revalidate if { sc2_tracked }
The problem here is that I need to use the option httpclose/forceclose to break
the "Connection: keepalive" establishment provided by client browsers, so it's
potentially slowing down L4 exchanges, needing new handshakes... and it forbids
TCP reuse from the L4 load balancer.
The other problem is that I don't have any other sticky counter available
to match request ACLs with response header manipulation like:
    acl h-origin-X-Y hdr(Origin) -i @url@
    rspadd Access-Control-Allow-Origin: @url@ if h-origin-X-Y h-host-X
The other way I'm considering is to multiply backends for each of my
vhosts... which doesn't seem the best option since I have many of them...
but it's possible to decline it like this:
bk_@backendID@
...
bk_@backendID@_statics
...
bk_@backendID@_static_
...
bk_@backendID@_nocache
...
with the same configuration (options, health-check, servers, cookie
management,...) but specific "rspadd Cache-Control"...
Backends with static handling could be free of cookie/stick-table handling
anyway.
I fear it will create useless health-check noise... since it will be
driven by backend...
Many backends for just adding a header seems overkill to me because I
already have 6000 backends for 20 frontends and an haproxy.conf of 5MB which
takes a few seconds to load.
Does someone have a best practice to deal with this dilemma? Is there any
other way to go that I missed?
Thx !
Regards,
--
Steven Le Roux
2FF7 226B 552E 4709 03F0 6281 72D7 A010 3949 4CCB
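
An added example, not part of the original message: a small Python model of the ACL, track-sc and set-header rules exactly as shown above, usable as a test oracle to check which Cache-Control value a given request URI ends up with after the migration. The function names and the sample URIs are constructed for illustration, and only the extensions visible in the post are included. The audit function reports paths that match p-url_private yet fall into the sc0/sc1 classes, because the tracking rules shown do not reference that ACL.

```python
from urllib.parse import urlsplit

# Extensions from the p-url_statics ACL lines shown in the post (the post elides more).
STATIC_EXT = tuple((".html .htm .phpt .jpg .jpeg .gif .png .bmp .tif .tiff .eps .ai "
                    ".nef .ico .swf .css .js .txt .sql .csv .log").split())
COOKIE_SAFE = 'no-cache="Set-Cookie,Set-Cookie2",max-age='

def acls(uri):
    """Evaluate the request ACLs on the path only: path_* ignores the query string."""
    path = urlsplit(uri).path.lower()                  # -i means case-insensitive
    return {
        "statics": path.endswith(STATIC_EXT),          # path_end
        "static_": "_static_" in path or ".cache." in path,  # path_sub
        "private": "_private_" in path,
        "nocache": ".nocache." in path,
    }

def tracked(uri):
    """Which sticky counters the three tcp-request rules would set."""
    a = acls(uri)
    return {
        "sc0": a["statics"] and not a["nocache"] and not a["static_"],
        "sc1": a["static_"] and not a["nocache"],
        "sc2": a["nocache"],
    }

def cache_control(uri):
    """Apply the four http-response set-header rules in order; each match overwrites."""
    sc = tracked(uri)
    value = "no-store,no-cache"                        # unconditional first rule
    if sc["sc0"]:
        value = COOKIE_SAFE + "604800"
    if sc["sc1"]:
        value = COOKIE_SAFE + "31536000"
    if sc["sc2"]:
        value = "no-store,no-cache,max-age=0,must-revalidate"
    return value

def audit(uris):
    """Flag URIs matching p-url_private that still get a long-lived cacheable header."""
    return [u for u in uris
            if acls(u)["private"] and (tracked(u)["sc0"] or tracked(u)["sc1"])]

if __name__ == "__main__":
    # Constructed sample URIs, not taken from the post.
    for u in ["/js/app.js", "/gwt/A1B2.cache.html", "/gwt/app.nocache.js",
              "/api/user?f=x.js", "/_private_/export.csv"]:
        print(f"{u:28} -> {cache_control(u)}")
```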