On 2014-03-12 15:02, Julien Vehent wrote:
> Hi everyone,
>
> Is there a way to log the activity of an ACL?
>
> I tried to use a header insertion using reqadd, and then log that
> header, but it doesn't work.
>
>     # match content-length larger than 500kB
>     acl request-too-big hdr_val(content-length) gt 500000
>     reqadd X-Haproxy-ACL:\ request-too-big if METH_POST request-too-big
>     capture request header X-Haproxy-ACL len 64
>
> The goal is to test a bunch of ACLs before enabling them in production.
>
> Any idea on how to do this?
I found a workaround, that's kind of a hack, but it works. When the
custom header is set, I send the request to a backend that is, in fact,
another haproxy frontend. The header is logged then, and passed to its
final backend. I guess I could call that "double backending" :)
    # ~~~ Requests validation using ACLs ~~~
    # use a custom HTTP header to store the result of HAProxy's ACLs. The
    # default value is set to `pass`, and modified by ACLs below
    http-request set-header X-Haproxy-ACL pass
    # block content-length larger than 5kB
    acl request-too-big hdr_val(content-length) gt 5000
    http-request set-header X-Haproxy-ACL request-too-big if METH_POST request-too-big
    # if the previous ACL didn't pass, send to the logger backend
    acl pass-acl-validation req.hdr(X-Haproxy-ACL) -m str pass
    use_backend acl-logger if !pass-acl-validation

frontend acl-logger
    bind localhost:55555
    capture request header X-Haproxy-ACL len 64
    capture request header X-Unique-ID len 64
    default_backend fxa-nodejs

backend acl-logger
    server localhost localhost:55555
Downside is, in the logs, I now have two log entries for each request
that doesn't pass the ACLs. I can use the Unique ID value to
cross-reference them. In the sample below, the first logged request
indicates "request-too-big" in the captured headers.
Mar 12 21:32:35 localhost haproxy[23755]: [23755] [1394659955.945] 2/1/0/0/1/0/0 0/0/0/4/5 ---- 127.0.0.1:48120 127.0.0.1:55555 127.0.0.1:8000 acl-logger - - "GET /v1/somethingsomething HTTP/1.1" 404 fxa-nodejs:nodejs1 "-" "{request-too-big|47B4176E:8E5E_0A977AE4:01BB_5320D273_03FF:5CCB}" "-" "" "826 bytes"

Mar 12 21:32:35 localhost haproxy[23755]: [23755] [1394659955.850] 2/1/0/0/1/0/0 94/0/0/5/99 ---- 1.10.2.10:36446 10.151.122.228:443 127.0.0.1:55555 fxa-https~ ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 "GET /v1/somethingsomething HTTP/1.1" 404 acl-logger:localhost "-" "{||Mozilla/5.0 (X11; Linux x86_64; rv:30.0) Gecko/20100101 Firefox/}" "-" "" "802 bytes" 47B4176E:8E5E_0A977AE4:01BB_5320D273_03FF:5CCB
- Julien
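As an added example (not Julien's code), the cross-referencing step he describes, done in Python: the two log entries are joined on the X-Unique-ID value so that each request that tripped an ACL is reported once, with the ACL name taken from the acl-logger entry and the client, frontend and request line taken from the public-frontend entry. The field regex is written against the custom log-format visible in the post (it is an assumption that all lines follow it), the sample input is the two log lines from the post rejoined to one line each, and the capture order X-Haproxy-ACL then X-Unique-ID comes from the acl-logger frontend above.

```python
import re

# The two log entries from the post, each rejoined to a single line.
SAMPLE_LOG = [
    'Mar 12 21:32:35 localhost haproxy[23755]: [23755] [1394659955.945] 2/1/0/0/1/0/0 0/0/0/4/5 ---- 127.0.0.1:48120 127.0.0.1:55555 127.0.0.1:8000 acl-logger - - "GET /v1/somethingsomething HTTP/1.1" 404 fxa-nodejs:nodejs1 "-" "{request-too-big|47B4176E:8E5E_0A977AE4:01BB_5320D273_03FF:5CCB}" "-" "" "826 bytes"',
    'Mar 12 21:32:35 localhost haproxy[23755]: [23755] [1394659955.850] 2/1/0/0/1/0/0 94/0/0/5/99 ---- 1.10.2.10:36446 10.151.122.228:443 127.0.0.1:55555 fxa-https~ ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 "GET /v1/somethingsomething HTTP/1.1" 404 acl-logger:localhost "-" "{||Mozilla/5.0 (X11; Linux x86_64; rv:30.0) Gecko/20100101 Firefox/}" "-" "" "802 bytes" 47B4176E:8E5E_0A977AE4:01BB_5320D273_03FF:5CCB',
]

# Fields of the custom log-format shown in the post (assumed for every line):
# client address, frontend, request line, status, the "{...}" captured-header
# block, and the optional trailing unique ID emitted by the public frontend.
LOG_RE = re.compile(
    r'haproxy\[\d+\]: .*? (?P<client>\d+\.\d+\.\d+\.\d+:\d+) \S+ \S+ (?P<frontend>\S+) '
    r'.*?"(?P<request>[^"]*)" (?P<status>\d{3}) \S+ "[^"]*" '
    r'"\{(?P<captured>[^}]*)\}" .*?"\d+ bytes"(?: (?P<uid>\S+))?$'
)

def correlate(lines):
    """Join the acl-logger entry and the public-frontend entry on X-Unique-ID."""
    by_id = {}
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not a line of this log-format (or still wrapped)
        rec = m.groupdict()
        captured = rec["captured"].split("|")
        if rec["frontend"] == "acl-logger":
            # acl-logger captures X-Haproxy-ACL first and X-Unique-ID second.
            if len(captured) < 2 or not captured[1]:
                continue  # no unique ID captured, so nothing to cross-reference
            by_id.setdefault(captured[1], {})["acl"] = captured[0]
        elif rec["uid"]:
            by_id.setdefault(rec["uid"], {}).update(
                client=rec["client"], frontend=rec["frontend"],
                request=rec["request"], status=int(rec["status"]))
    return by_id

def acl_report(lines):
    """One (unique_id, acl, client, request) row per request that tripped an ACL."""
    return [(uid, e["acl"], e.get("client"), e.get("request"))
            for uid, e in correlate(lines).items() if "acl" in e]

if __name__ == "__main__":
    for row in acl_report(SAMPLE_LOG):
        print(*row)
```

Requests that pass every ACL never reach acl-logger, so they appear in `correlate()` without an `acl` key and are left out of `acl_report()`.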