On 2014-03-12 15:02, Julien Vehent wrote:
Hi everyone,

Is there a way to log the activity of an ACL?
I tried to use a header insertion using reqadd, and then log that
header, but it doesn't work.

    # match content-length larger than 500kB
    acl request-too-big hdr_val(content-length) gt 500000
    reqadd X-Haproxy-ACL:\ request-too-big if METH_POST request-too-big

    capture request header X-Haproxy-ACL len 64

The goal is to test a bunch of ACLs before enabling them in production.

Any idea on how to do this?

I found a workaround, that's kind of a hack, but it works. When the custom header is set, I send the request to a backend that is, in fact, another haproxy frontend. The header is logged then, and passed to its final backend. I guess I could call that "double backending" :)

    # ~~~ Requests validation using ACLs ~~~
    # use a custom HTTP header to store the result of HAProxy's ACLs. The
    # default value is set to `pass`, and modified by ACLs below
    http-request set-header X-Haproxy-ACL pass

    # block content-length larger than 5kB
    acl request-too-big hdr_val(content-length) gt 5000
    http-request set-header X-Haproxy-ACL request-too-big if METH_POST request-too-big

    # if the previous ACL didn't pass, send to the logger backend
    acl pass-acl-validation req.hdr(X-Haproxy-ACL) -m str pass
    use_backend acl-logger if !pass-acl-validation


# second frontend, reached only through the acl-logger backend below;
# it captures the ACL result header, then forwards to the real backend
frontend acl-logger
    bind localhost:55555
    capture request header X-Haproxy-ACL len 64
    capture request header X-Unique-ID len 64
    default_backend fxa-nodejs

# backend whose only server is the acl-logger frontend above
backend acl-logger
    server localhost localhost:55555

Downside is, in the logs, I now have two log entries for each request that doesn't pass the ACLs. I can use the Unique ID value to cross-reference them. In the sample below, the first logged request indicates "request-too-big" in the captured headers.

Mar 12 21:32:35 localhost haproxy[23755]: [23755] [1394659955.945] 2/1/0/0/1/0/0 0/0/0/4/5 ---- 127.0.0.1:48120 127.0.0.1:55555 127.0.0.1:8000 acl-logger - - "GET /v1/somethingsomething HTTP/1.1" 404 fxa-nodejs:nodejs1 "-" "{request-too-big|47B4176E:8E5E_0A977AE4:01BB_5320D273_03FF:5CCB}" "-" "" "826 bytes"

Mar 12 21:32:35 localhost haproxy[23755]: [23755] [1394659955.850] 2/1/0/0/1/0/0 94/0/0/5/99 ---- 1.10.2.10:36446 10.151.122.228:443 127.0.0.1:55555 fxa-https~ ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 "GET /v1/somethingsomething HTTP/1.1" 404 acl-logger:localhost "-" "{||Mozilla/5.0 (X11; Linux x86_64; rv:30.0) Gecko/20100101 Firefox/}" "-" "" "802 bytes" 47B4176E:8E5E_0A977AE4:01BB_5320D273_03FF:5CCB

- Julien
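The cross-referencing step described in the message, as an added example (not from the thread or from HAProxy): the script parses the two log entries quoted above, joins the acl-logger entry with the edge-frontend entry on the unique request ID, and tallies how often each ACL would have fired, which is what one wants to know before turning the ACLs into real blocks. It assumes the log layout shown above: the acl-logger frontend captures X-Haproxy-ACL and then X-Unique-ID (in that order), and the edge frontend (called fxa-https in the sample) writes the unique ID as the last field of its line. The frontend names and the sample lines are taken from the message; anything else is an assumption of this example.

```python
import re
from collections import Counter

# Constructed sample input: the two log entries quoted in the message above, verbatim.
SAMPLE_LOG = """\
Mar 12 21:32:35 localhost haproxy[23755]: [23755] [1394659955.945] 2/1/0/0/1/0/0 0/0/0/4/5 ---- 127.0.0.1:48120 127.0.0.1:55555 127.0.0.1:8000 acl-logger - - "GET /v1/somethingsomething HTTP/1.1" 404 fxa-nodejs:nodejs1 "-" "{request-too-big|47B4176E:8E5E_0A977AE4:01BB_5320D273_03FF:5CCB}" "-" "" "826 bytes"
Mar 12 21:32:35 localhost haproxy[23755]: [23755] [1394659955.850] 2/1/0/0/1/0/0 94/0/0/5/99 ---- 1.10.2.10:36446 10.151.122.228:443 127.0.0.1:55555 fxa-https~ ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 "GET /v1/somethingsomething HTTP/1.1" 404 acl-logger:localhost "-" "{||Mozilla/5.0 (X11; Linux x86_64; rv:30.0) Gecko/20100101 Firefox/}" "-" "" "802 bytes" 47B4176E:8E5E_0A977AE4:01BB_5320D273_03FF:5CCB
"""

# Frontend names as used in the thread's configuration (assumed to match your own setup).
ACL_LOGGER_FRONTEND = "acl-logger"
EDGE_FRONTEND = "fxa-https"

# Matches the tail of a log line in the custom format shown above, starting at the
# client address. The captured-header block is "{...}" and the unique ID, when the
# frontend logs one, is the last field on the line.
LINE_RE = re.compile(
    r'(?P<client>\d+\.\d+\.\d+\.\d+:\d+) (?P<fe_addr>\S+) (?P<be_addr>\S+) '
    r'(?P<frontend>\S+) (?P<cipher>\S+) (?P<tls>\S+) "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<backend>\S+) "[^"]*" "\{(?P<captured>[^}]*)\}" '
    r'"[^"]*" "[^"]*" "(?P<bytes>[^"]*)"(?: (?P<uid>\S+))?\s*$'
)


def parse_line(line):
    """Return the fields this example needs as a dict, or None if the line does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["frontend"] = rec["frontend"].rstrip("~")  # '~' marks an SSL-terminating frontend
    rec["captured"] = rec["captured"].split("|")   # one element per 'capture request header'
    rec["status"] = int(rec["status"])
    return rec


def correlate(log_text):
    """Join acl-logger entries with edge-frontend entries on the unique request ID.

    Returns {uid: {...}} for every request that was diverted to the acl-logger
    frontend, i.e. every request some ACL matched. The ACL verdict and final
    backend come from the acl-logger line; client address, TLS version and the
    status the client saw come from the edge-frontend line.
    """
    by_uid = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["frontend"] == ACL_LOGGER_FRONTEND:
            # Capture order from the config: X-Haproxy-ACL, then X-Unique-ID.
            if len(rec["captured"]) < 2:
                continue
            verdict, uid = rec["captured"][0], rec["captured"][1]
            by_uid.setdefault(uid, {}).update(acl=verdict, backend=rec["backend"])
        elif rec["frontend"] == EDGE_FRONTEND and rec["uid"]:
            by_uid.setdefault(rec["uid"], {}).update(
                client=rec["client"], tls=rec["tls"],
                request=rec["request"], status=rec["status"],
            )
    # Requests that passed every ACL never reach acl-logger, so drop entries without a verdict.
    return {uid: r for uid, r in by_uid.items() if "acl" in r}


def verdict_counts(log_text):
    """Count, per ACL name, how many requests it would have blocked."""
    return dict(Counter(r["acl"] for r in correlate(log_text).values()))


if __name__ == "__main__":
    for uid, r in correlate(SAMPLE_LOG).items():
        print(uid, r)
    print(verdict_counts(SAMPLE_LOG))
```

Run it against a real log with `correlate(open("/var/log/haproxy.log").read())`; since the acl-logger line is written when the inner request completes and the edge line slightly later, the join tolerates the two entries arriving in either order.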
