On 2014-06-28 08:40, Stefan Möhl wrote:
> Hello list,
>
> We are running a three-node HA-proxy setup in front of our AWS cluster.
> We are currently using it to black-list http headers with reg-exps,
> however, we would also like to use it for white-listing http-headers.
> That would require negated reg-exps. We have tried using negated Perl
> reg-exps, but that doesn't seem to work. Has anyone had luck with
> doing something like this?

Have you tried using `http-request deny unless <some acl>`? I described something similar, albeit with URL and not headers, in https://jve.linuxwall.info/ressources/taf/haproxy-aws/#url-filtering-with-acls

- Julien

Thanks for the response, Julien, and sorry for the long hiatus - summer vacation has taken its toll.

I am afraid the 'unless' keyword doesn't really solve it for me (as far as I can tell). Let me rephrase my question: I am looking to remove any header from a request/response unless it matches a white-list of permitted headers. That way, I can list the 10-20 common types of headers that my system actually uses, and be sure that any unexpected header is simply removed.

The problem is that there are many headers in a request or response. An ACL will be true if it matches any header in the message, not just the header I am examining at the moment. Even if there are headers that are not whitelisted, the message only needs a single whitelisted header to activate the ACL, and then that ACL will permit all headers.

That is why I was looking for a negated reg-exp: such a reg-exp would match everything that is _not_ whitelisted and let me discard the header using something like "reqidel <negated regexp>". Perhaps I am going about it the wrong way?

/Kind regards, Stefan

