On Tue, Oct 28, 2014 at 2:23 PM, Julian Pawlowski <[email protected]> wrote:
> On 28.10.2014, at 10:13, Julian Pawlowski <[email protected]> wrote:
>> I was wondering if there is a way to have HAproxy check for an existing
>> Cookie the client sends and have it verify with a specific backend (say
>> backend1). Based on that backend's HTTP error code (e.g. 200 or 403), HAproxy
>> should allow forwarding to backend2. Of course this would need to be checked
>> for every request but as this is not a high traffic site that wouldn't be an
>> issue.
>
> Okay I guess I made some progress. Maybe that helps for somebody else to give
> me a helping hand in completing this.
>
> My primary backend application now once sends a customized header like these
> after the user was successfully authorized:
>
>   X-APPNAME-AllowUser: APPSESSION=lkjhgsadkfjhsadjfhg
>   X-APPNAME-Validity: <UNIXTIMESTAMP-until-session-ends>
>   Location: /backend2
>
> I think I can now add some ACLs in the HAproxy configuration of my primary
> backend:
>
>   acl allowAPPNAMEUser res.hdr(X-APPNAME-AllowUser) -m found
>   acl disallowAPPNAMEUser res.hdr(X-APPNAME-DisallowUser) -m found
>   http-response set-map(/var/lib/haproxy/appname_user_sessions.lst) %[res.hdr(X-APPNAME-AllowUser)] %[res.hdr(X-APPNAME-Validity)] if allowAPPNAMEUser
>   http-response del-map(/var/lib/haproxy/appname_user_sessions.lst) %[res.hdr(X-APPNAME-DisallowUser)] if disallowAPPNAMEUser
>
> I tried these but don't know if they are actually working because I wasn't able
> to get anything about it from the logfiles.
> Also the map files are not written, even though I created empty files and
> ensured r/w access for the HAproxy daemon user.
>
> For /backend2, I think I might just need to add an ACL to my frontend similar
> to this but I'm not sure:
>
>   use_backend bk_backend2 if { hdr_sub(cookie),map_str(/var/lib/haproxy/appname_user_sessions.lst) -m found }
>
> About session expiration: I think I cannot have HAproxy make any cleanups on
> its own besides using the info should a user explicitly use the logout
> function via the primary backend (X-APPNAME-DisallowUser ...). The plan is to
> have a cronjob running cleaning the appname_user_sessions.lst based on the
> second column I added from X-APPNAME-Validity header.
>
> However, I'm still stuck on this somehow.
> Any help would be very much appreciated (it's for an OpenSource project if
> that counts).
>
>
> Many thanks in advance.
>
> Julian

Hi Julian,

This is doable with HAProxy 1.6-dev.
You have to store the answered cookie in a table when generated by the server
and then match it into the same table when the client sends it.

Baptiste
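
The approach described in the reply above, written out as an added example that is not part of the thread: the session cookie set by the primary backend is recorded in a stick table, and requests for /backend2 are admitted only when the client's cookie value is found in that table. The cookie name APPSESSION and the name bk_backend2 come from the thread; the other section names, addresses, table sizing and expiry are assumptions.

```haproxy
# Added example, HAProxy 1.6 syntax. Names other than APPSESSION and
# bk_backend2 are hypothetical; addresses are documentation ranges.
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend fe_main
    bind :80
    acl is_backend2   path_beg /backend2
    # True only if the cookie value the client sends is a key in the
    # stick table declared in bk_primary (in_table is a 1.6 converter).
    acl known_session req.cook(APPSESSION),in_table(bk_primary)
    # Fail closed: no matching table entry means no access to backend2.
    http-request deny if is_backend2 !known_session
    use_backend bk_backend2 if is_backend2
    default_backend bk_primary

backend bk_primary
    # Key = cookie value. "len" must cover the full value (assumed <= 64
    # characters here); "expire" ages entries out without a cron job
    # (30m is an assumed session lifetime).
    stick-table type string len 64 size 100k expire 30m
    # Learn the value whenever this backend answers with
    # "Set-Cookie: APPSESSION=...". The application must therefore set
    # the cookie only after a successful login, otherwise
    # unauthenticated sessions end up in the table as well.
    stick store-response res.cook(APPSESSION)
    server app1 192.0.2.10:8080

backend bk_backend2
    server app2 192.0.2.20:8080
```

An explicit logout can remove an entry before it expires with `clear table bk_primary key <value>` on the stats socket, which needs admin level.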

