Hi Willy,

2015-02-25 17:32 GMT+01:00 Willy Tarreau <[email protected]>:
> Hi Joris,
>
> On Wed, Feb 25, 2015 at 02:24:45PM +0100, joris dedieu wrote:
>> Hi,
>> I have a list of valid cookies associated with client IP, that I try
>> to make match in an acl.
>> The map format is :
>>
>> cookie-value\tip-address\n
>>
>> This acl should do :
>> if (client has cookie plop and plop value lookup in plop.map returns
>> src); then
>> the acl is valid
>> endif
>>
>> I tried things like :
>>
>> acl valid_cookie src %[req.cook(plop),map_str_ip(plop.map)]
>> or
>> acl valid_cookie req.cook(plop),map_str_ip(plop.map) -m ip %[src]
>>
>> but it clearly doesn't work (error detected while parsing ACL
>> 'valid_cookie' : '%[req.cook(plop),map_str_ip(plop.map)]' or %[src] is
>> not a valid IPv4 or IPv6 address).
>>
>> Maybe I misunderstand %[ substitution ? Does anyone here know the
>> right way to do that ? Maybe the -M switch ?
>
> The problem with "%[]" is that it became widespread enough to let people
> believe it can be used everywhere. It's only valid in some arguments of
> the http-request actions, and in log formats of course. It cannot be used
> to describe ACL patterns since by definition these patterns are constant.

Ok thanks for this clarification.

>
> In your case, if you need to check that the combination of (source,cookie)
> matches one in your table, I think you could proceed like this :
>
> 1) build a composite header which contains "$cookie=$ip" :
>
> http-request add-header blah %[req.cook(plop)]=%[src]
>
> 2) match this header against your own list of "cookie=src" entries in an ACL :
>
> acl valid_cookie req.hdr(blah) -f valid-cookies.lst
>
> 3) fill your "valid-cookies.lst" file with the valid combinations in the form
> "cookie=ip".
>
> 4) optionally remove the header blah after you've used the valid_cookie ACL.
>
> Hoping this helps,

Yes it helps a lot (even if I'm not really satisfied using this for client
identification, but that's another matter :)

Best Regards
Joris

> Willy
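
Added example (not part of the original thread and not HAProxy code): one way to produce the "cookie=ip" list of step 3 from the tab-separated plop.map described above, plus a check that mimics the exact string match of the ACL. The sample data, the function names and the assumption that the proxy prints src in compressed lowercase form are all hypothetical.

```python
import ipaddress

# Constructed sample of plop.map: cookie-value<TAB>ip-address, one per line.
SAMPLE_MAP = (
    "a1b2c3\t192.0.2.10\n"
    "d4e5f6\t2001:DB8:0:0:0:0:0:1\n"   # non-canonical IPv6 spelling
    "# comment line\n"
    "broken-line-without-tab\n"
    "zz99\t999.1.1.1\n"                # not an IP address
    "k=v\t198.51.100.7\n"
)


def map_to_list(map_text):
    """Return (entries, rejected): 'cookie=ip' strings and skipped line numbers."""
    entries, rejected = [], []
    for lineno, line in enumerate(map_text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        cookie, sep, ip = line.partition("\t")
        try:
            if not sep or not cookie or any(c.isspace() for c in cookie):
                raise ValueError("bad cookie field")
            # Assumption: the proxy prints src in compressed lowercase
            # form, so store the same spelling for an exact string match.
            addr = ipaddress.ip_address(ip.strip())
        except ValueError:
            rejected.append(lineno)
            continue
        entry = f"{cookie}={addr}"
        if entry not in entries:
            entries.append(entry)
    return entries, rejected


def is_valid(cookie, src, entries):
    """Emulate the exact string match the ACL performs on 'cookie=src'."""
    return f"{cookie}={src}" in set(entries)


if __name__ == "__main__":
    entries, rejected = map_to_list(SAMPLE_MAP)
    print("\n".join(entries))
    print("rejected lines:", rejected)
```

If the composite header is built with add-header, a header of the same name sent by the client is also seen by req.hdr(); http-request set-header replaces any existing value before the ACL is evaluated.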

