Hello,
I fell into a similar requirement to the one commented on in these mails a few years ago. As the right solution is still the use of some alternative workaround, I add my 2 cents to what has already been said.

For deny rules, the normal solution is:

frontend xxxx
    ....
    acl rule_user-agent hdr_sub(User-Agent) -f user-agent.txt
    http-request deny if rule_user-agent

But to view the rule application in the logs, it can be changed to this:

frontend xxxx
    ....
    acl rule_user-agent hdr_sub(User-Agent) -f user-agent.txt
    use_backend acl-user_agent if rule_user-agent

backend acl-user_agent
    http-request deny

As the request is sent to a backend, the log line reflects that information.

Regards,

> Hi Julien
>
> With HAProxy 1.5, you can change the log severity using http-request
> rules:
> http-request set-log-level notice if request-too-big
>
> Then you can easily divert notice logs into a dedicated file in your
> syslog server.
>
> My 2 cents.
>
> Baptiste
>
>
> On Thu, Mar 13, 2014 at 4:23 AM, Julien Vehent <[email protected]>
> wrote:
> > On 2014-03-12 15:02, Julien Vehent wrote:
> >>
> >> Hi everyone,
> >>
> >> Is there a way to log the activity of an ACL?
> >> I tried to use a header insertion using reqadd, and then log that
> >> header, but it doesn't work.
> >>
> >> # match content-length larger than 500kB
> >> acl request-too-big hdr_val(content-length) gt 500000
> >> reqadd X-Haproxy-ACL:\ request-too-big if METH_POST request-too-big
> >>
> >> capture request header X-Haproxy-ACL len 64
> >>
> >> The goal is to test a bunch of ACLs before enabling them in production.
> >>
> >> Any idea on how to do this?
> >
> >
> > I found a workaround, that's kind of a hack, but it works. When the custom
> > header is set, I send the request to a backend that is, in fact, another
> > haproxy frontend. The header is logged then, and passed to its final
> > backend. I guess I could call that "double backending" :)
> >
> > # ~~~ Requests validation using ACLs ~~~
> > # use a custom HTTP header to store the result of HAProxy's ACLs. The
> > # default value is set to `pass`, and modified by ACLs below
> > http-request set-header X-Haproxy-ACL pass
> >
> > # block content-length larger than 5kB
> > acl request-too-big hdr_val(content-length) gt 5000
> > http-request set-header X-Haproxy-ACL request-too-big if METH_POST request-too-big
> >
> > # if the previous ACL didn't pass, send to the logger backend
> > acl pass-acl-validation req.hdr(X-Haproxy-ACL) -m str pass
> > use_backend acl-logger if !pass-acl-validation
> >
> >
> > frontend acl-logger
> >     bind localhost:55555
> >
> >     capture request header X-Haproxy-ACL len 64
> >     capture request header X-Unique-ID len 64
> >     default_backend fxa-nodejs
> >
> > backend acl-logger
> >     server localhost localhost:55555
> >
> > Downside is, in the logs, I now have two log entries for each request that
> > doesn't pass the ACLs. I can use the Unique ID value to cross-reference
> > them. In the sample below, the first logged request indicates
> > "request-too-big" in the captured headers.
> >
> > Mar 12 21:32:35 localhost haproxy[23755]: [23755] [1394659955.945] 2/1/0/0/1/0/0 0/0/0/4/5 ---- 127.0.0.1:48120 127.0.0.1:55555 127.0.0.1:8000 acl-logger - - "GET /v1/somethingsomething HTTP/1.1" 404 fxa-nodejs:nodejs1 "-" "{request-too-big| 47B4176E:8E5E_0A977AE4:01BB_5320D273_03FF:5CCB}" "-" "" "826 bytes"
> >
> > Mar 12 21:32:35 localhost haproxy[23755]: [23755] [1394659955.850] 2/1/0/0/1/0/0 94/0/0/5/99 ---- 1.10.2.10:36446 10.151.122.228:443 127.0.0.1:55555 fxa-https~ ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 "GET /v1/somethingsomething HTTP/1.1" 404 acl-logger:localhost "-" "{||Mozilla/5.0 (X11; Linux x86_64; rv:30.0) Gecko/20100101 Firefox/}" "-" "" "802 bytes" 47B4176E:8E5E_0A977AE4:01BB_5320D273_03FF:5CCB
> >
> > - Julien
> >
> >
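The "double backending" trick above leaves two log entries per blocked request, which Julien proposes to cross-reference through the Unique ID. The following Python script is an added example, not code from the thread or from HAProxy: it parses the custom log format visible in Julien's two sample lines (the field positions after `----` and the shape of the unique ID are inferred from those lines and are an assumption), joins the outer-frontend entry and the `acl-logger` entry on the unique ID, and reports the ACL verdict next to the real client address and TLS details that only the outer entry carries. A third, constructed line for a request that passed every ACL (and so never touched `acl-logger`) is included to show that single-hop requests are reported as `pass`.

```python
"""Correlate the two HAProxy log entries that "double backending" emits per request.

Added example, not from the mailing-list thread. The custom log format and the
unique-ID shape are inferred from Julien's two sample lines (an assumption);
adjust FIELDS_RE and UID_RE if your log-format differs.
"""
import re
from collections import defaultdict

# Fields after the termination-state flags, as seen in the thread's lines:
# ---- <client> <frontend addr> <server addr> <frontend> <cipher> <tls> "<request>" <status> <backend:server>
FIELDS_RE = re.compile(
    r'\[(?P<ts>\d+\.\d+)\] .*?---- (?P<client>\S+) (?P<fe_addr>\S+) (?P<srv_addr>\S+) '
    r'(?P<frontend>\S+) (?P<cipher>\S+) (?P<tls>\S+) "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<backend>\S+)'
)
# Captured request headers are logged as "{h1|h2|...}" in capture order.
CAPTURE_RE = re.compile(r'"\{([^}]*)\}"')
# Shape of the unique ID in the thread: hex %ci:%cp_%fi:%fp_%Ts_%rt:%pid.
UID_RE = re.compile(
    r'\b[0-9A-F]{8}:[0-9A-F]{4}_[0-9A-F]{8}:[0-9A-F]{4}_[0-9A-F]{8}_[0-9A-F]{4}:[0-9A-F]{4}\b'
)
LOGGER_FRONTEND = "acl-logger"  # the internal frontend from Julien's config

# The two lines from the thread plus one constructed single-hop line (request that passed).
SAMPLE_LOG = """\
Mar 12 21:32:35 localhost haproxy[23755]: [23755] [1394659955.945] 2/1/0/0/1/0/0 0/0/0/4/5 ---- 127.0.0.1:48120 127.0.0.1:55555 127.0.0.1:8000 acl-logger - - "GET /v1/somethingsomething HTTP/1.1" 404 fxa-nodejs:nodejs1 "-" "{request-too-big| 47B4176E:8E5E_0A977AE4:01BB_5320D273_03FF:5CCB}" "-" "" "826 bytes"
Mar 12 21:32:35 localhost haproxy[23755]: [23755] [1394659955.850] 2/1/0/0/1/0/0 94/0/0/5/99 ---- 1.10.2.10:36446 10.151.122.228:443 127.0.0.1:55555 fxa-https~ ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 "GET /v1/somethingsomething HTTP/1.1" 404 acl-logger:localhost "-" "{||Mozilla/5.0 (X11; Linux x86_64; rv:30.0) Gecko/20100101 Firefox/}" "-" "" "802 bytes" 47B4176E:8E5E_0A977AE4:01BB_5320D273_03FF:5CCB
Mar 12 21:33:01 localhost haproxy[23755]: [23755] [1394659981.120] 2/1/0/0/1/0/0 10/0/0/3/13 ---- 1.10.2.10:36450 10.151.122.228:443 127.0.0.1:8000 fxa-https~ ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 "GET /v1/ok HTTP/1.1" 200 fxa-nodejs:nodejs1 "-" "{||curl/7.35.0}" "-" "" "310 bytes" 010A020A:8E62_0A977AE4:01BB_5320D299_0400:5CCB
"""


def parse_line(line):
    """Return the fields needed for correlation, or None for non-request lines."""
    m = FIELDS_RE.search(line)
    uid = UID_RE.search(line)
    if not m or not uid:
        return None
    entry = m.groupdict()
    entry["ts"] = float(entry["ts"])
    entry["status"] = int(entry["status"])
    entry["uid"] = uid.group(0)
    cap = CAPTURE_RE.search(line)
    entry["captures"] = [c.strip() for c in cap.group(1).split("|")] if cap else []
    return entry


def correlate(lines):
    """Join entries on the unique ID and build one record per client request."""
    by_uid = defaultdict(list)
    for line in lines:
        entry = parse_line(line)
        if entry:
            by_uid[entry["uid"]].append(entry)

    records = {}
    for uid, entries in by_uid.items():
        entries.sort(key=lambda e: e["ts"])  # the outer frontend accepts first
        outer = next((e for e in entries if e["frontend"] != LOGGER_FRONTEND), entries[0])
        logger = next((e for e in entries if e["frontend"] == LOGGER_FRONTEND), None)
        records[uid] = {
            "client": outer["client"],
            "tls": outer["tls"],
            "request": outer["request"],
            "status": outer["status"],
            # Outer frontend captures the User-Agent as its third header (from the sample).
            "user_agent": outer["captures"][2] if len(outer["captures"]) > 2 else "",
            # acl-logger captures X-Haproxy-ACL first; a request that never
            # reached it passed every ACL.
            "verdict": logger["captures"][0] if logger and logger["captures"] else "pass",
            "hops": [e["frontend"] for e in entries],
        }
    return records


if __name__ == "__main__":
    for uid, r in correlate(SAMPLE_LOG.splitlines()).items():
        print(f'{uid} {r["client"]} {r["request"]!r} -> {r["status"]} '
              f'verdict={r["verdict"]} via {"/".join(r["hops"])}')
```

Run it as-is to see the two sample requests collapsed into one record each; feed it real lines on stdin or from a file by replacing `SAMPLE_LOG.splitlines()`. The join on the unique ID is what makes the second entry tolerable: the `acl-logger` line alone only shows `127.0.0.1` as the client, so the verdict has to be read together with the outer line to know who actually sent the request.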

