Hi all, I'm having a weird behavior with one of my acl and an associated condition. I'm starting to thing one of my 'if' condition is never parsed.
Part of my haproxy.cfg config: 8------------------------------------------------8 frontend proxy-front bind *:80 mode http acl h_xff_exists req.hdr(X-Forwarded-For) -m found http-request add-header X-Forwarded-For %[src] unless h_xff_exists http-request replace-header X-Forwarded-For (.*) \1,\ %[src] if h_xff_exists 8------------------------------------------------8 Expected result: 1) X-Forwarded-For doesn't exist, it is created with value "%[src]". 2) X-Forwarded-For exists, ", %[src]" is added at the end of it. 3) Both 1) & 2) conditions work no matter in which order add-header or replace-header are set. Actual result captured with ngrep from HAProxy to its backend: A) X-Forwarded-For doesn't exist, it is created with value "%[src], %[src]". (KO) B) X-Forwarded-For exists, ", %[src]" is added at the end of it. (OK) C) If I switch places 'http-request add-header' and 'http-request replace-header', it works as expected. I believe, the problem is that 'if h_xff_exists' of 'http-request replace-header' is not respected at all. It works fine if I edit to the following: 1) 8------------------------------------------------8 frontend proxy-front bind *:80 mode http http-request replace-header X-Forwarded-For (.*) \1,\ %[src] acl h_xff_exists req.hdr(X-Forwarded-For) -m found http-request add-header X-Forwarded-For %[src] unless h_xff_exists 8------------------------------------------------8 Or even: 2) 8------------------------------------------------8 frontend proxy-front bind *:80 mode http acl h_xff_exists req.hdr(X-Forwarded-For) -m found http-request replace-header X-Forwarded-For (.*) \1,\ %[src] http-request add-header X-Forwarded-For %[src] unless h_xff_exists 8------------------------------------------------8 I must define the 'http-request replace-header' directive before the 'add-header' one if I want it to work as expected. I guess order shouldn't matter with conditions over h_xff_exists acl, but I might be wrong. Details: 8------------------------------------------------8 OS=Ubuntu 16.04 Server Package from=http://ppa.launchpad.net/vbernat/haproxy-1.7/ubuntu/ Version=`haproxy -vv` HA-Proxy version 1.7.9-1ppa1~xenial 2017/08/19 Copyright 2000-2017 Willy Tarreau <[email protected]> Build options : TARGET = linux2628 CPU = generic CC = gcc CFLAGS = -g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 OPTIONS = USE_GETADDRINFO=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_LUA=1 USE_PCRE=1 USE_NS=1 Default settings : maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200 Encrypted password support via crypt(3): yes Built with zlib version : 1.2.8 Running on zlib version : 1.2.8 Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip") Built with OpenSSL version : OpenSSL 1.0.2g 1 Mar 2016 Running on OpenSSL version : OpenSSL 1.0.2g 1 Mar 2016 OpenSSL library supports TLS extensions : yes OpenSSL library supports SNI : yes OpenSSL library supports prefer-server-ciphers : yes Built with PCRE version : 8.38 2015-11-23 Running on PCRE version : 8.38 2015-11-23 PCRE library supports JIT : no (USE_PCRE_JIT not set) Built with Lua version : Lua 5.3.1 Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND Built with network namespace support Available polling systems : epoll : pref=300, test result OK poll : pref=200, test result OK select : pref=150, test result OK Total: 3 (3 usable), will use epoll. Available filters : [COMP] compression [TRACE] trace [SPOE] spoe 8------------------------------------------------8 Please let me know if you need further informations. Thank you for your help, Vincent
