On Fri, 05-10-2018 at 11:38 +0200, Jerome Magnin wrote:
> Hello,
>
> On Fri, Oct 05, 2018 at 10:46:20AM +0200, Ricardo Fraile wrote:
> > Hello,
> >
> >
> > I have tested that some types of acls can't be combined, as an example:
> >
> > Server 192.138.1.1, acl with combined rules:
> >
> > acl rule1 hdr_dom(host) -i test.com
> > acl rule1 src 192.168.1.2/24
> > redirect prefix https://yes.com code 301 if rule1
> > redirect prefix https://no.com
> >
> > Request from 192.168.1.2:
> >
> > $ curl -I -H "host: test.com" 192.138.1.1
> > HTTP/1.1 301 Moved Permanently
> > Content-length: 0
> > Location: https://yes.com/
> >
> > Request from 192.168.1.3:
> >
> > $ curl -I -H "host: test.com" 192.138.1.1
> > HTTP/1.1 301 Moved Permanently
> > Content-length: 0
> > Location: https://yes.com/
> >
> >
> >
> > Server 192.138.1.1, acl with two rules:
> >
> > acl rule1 hdr_dom(host) -i test.com
> > acl rule2 src 192.168.1.2/24
> > redirect prefix https://yes.com code 301 if rule1 rule2
> > redirect prefix https://no.com
> >
> > Request from 192.168.1.2:
> >
> > $ curl -I -H "host: test.com" 192.138.1.1
> > HTTP/1.1 301 Moved Permanently
> > Content-length: 0
> > Location: https://yes.com/
> >
> > Request from 192.168.1.3:
> >
> > $ curl -I -H "host: test.com" 192.138.1.1
> > HTTP/1.1 301 Moved Permanently
> > Content-length: 0
> > Location: https://no.com/
> >
> > I look for this behaviour in the documentation but I don't find any
> > reference to it. Please, does someone know where it is documented?
> >
> >
>
> This is expected behavior.
>
> when you declare acls with the same name such as:
>
> acl foo src 1.2.3.4
> acl foo hdr(host) foo.bar
>
>
> and use foo as a condition for anything, foo is equivalent to:
>
> { src 1.2.3.4 } || { hdr(host) foo.bar }
>
> There is at least an example of this behavior in the documentation:
> https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#7.2
>
> your splitting of the acl in two acls leads to implying an && between the two
> acls, and the behavior is different.
>
> regards,
> Jérôme

It is definitely clever, indeed. If it is possible, as a suggestion, I think that it needs to be clearer in the documentation.

Thanks,
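
The behaviour discussed in this thread (two `acl` lines sharing a name are ORed, so a source-address condition meant to narrow a host match widens it instead) can be checked for mechanically. The Python sketch below is an added example, not part of the original messages or of HAProxy; `find_mixed_acls` and the sample configuration are constructed for illustration, and it assumes one directive per line with section keywords starting at column 0.

```python
import re
from collections import defaultdict

# Constructed sample: the "combined rules" configuration from the thread,
# plus a same-fetch ACL ("static") where the implicit OR is clearly intended.
SAMPLE_CFG = """\
frontend fe_test
    acl rule1 hdr_dom(host) -i test.com
    acl rule1 src 192.168.1.2/24
    acl static path_end .css
    acl static path_end .js
    redirect prefix https://yes.com code 301 if rule1
    redirect prefix https://no.com
"""

SECTION_RE = re.compile(r"^(global|defaults|frontend|backend|listen)\b\s*(\S*)")
ACL_RE = re.compile(r"^\s*acl\s+(\S+)\s+(\S+)")

def find_mixed_acls(cfg_text):
    """Return [(section, acl_name, [(lineno, fetch), ...])] for every ACL name
    declared more than once in a section using different sample fetches.
    Heuristic: same-name ACLs are ORed, so mixing e.g. hdr_dom and src under
    one name usually means an AND was intended."""
    decls = defaultdict(list)
    section = "(none)"
    for lineno, line in enumerate(cfg_text.splitlines(), 1):
        line = line.split("#", 1)[0]  # naive comment strip (ignores quoting)
        m = SECTION_RE.match(line)
        if m:
            section = (m.group(1) + " " + m.group(2)).strip()
            continue
        m = ACL_RE.match(line)
        if m:
            name, criterion = m.groups()
            # Drop arguments and converters: "hdr_dom(host)" -> "hdr_dom"
            fetch = re.split(r"[(,]", criterion)[0]
            decls[(section, name)].append((lineno, fetch))
    return [(sec, name, entries) for (sec, name), entries in decls.items()
            if len({fetch for _, fetch in entries}) > 1]

if __name__ == "__main__":
    for sec, name, entries in find_mixed_acls(SAMPLE_CFG):
        where = ", ".join(f"line {n} ({f})" for n, f in entries)
        print(f"{sec}: acl '{name}' mixes fetches and is ORed: {where}")
```

A finding is a prompt for review, not proof of a mistake: the fix used in the thread is to give each criterion its own ACL name and list both names in the condition, which HAProxy ANDs.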

