Hi Guillaume,
On Fri, Mar 01, 2019 at 12:33:57PM +0100, [email protected] wrote:
> > On 9 Jan 2019, at 11:06, [email protected] wrote:
> >
> > Hello,
> >
> > I am trying to understand how to use the -M ACL flag.
> >
> > From the documentation:
> >
> > The "-M" flag allows an ACL to use a map file. If this flag is set, the
> > file is parsed as a two-column file. The first column contains the patterns
> > used by the ACL, and the second column contains the samples. The sample can
> > be used later by a map. This can be useful in some rare cases where an ACL
> > would just be used to check for the existence of a pattern in a map before
> > a mapping is applied.
> >
> > How can we use "samples" in a map?
I'm not sure I understand your question, it seems to relate to several
things. So I'll try to sum up here:
- maps contain a pattern (matched against the input sample) and an output
sample, which itself is passed to the next level of the expression.
What it does is "map(pattern)=sample".
- acls only contain patterns to match against a sample.
So if you have in a file:
www.haproxy.org 51.15.8.218
www.1wt.eu 62.212.114.60
www.example.org 93.184.216.34
Then this statement:
http-request set-header host-ip %[req.hdr(host),map(host-to-ip.map)]
will match the host header field against the first column (pattern),
will replace it with the right column (sample), which will be used
as the result of the expression.
> > What I'm looking for is a way to find all IPs allowed for a hostname and
> > then filter by these IPs from a map file, i.e. be able to do something like:
> > use_backend %[req.fhdr(host),lower,map(/etc/haproxy/domains.map,default_backend)] if { src -m ip %[req.fhdr(host),lower,map(/etc/haproxy/iprules.map)] }
> > with /etc/haproxy/iprules.map containing:
> > hostname1 ip1
> > hostname1 ip2
> > hostname2 ip1
> > hostname2 ip3
> > hostname2 ip4
> > ..
> >
> > Did I miss something obvious?
I don't see how you can do that because all you'll get will be a new
sample that you can't compare to another sample ("src"). One trick
which should work instead is to have an ACL whose pattern is the
concatenation of the host and the IP address, more or less something
like this:
http-request set-var(req.ip) src
http-request reject unless { req.hdr(host),lower,concat(@,req.ip) -f host-ip.acl -m found }
And then you'll have this "host-ip.acl" file made of lines containing
series of hostname@ip like this:
www.haproxy.org@51.15.8.218
www.1wt.eu@62.212.114.60
www.example.org@93.184.216.34
However if you have source networks, at the moment I'm not seeing an
easy way to allow/deny them with this method.
Hoping this helps,
Willy
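As an added illustration (not from Willy's mail or the HAProxy project), a small Python helper that turns the two-column "hostname ip" file from the question into the "hostname@ip" patterns the concat ACL trick needs, sets aside CIDR entries since an exact-string pattern cannot express a network, and mirrors the resulting allow check. The function names and the sample file contents are my own assumptions.

```python
import ipaddress

# Constructed sample in the "hostname ip" layout from the question;
# the last line is a network, which the concat trick cannot handle.
IPRULES_MAP = """\
www.haproxy.org 51.15.8.218
www.1wt.eu 62.212.114.60
www.example.org 93.184.216.34
www.example.org 10.0.0.0/8
"""


def map_to_acl(text):
    """Convert 'hostname ip' lines into 'hostname@ip' ACL patterns.

    Returns (patterns, networks): single addresses become exact
    patterns; CIDR entries are reported separately because an
    exact-match pattern file cannot express a source network.
    """
    patterns, networks = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments / blanks
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected 'hostname ip', got {raw!r}")
        host, addr = parts[0].lower(), parts[1]
        net = ipaddress.ip_network(addr, strict=False)
        if net.num_addresses > 1:
            networks.append((host, str(net)))
        else:
            # Canonical address text, matching how 'src' renders it.
            patterns.append(f"{host}@{net.network_address}")
    return patterns, networks


def is_allowed(host_header, src, patterns):
    """Mirror of the rule: lower(host), concat '@' and src, look it up in the file."""
    key = f"{host_header.lower()}@{ipaddress.ip_address(src)}"
    return key in set(patterns)
```

Any entry returned in `networks` needs a different mechanism (for example a separate src-based ACL per hostname), exactly the limitation the mail points out.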