On Wed, Dec 18, 2019 at 6:47 PM Илья Шипицин <chipits...@gmail.com> wrote:
> you are talking about testing ACL. can you provide some example ?

So let's assume I have a given HAProxy configuration, full of ACLs and rules, that apply certain "firewalling", authentication / authorization, "mangling" operations to the HTTP request (e.g. drop "bad-bots", update headers, redirects, routing to various backends, etc.).

Now how can I test that the HAProxy configuration actually "implements" what it proposes to? I.e. how can I be sure that the rules are in the proper order, that no ACLs are missing, etc.

My answer would be: fire an HTTP request and see if it "does" what it should. (Perhaps expose as HTTP headers some "state" values to help in checking things.)

My concrete example would be this: I find HAProxy wonderful for any non-trivial HTTP deployment (and in fact anything "touched" by the Internet); unfortunately the configuration language (with its flat ACLs and request / response rules) is like "assembler" (as opposed to say Python). Therefore I've written myself a HAProxy "configurator" in Python that based on simple Python code generates the full HAProxy configuration.

For example:

https://github.com/cipriancraciun/haproxy-configurator/blob/master/examples/example-01.py
https://github.com/cipriancraciun/haproxy-configurator/blob/master/examples/_configs/example-01.cfg

The Python script is (hopefully) readable and clearly shows the intent of the resulting configuration:

* redirect everything via HTTPS;
* redirect `example.com` to `www.example.com`;
* redirect `/admin/*` to `admin.example.com/admin/*`, same for `/blog/*`;
* apply authentication for `admin`;
* force some caching headers for `web`, `static` and `media`;
* apply some "sanity" checks to requests / responses (i.e. except admin, the rest should only serve `GET` requests);
* deny any request that doesn't match a set of domains

The resulting file is around 639 lines, and (given how I've chosen to identify ACLs) is quite hard to "follow by hand".

So my question now is how do I test it... Fire HTTP requests at it! :)

I hope this gives everyone a glimpse into my use-case,
Ciprian.
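
The approach described in the message above (fire HTTP requests and compare each response with the intended rule), as an added example that is not part of the original message or of haproxy-configurator. The case table, the status codes and the `Stub` server standing in for HAProxy are constructed assumptions, and the stub behaves as if every request had already arrived over HTTPS; point `check()` at a real frontend's address and port to test an actual configuration.

```python
import http.client, threading
from http.server import BaseHTTPRequestHandler, HTTPServer
# Constructed cases (method, Host, path, status, Location); status codes are assumptions.
CASES = [
    ("GET",  "example.com",     "/",        301, "https://www.example.com/"),
    ("GET",  "www.example.com", "/admin/x", 301, "https://admin.example.com/admin/x"),
    ("POST", "www.example.com", "/",        405, None),
    ("GET",  "unknown.test",    "/",        403, None),
    ("GET",  "www.example.com", "/",        200, None),
]

def check(addr, port, cases):  # returns the mismatches; an empty list means all pass
    failures = []
    for method, host, path, status, location in cases:
        conn = http.client.HTTPConnection(addr, port, timeout=5)
        # An explicit Host header selects the virtual host without needing DNS.
        conn.request(method, path, headers={"Host": host})
        resp = conn.getresponse()
        got = (resp.status, resp.getheader("Location"))
        conn.close()
        if got != (status, location):
            failures.append((method, host, path, got))
    return failures

class Stub(BaseHTTPRequestHandler):  # constructed stand-in for the proxy; runs offline
    def route(self):
        host, path = self.headers.get("Host", ""), self.path
        if host == "example.com":
            return 301, "https://www.example.com" + path
        if host not in ("www.example.com", "admin.example.com"):
            return 403, None   # deny hosts outside the allowed set
        if host == "www.example.com" and path.startswith("/admin/"):
            return 301, "https://admin.example.com" + path
        if host != "admin.example.com" and self.command != "GET":
            return 405, None   # only admin may receive non-GET requests
        return 200, None
    def respond(self):
        status, location = self.route()
        self.send_response(status)
        if location:
            self.send_header("Location", location)
        self.end_headers()
    do_GET = do_POST = respond
    def log_message(self, *args): pass  # keep output quiet

def run_against_stub(cases=CASES):
    with HTTPServer(("127.0.0.1", 0), Stub) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        failures = check("127.0.0.1", server.server_port, cases)
        server.shutdown()
        return failures
```

Because the cases are ordered data rather than code, a rule that fires in the wrong order in the generated configuration shows up as a mismatch on the specific request it affects.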