On Wed, Dec 18, 2019 at 6:47 PM Илья Шипицин <chipits...@gmail.com> wrote:
> you are talking about testing ACL. can you provide some example ?
So let's assume I have a given HAProxy configuration, full of ACLs
and rules, that apply certain "firewalling", authentication /
authorization, "mangling" operations to the HTTP request (e.g. drop
"bad-bots", update headers, redirects, routing to various backends,
etc.).

Now how can I test that the HAProxy configuration actually
"implements" what it proposes to?  I.e. how can I be sure that the
rules are in the proper order, that no ACLs are missing, etc.

My answer would be:  fire an HTTP request and see if it "does" what it
should.  (Perhaps expose as HTTP headers some "state" values to help
in checking things.)

My concrete example would be this:  I find HAProxy wonderful for any
non-trivial HTTP deployment (and in fact anything "touched" by the
Internet);  unfortunately the configuration language (with its flat
ACLs and request / response rules) is like "assembler" (as opposed to
say Python).  Therefore I've written myself an HAProxy "configurator"
in Python that, based on simple Python code, generates the full HAProxy
configuration.

For example:

  https://github.com/cipriancraciun/haproxy-configurator/blob/master/examples/example-01.py
  https://github.com/cipriancraciun/haproxy-configurator/blob/master/examples/_configs/example-01.cfg

The Python script is (hopefully) readable and clearly shows the
intent of the resulting configuration:
* redirect everything via HTTPS;
* redirect `example.com` to `www.example.com`;
* redirect `/admin/*` to `admin.example.com/admin/*`, same for `/blog/*`;
* apply authentication for `admin`;
* force some caching headers for `web`, `static` and `media`;
* apply some "sanity" checks to requests / responses (i.e. except
admin, the rest should only serve `GET` requests);
* deny any request that doesn't match a set of domains.

The resulting file is around 639 lines, and (given how I've chosen to
identify ACLs) is quite hard to "follow by hand".

So my question now is how do I test it...  Fire HTTP requests at it!  :)


I hope this gives everyone a glimpse into my use-case,
Ciprian.
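As an added example (not part of the message above, nor of the haproxy-configurator project), here is one way to "fire HTTP requests at it": a small Python model of the rules listed in the message acts as the test oracle, and each case is sent to a local HAProxy (assumed at 127.0.0.1:8080, with the original scheme conveyed via `X-Forwarded-Proto`; both are assumptions, as are the host names) and compared against the model.

```python
"""Behavioural test suite for an HAProxy ACL configuration.

Each case sends one request (redirects are NOT followed) and compares the
observed status / Location with what the intended rules say.  `expected`
is a Python model of the rules from the email; hosts are constructed.
"""
import http.client

KNOWN_HOSTS = {"example.com", "www.example.com", "admin.example.com"}

def expected(method, scheme, host, path):
    """Model of the intended rules; returns (status, location_or_None)."""
    if host not in KNOWN_HOSTS:
        return 403, None                        # deny unknown domains
    if scheme == "http":
        return 301, f"https://{host}{path}"     # everything via HTTPS
    if host == "example.com":                   # apex -> www
        return 301, f"https://www.example.com{path}"
    if host == "www.example.com" and path.startswith(("/admin/", "/blog/")):
        return 301, f"https://admin.example.com{path}"
    if host != "admin.example.com" and method != "GET":
        return 405, None                        # non-admin serves GET only
    return 200, None

def observe(method, scheme, host, path, proxy=("127.0.0.1", 8080)):
    """Send one request to HAProxy and return (status, Location)."""
    conn = http.client.HTTPConnection(*proxy, timeout=5)
    # Assumption: the config derives the scheme from X-Forwarded-Proto.
    headers = {"Host": host, "X-Forwarded-Proto": scheme}
    conn.request(method, path, headers=headers)
    resp = conn.getresponse()
    resp.read()
    conn.close()
    return resp.status, resp.getheader("Location")

def run_suite(cases, observe_fn=observe):
    """Return [(case, expected, observed)] for every case that disagrees."""
    return [(c, expected(*c), observe_fn(*c))
            for c in cases if observe_fn(*c) != expected(*c)]

CASES = [  # (method, scheme, host, path); constructed inputs
    ("GET", "http", "www.example.com", "/"),
    ("GET", "https", "example.com", "/x"),
    ("GET", "https", "www.example.com", "/admin/login"),
    ("POST", "https", "www.example.com", "/form"),
    ("POST", "https", "admin.example.com", "/admin/save"),
    ("GET", "https", "evil.example.net", "/"),
]

if __name__ == "__main__":
    for case, want, got in run_suite(CASES):
        print("FAIL", case, "expected", want, "got", got)
```

A case that passes the model but fails against the real proxy points straight at a missing or mis-ordered rule in the generated configuration.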
