Re: Using the socket interface to access ACLs
On Thu, Jul 3, 2014 at 5:59 AM, Baptiste bed...@gmail.com wrote:

On Thu, Jul 3, 2014 at 2:24 PM, Thierry FOURNIER tfourn...@haproxy.com wrote:

On Tue, 1 Jul 2014 23:00:13 +0200 Baptiste bed...@gmail.com wrote:

On Tue, Jul 1, 2014 at 10:54 PM, William Jimenez william.jime...@itsoninc.com wrote:

Hello

I am trying to modify ACLs via the socket interface. When I try to do something like 'get acl', I get an error:

    Missing ACL identifier and/or key.

How do I find the ACL identifier or key for a specific ACL? I see the list of ACLs when I do a 'show acl', but unsure which of these values is the file or key:

    # id (file) description
    0 () acl 'always_true' file '/etc/haproxy/haproxy.cfg' line 19
    1 () acl 'src' file '/etc/haproxy/haproxy.cfg' line 20
    2 () acl 'src' file '/etc/haproxy/haproxy.cfg' line 21
    3 () acl 'src' file '/etc/haproxy/haproxy.cfg' line 22

Thanks

Hi William,

In order to be able to update ACL content, they must load their content from a file. The file name will be considered as a 'reference' you can point to when updating content. Don't forget to update simultaneously the content from an ACL and from the flat file to make HAProxy reload reliable :)

Baptiste

Hi

You can modify ACL without file. The identifier is the number prefixed by the char '#', like this:

    add acl #1 127.0.0.1

get acl is used to debug acl.

Thierry

Yes, but acl number is not reliable, since it can change in time. Furthermore, it's easier to update content of a flat file than updating ACL values in HAProxy's configuration.

Baptiste

Here is my config for reference:

    global
        daemon
        maxconn 4096
        chroot /var/lib/haproxy
        pidfile /var/run/haproxy.pid
        uid 99
        gid 99
        stats socket /var/lib/haproxy/stats level admin

    defaults
        mode http
        timeout connect 5000ms
        timeout client 5ms
        timeout server 5ms

    frontend 01-fend-in
        bind localhost:80
        default_backend 01_bend
        acl myacl hdr(Host) -f /root/myacl
        #acl redir_true always_false
        redirect code 307 location http://example.com if redir_true

    backend ffd_bend
        option httpchk GET /
        option http-server-close
        server bend013 localhost:8180 check
        server bend012 localhost:8180 check

Thanks
Re: Using the socket interface to access ACLs
Hi Baptiste et al.,

Did you see my last comments? Sorry if this is an issue already addressed, but I wasn't able to find anything on usage specifics in the documentation.

Thanks,
William

On Tue, Jul 1, 2014 at 2:49 PM, William Jimenez william.jime...@itsoninc.com wrote:

Hi Baptiste

I tried:

    # haproxyctl del acl myacl
    This command expects two parameters: ACL identifier and key.

Then I tried this:

    # haproxyctl del acl myacl 0
    Unknown map identifier. Please use #id or file.

as well as the inverse ('0 myacl').

I do see the acl listed though:

    # haproxyctl show acl
    # id (file) description
    0 (/root/myacl) pattern loaded from file '/root/myacl' used by acl at file '/etc/haproxy/haproxy.cfg' line 19
    1 () acl 'hdr' file '/etc/haproxy/haproxy.cfg' line 19
    2 () acl 'src' file '/etc/haproxy/haproxy.cfg' line 21

Also a redirect stmt that uses the aforementioned threw an error when I defined it like you suggested:

    [ALERT] 180/204636 (5765) : parsing [/etc/haproxy/haproxy.cfg:31] : error detected in frontend 'x' while parsing redirect rule : error in condition: no such ACL : 'redir_true'.

-William

On Tue, Jul 1, 2014 at 2:42 PM, Baptiste bed...@gmail.com wrote:

On Tue, Jul 1, 2014 at 11:16 PM, William Jimenez william.jime...@itsoninc.com wrote:

Hi Baptiste, thank you for the response. I'm afraid I still don't follow. Say I have an ACL that I want to toggle from its current state (as defined in the flat file) to 'always_false'. I can see it exists from the output of the 'show acl' command:

    # id (file) description
    0 () acl 'always_true' file '/etc/haproxy/haproxy.cfg' line 19

So to modify it I assume I would run something using 'add acl'. I thought you mentioned it needs to be defined in a file so I tried:

    # haproxyctl add acl myacl
    'add acl' expects two parameters: ACL identifier and pattern.

where 'myacl' is a file containing:

    acl redir_true always_true

Hope that helps clarify the situation. What am I doing wrong?

Thanks in advance,
William

On Tue, Jul 1, 2014 at 2:00 PM, Baptiste bed...@gmail.com wrote:

On Tue, Jul 1, 2014 at 10:54 PM, William Jimenez william.jime...@itsoninc.com wrote:

Hello

I am trying to modify ACLs via the socket interface. When I try to do something like 'get acl', I get an error:

    Missing ACL identifier and/or key.

How do I find the ACL identifier or key for a specific ACL? I see the list of ACLs when I do a 'show acl', but unsure which of these values is the file or key:

    # id (file) description
    0 () acl 'always_true' file '/etc/haproxy/haproxy.cfg' line 19
    1 () acl 'src' file '/etc/haproxy/haproxy.cfg' line 20
    2 () acl 'src' file '/etc/haproxy/haproxy.cfg' line 21
    3 () acl 'src' file '/etc/haproxy/haproxy.cfg' line 22

Thanks

Hi William,

In order to be able to update ACL content, they must load their content from a file. The file name will be considered as a 'reference' you can point to when updating content. Don't forget to update simultaneously the content from an ACL and from the flat file to make HAProxy reload reliable :)

Baptiste

--
William Jimenez
Systems Engineer, Operations
ItsOn, Inc.
650-241-8470 {us/pacific}

Hi William,

In your configuration, you should load your acl like this:

    acl myacl hdr(Host) -f /path/to/myhosthdr.acl

then your file acl reference will be myhosthdr.acl.

Baptiste

--
William Jimenez
Systems Engineer, Operations
ItsOn, Inc.
650-241-8470 {us/pacific}

--
William Jimenez
Systems Engineer, Operations
ItsOn, Inc.
650-241-8470 {us/pacific}
Using the socket interface to access ACLs
Hello

I am trying to modify ACLs via the socket interface. When I try to do something like 'get acl', I get an error:

    Missing ACL identifier and/or key.

How do I find the ACL identifier or key for a specific ACL? I see the list of ACLs when I do a 'show acl', but unsure which of these values is the file or key:

    # id (file) description
    0 () acl 'always_true' file '/etc/haproxy/haproxy.cfg' line 19
    1 () acl 'src' file '/etc/haproxy/haproxy.cfg' line 20
    2 () acl 'src' file '/etc/haproxy/haproxy.cfg' line 21
    3 () acl 'src' file '/etc/haproxy/haproxy.cfg' line 22

Thanks
Re: Using the socket interface to access ACLs
Hi Baptiste, thank you for the response. I'm afraid I still don't follow. Say I have an ACL that I want to toggle from its current state (as defined in the flat file) to 'always_false'. I can see it exists from the output of the 'show acl' command:

    # id (file) description
    0 () acl 'always_true' file '/etc/haproxy/haproxy.cfg' line 19

So to modify it I assume I would run something using 'add acl'. I thought you mentioned it needs to be defined in a file so I tried:

    # haproxyctl add acl myacl
    'add acl' expects two parameters: ACL identifier and pattern.

where 'myacl' is a file containing:

    acl redir_true always_true

Hope that helps clarify the situation. What am I doing wrong?

Thanks in advance,
William

On Tue, Jul 1, 2014 at 2:00 PM, Baptiste bed...@gmail.com wrote:

On Tue, Jul 1, 2014 at 10:54 PM, William Jimenez william.jime...@itsoninc.com wrote:

Hello

I am trying to modify ACLs via the socket interface. When I try to do something like 'get acl', I get an error:

    Missing ACL identifier and/or key.

How do I find the ACL identifier or key for a specific ACL? I see the list of ACLs when I do a 'show acl', but unsure which of these values is the file or key:

    # id (file) description
    0 () acl 'always_true' file '/etc/haproxy/haproxy.cfg' line 19
    1 () acl 'src' file '/etc/haproxy/haproxy.cfg' line 20
    2 () acl 'src' file '/etc/haproxy/haproxy.cfg' line 21
    3 () acl 'src' file '/etc/haproxy/haproxy.cfg' line 22

Thanks

Hi William,

In order to be able to update ACL content, they must load their content from a file. The file name will be considered as a 'reference' you can point to when updating content. Don't forget to update simultaneously the content from an ACL and from the flat file to make HAProxy reload reliable :)

Baptiste

--
William Jimenez
Systems Engineer, Operations
ItsOn, Inc.
650-241-8470 {us/pacific}
Re: Using the socket interface to access ACLs
Hi Baptiste

I tried:

    # haproxyctl del acl myacl
    This command expects two parameters: ACL identifier and key.

Then I tried this:

    # haproxyctl del acl myacl 0
    Unknown map identifier. Please use #id or file.

as well as the inverse ('0 myacl').

I do see the acl listed though:

    # haproxyctl show acl
    # id (file) description
    0 (/root/myacl) pattern loaded from file '/root/myacl' used by acl at file '/etc/haproxy/haproxy.cfg' line 19
    1 () acl 'hdr' file '/etc/haproxy/haproxy.cfg' line 19
    2 () acl 'src' file '/etc/haproxy/haproxy.cfg' line 21

Also a redirect stmt that uses the aforementioned threw an error when I defined it like you suggested:

    [ALERT] 180/204636 (5765) : parsing [/etc/haproxy/haproxy.cfg:31] : error detected in frontend 'x' while parsing redirect rule : error in condition: no such ACL : 'redir_true'.

-William

On Tue, Jul 1, 2014 at 2:42 PM, Baptiste bed...@gmail.com wrote:

On Tue, Jul 1, 2014 at 11:16 PM, William Jimenez william.jime...@itsoninc.com wrote:

Hi Baptiste, thank you for the response. I'm afraid I still don't follow. Say I have an ACL that I want to toggle from its current state (as defined in the flat file) to 'always_false'. I can see it exists from the output of the 'show acl' command:

    # id (file) description
    0 () acl 'always_true' file '/etc/haproxy/haproxy.cfg' line 19

So to modify it I assume I would run something using 'add acl'. I thought you mentioned it needs to be defined in a file so I tried:

    # haproxyctl add acl myacl
    'add acl' expects two parameters: ACL identifier and pattern.

where 'myacl' is a file containing:

    acl redir_true always_true

Hope that helps clarify the situation. What am I doing wrong?

Thanks in advance,
William

On Tue, Jul 1, 2014 at 2:00 PM, Baptiste bed...@gmail.com wrote:

On Tue, Jul 1, 2014 at 10:54 PM, William Jimenez william.jime...@itsoninc.com wrote:

Hello

I am trying to modify ACLs via the socket interface. When I try to do something like 'get acl', I get an error:

    Missing ACL identifier and/or key.

How do I find the ACL identifier or key for a specific ACL? I see the list of ACLs when I do a 'show acl', but unsure which of these values is the file or key:

    # id (file) description
    0 () acl 'always_true' file '/etc/haproxy/haproxy.cfg' line 19
    1 () acl 'src' file '/etc/haproxy/haproxy.cfg' line 20
    2 () acl 'src' file '/etc/haproxy/haproxy.cfg' line 21
    3 () acl 'src' file '/etc/haproxy/haproxy.cfg' line 22

Thanks

Hi William,

In order to be able to update ACL content, they must load their content from a file. The file name will be considered as a 'reference' you can point to when updating content. Don't forget to update simultaneously the content from an ACL and from the flat file to make HAProxy reload reliable :)

Baptiste

--
William Jimenez
Systems Engineer, Operations
ItsOn, Inc.
650-241-8470 {us/pacific}

Hi William,

In your configuration, you should load your acl like this:

    acl myacl hdr(Host) -f /path/to/myhosthdr.acl

then your file acl reference will be myhosthdr.acl.

Baptiste

--
William Jimenez
Systems Engineer, Operations
ItsOn, Inc.
650-241-8470 {us/pacific}
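
As an added example (not part of the original thread and not HAProxy's own code): the 'show acl' listing quoted above gives every ACL an id and, when it was loaded with -f, a file. The sketch below parses that listing and builds 'add acl' / 'del acl' commands that use the file path when there is one and '#id' otherwise. The sample listing is constructed from the output in the thread; the function names and the rejection of whitespace and ';' in patterns are assumptions of this example.

```python
import re
import socket

# Constructed sample: 'show acl' output in the format quoted in this thread.
SAMPLE_SHOW_ACL = """\
# id (file) description
0 (/root/myacl) pattern loaded from file '/root/myacl' used by acl at file '/etc/haproxy/haproxy.cfg' line 19
1 () acl 'hdr' file '/etc/haproxy/haproxy.cfg' line 19
2 () acl 'src' file '/etc/haproxy/haproxy.cfg' line 21
"""

ROW = re.compile(r"^(\d+) \(([^)]*)\) (.*)$")

def parse_show_acl(text):
    """Return a list of (id, file, description); file is '' for inline ACLs."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:  # the '# id (file) description' header does not match
            rows.append((int(m.group(1)), m.group(2), m.group(3)))
    return rows

def acl_reference(rows, acl_id):
    """Prefer the file path (ids can change over time); else use '#<id>'."""
    for rid, path, _ in rows:
        if rid == acl_id:
            return path if path else "#%d" % rid
    raise KeyError("no ACL with id %d" % acl_id)

def acl_command(verb, rows, acl_id, pattern):
    """Build 'add acl' / 'del acl' with the two parameters the socket expects."""
    if verb not in ("add", "del"):
        raise ValueError("verb must be 'add' or 'del'")
    # Assumption of this example: one token only, so a pattern can never
    # smuggle a second command (';' and newline separate CLI commands).
    if not pattern or re.search(r"[\s;]", pattern):
        raise ValueError("pattern must be one token without whitespace or ';'")
    return "%s acl %s %s" % (verb, acl_reference(rows, acl_id), pattern)

def send(sock_path, command):
    """Send one command to the stats socket and return the reply text."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(command.encode() + b"\n")
        return b"".join(iter(lambda: s.recv(4096), b"")).decode()
```

Changes made this way live only in the running process, so the flat file still has to be updated alongside them, as Baptiste's reply points out.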