Re: Using the socket interface to access ACLs

2014-07-07 Thread William Jimenez
On Thu, Jul 3, 2014 at 5:59 AM, Baptiste bed...@gmail.com wrote:

 On Thu, Jul 3, 2014 at 2:24 PM, Thierry FOURNIER tfourn...@haproxy.com
 wrote:
  On Tue, 1 Jul 2014 23:00:13 +0200
  Baptiste bed...@gmail.com wrote:
 
  On Tue, Jul 1, 2014 at 10:54 PM, William Jimenez
  william.jime...@itsoninc.com wrote:
   Hello
   I am trying to modify ACLs via the socket interface. When I try to do
   something like 'get acl', I get an error:
  
   Missing ACL identifier and/or key.
  
   How do I find the ACL identifier or key for a specific ACL? I see the list
   of ACLs when I do a 'show acl', but unsure which of these values is the file
   or key:
  
   # id (file) description
   0 () acl 'always_true' file '/etc/haproxy/haproxy.cfg' line 19
   1 () acl 'src' file '/etc/haproxy/haproxy.cfg' line 20
   2 () acl 'src' file '/etc/haproxy/haproxy.cfg' line 21
   3 () acl 'src' file '/etc/haproxy/haproxy.cfg' line 22
  
   Thanks
 
  Hi William,
 
  In order to be able to update ACL content, they must load their
  content from a file.
  The file name will be considered as a 'reference' you can point to
  when updating content.
  Don't forget to update simultaneously the content from an ACL and from
  the flat file to make HAProxy reload reliable :)
 
  Baptiste
 
 
  Hi
 
  You can modify ACL without file. The identifier is the number prefixed
  by the char '#', like this:
 
 add acl #1 127.0.0.1
 
  get acl is used to debug acl.
 
  Thierry
 
 

 Yes, but acl number is not reliable, since it can change in time.
 Furthermore, it's easier to update content of a flat file than
 updating ACL values in HAProxy's configuration.

 Baptiste


Here is my config for reference:

global
   daemon
   maxconn 4096
   chroot /var/lib/haproxy
   pidfile /var/run/haproxy.pid
   uid 99
   gid 99
   stats socket /var/lib/haproxy/stats level admin
 defaults
   mode http
   timeout connect 5000ms
   timeout client 5ms
   timeout server 5ms
 frontend 01-fend-in
   bind localhost:80
   default_backend 01_bend
   acl myacl hdr(Host) -f /root/myacl
   #acl redir_true always_false
   redirect code 307 location http://example.com if redir_true
 backend ffd_bend
   option httpchk GET /
   option http-server-close
   server bend013 localhost:8180 check
   server bend012 localhost:8180 check


Thanks


Re: Using the socket interface to access ACLs

2014-07-02 Thread William Jimenez
Hi Baptiste et al.,
Did you see my last comments? Sorry if this is an issue already addressed,
but I wasn't able to find anything on usage specifics in the documentation.

Thanks,
William


On Tue, Jul 1, 2014 at 2:49 PM, William Jimenez 
william.jime...@itsoninc.com wrote:

 Hi Baptiste
 I tried:


 # haproxyctl del acl myacl
 This command expects two parameters: ACL identifier and key.


 then I tried this

 # haproxyctl del acl myacl 0
 Unknown map identifier. Please use #id or file.


 as well as the inverse ('0 myacl')

 I do see the acl listed though:

 # haproxyctl show acl
 # id (file) description
 0 (/root/myacl) pattern loaded from file '/root/myacl' used by acl at
 file '/etc/haproxy/haproxy.cfg' line 19
 1 () acl 'hdr' file '/etc/haproxy/haproxy.cfg' line 19

 2 () acl 'src' file '/etc/haproxy/haproxy.cfg' line 21


 Also a redirect stmt that uses the aforementioned threw an error when I
 defined it like you suggested:

 [ALERT] 180/204636 (5765) : parsing [/etc/haproxy/haproxy.cfg:31] : error
 detected in frontend 'x' while parsing redirect rule : error in condition:
 no such ACL : 'redir_true'.


 -William


 On Tue, Jul 1, 2014 at 2:42 PM, Baptiste bed...@gmail.com wrote:

 On Tue, Jul 1, 2014 at 11:16 PM, William Jimenez
 william.jime...@itsoninc.com wrote:
  Hi Baptiste, thank you for the response. I'm afraid I still don't follow.
  Say I have an ACL that I want to toggle from its current state (as
  defined in the flat file) to 'always_false'. I can see it exists from the
  output of the 'show acl' command:
 
  # id (file) description
  0 () acl 'always_true' file '/etc/haproxy/haproxy.cfg' line 19
 
  So to modify it I assume I would run something using 'add acl'. I thought
  you mentioned it needs to be defined in a file so I tried:
 
  # haproxyctl add acl myacl
  'add acl' expects two parameters: ACL identifier and pattern.
 
 
  where 'myacl' is a file containing:
 
  acl redir_true always_true
 
 
  Hope that helps clarify the situation. What am I doing wrong?
 
  Thanks in advance,
  William
 
 
  On Tue, Jul 1, 2014 at 2:00 PM, Baptiste bed...@gmail.com wrote:
 
  On Tue, Jul 1, 2014 at 10:54 PM, William Jimenez
  william.jime...@itsoninc.com wrote:
   Hello
   I am trying to modify ACLs via the socket interface. When I try to do
   something like 'get acl', I get an error:
  
   Missing ACL identifier and/or key.
  
   How do I find the ACL identifier or key for a specific ACL? I see the list
   of ACLs when I do a 'show acl', but unsure which of these values is the file
   or key:
  
   # id (file) description
   0 () acl 'always_true' file '/etc/haproxy/haproxy.cfg' line 19
   1 () acl 'src' file '/etc/haproxy/haproxy.cfg' line 20
   2 () acl 'src' file '/etc/haproxy/haproxy.cfg' line 21
   3 () acl 'src' file '/etc/haproxy/haproxy.cfg' line 22
  
   Thanks
 
  Hi William,
 
  In order to be able to update ACL content, they must load their
  content from a file.
  The file name will be considered as a 'reference' you can point to
  when updating content.
  Don't forget to update simultaneously the content from an ACL and from
  the flat file to make HAProxy reload reliable :)
 
  Baptiste
 
 
 
 
  --
  William Jimenez
  Systems Engineer, Operations
  ItsOn, Inc.
  650-241-8470 {us/pacific}


 Hi William,

 In your configuration, you should load your acl like this:
 acl myacl hdr(Host) -f /path/to/myhosthdr.acl

 then your file acl reference will be myhosthdr.acl.

 Baptiste




 --
 William Jimenez
 Systems Engineer, Operations
 ItsOn, Inc.
 650-241-8470 {us/pacific}




-- 
William Jimenez
Systems Engineer, Operations
ItsOn, Inc.
650-241-8470 {us/pacific}


Using the socket interface to access ACLs

2014-07-01 Thread William Jimenez
Hello
I am trying to modify ACLs via the socket interface. When I try to do
something like 'get acl', I get an error:

Missing ACL identifier and/or key.

How do I find the ACL identifier or key for a specific ACL? I see the list
of ACLs when I do a 'show acl', but unsure which of these values is the
file or key:

# id (file) description
0 () acl 'always_true' file '/etc/haproxy/haproxy.cfg' line 19
1 () acl 'src' file '/etc/haproxy/haproxy.cfg' line 20
2 () acl 'src' file '/etc/haproxy/haproxy.cfg' line 21
3 () acl 'src' file '/etc/haproxy/haproxy.cfg' line 22

Thanks


Re: Using the socket interface to access ACLs

2014-07-01 Thread William Jimenez
Hi Baptiste, thank you for the response. I'm afraid I still don't follow.
Say I have an ACL that I want to toggle from its current state (as
defined in the flat file) to 'always_false'. I can see it exists from the
output of the 'show acl' command:

 # id (file) description
 0 () acl 'always_true' file '/etc/haproxy/haproxy.cfg' line 19

So to modify it I assume I would run something using 'add acl'. I thought
you mentioned it needs to be defined in a file so I tried:

 # haproxyctl add acl myacl
 'add acl' expects two parameters: ACL identifier and pattern.


where 'myacl' is a file containing:

acl redir_true always_true


Hope that helps clarify the situation. What am I doing wrong?

Thanks in advance,
William


On Tue, Jul 1, 2014 at 2:00 PM, Baptiste bed...@gmail.com wrote:

 On Tue, Jul 1, 2014 at 10:54 PM, William Jimenez
 william.jime...@itsoninc.com wrote:
  Hello
  I am trying to modify ACLs via the socket interface. When I try to do
  something like 'get acl', I get an error:
 
  Missing ACL identifier and/or key.
 
  How do I find the ACL identifier or key for a specific ACL? I see the list
  of ACLs when I do a 'show acl', but unsure which of these values is the file
  or key:
 
  # id (file) description
  0 () acl 'always_true' file '/etc/haproxy/haproxy.cfg' line 19
  1 () acl 'src' file '/etc/haproxy/haproxy.cfg' line 20
  2 () acl 'src' file '/etc/haproxy/haproxy.cfg' line 21
  3 () acl 'src' file '/etc/haproxy/haproxy.cfg' line 22
 
  Thanks

 Hi William,

 In order to be able to update ACL content, they must load their
 content from a file.
 The file name will be considered as a 'reference' you can point to
 when updating content.
 Don't forget to update simultaneously the content from an ACL and from
 the flat file to make HAProxy reload reliable :)

 Baptiste




-- 
William Jimenez
Systems Engineer, Operations
ItsOn, Inc.
650-241-8470 {us/pacific}


Re: Using the socket interface to access ACLs

2014-07-01 Thread William Jimenez
Hi Baptiste
I tried:


 # haproxyctl del acl myacl
 This command expects two parameters: ACL identifier and key.


then I tried this

# haproxyctl del acl myacl 0
 Unknown map identifier. Please use #id or file.


as well as the inverse ('0 myacl')

I do see the acl listed though:

# haproxyctl show acl
 # id (file) description
 0 (/root/myacl) pattern loaded from file '/root/myacl' used by acl at file
 '/etc/haproxy/haproxy.cfg' line 19
 1 () acl 'hdr' file '/etc/haproxy/haproxy.cfg' line 19
 2 () acl 'src' file '/etc/haproxy/haproxy.cfg' line 21


Also a redirect stmt that uses the aforementioned threw an error when I
defined it like you suggested:

[ALERT] 180/204636 (5765) : parsing [/etc/haproxy/haproxy.cfg:31] : error
 detected in frontend 'x' while parsing redirect rule : error in condition:
 no such ACL : 'redir_true'.


-William


On Tue, Jul 1, 2014 at 2:42 PM, Baptiste bed...@gmail.com wrote:

 On Tue, Jul 1, 2014 at 11:16 PM, William Jimenez
 william.jime...@itsoninc.com wrote:
  Hi Baptiste, thank you for the response. I'm afraid I still don't follow.
  Say I have an ACL that I want to toggle from its current state (as
  defined in the flat file) to 'always_false'. I can see it exists from the
  output of the 'show acl' command:
 
  # id (file) description
  0 () acl 'always_true' file '/etc/haproxy/haproxy.cfg' line 19
 
  So to modify it I assume I would run something using 'add acl'. I thought
  you mentioned it needs to be defined in a file so I tried:
 
  # haproxyctl add acl myacl
  'add acl' expects two parameters: ACL identifier and pattern.
 
 
  where 'myacl' is a file containing:
 
  acl redir_true always_true
 
 
  Hope that helps clarify the situation. What am I doing wrong?
 
  Thanks in advance,
  William
 
 
  On Tue, Jul 1, 2014 at 2:00 PM, Baptiste bed...@gmail.com wrote:
 
  On Tue, Jul 1, 2014 at 10:54 PM, William Jimenez
  william.jime...@itsoninc.com wrote:
   Hello
   I am trying to modify ACLs via the socket interface. When I try to do
   something like 'get acl', I get an error:
  
   Missing ACL identifier and/or key.
  
   How do I find the ACL identifier or key for a specific ACL? I see the list
   of ACLs when I do a 'show acl', but unsure which of these values is the file
   or key:
  
   # id (file) description
   0 () acl 'always_true' file '/etc/haproxy/haproxy.cfg' line 19
   1 () acl 'src' file '/etc/haproxy/haproxy.cfg' line 20
   2 () acl 'src' file '/etc/haproxy/haproxy.cfg' line 21
   3 () acl 'src' file '/etc/haproxy/haproxy.cfg' line 22
  
   Thanks
 
  Hi William,
 
  In order to be able to update ACL content, they must load their
  content from a file.
  The file name will be considered as a 'reference' you can point to
  when updating content.
  Don't forget to update simultaneously the content from an ACL and from
  the flat file to make HAProxy reload reliable :)
 
  Baptiste
 
 
 
 
  --
  William Jimenez
  Systems Engineer, Operations
  ItsOn, Inc.
  650-241-8470 {us/pacific}


 Hi William,

 In your configuration, you should load your acl like this:
 acl myacl hdr(Host) -f /path/to/myhosthdr.acl

 then your file acl reference will be myhosthdr.acl.

 Baptiste




-- 
William Jimenez
Systems Engineer, Operations
ItsOn, Inc.
650-241-8470 {us/pacific}
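
Added example, not part of any message in this thread: the 'show acl' listing quoted above gives each ACL a numeric id and, when the patterns were loaded with -f, a file reference, and the socket commands accept either `#<id>` or that file. The sketch below parses a constructed sample in that format, prefers the file reference (the numeric id can change, as noted in the thread), and builds a single add/del/get command; all function names are hypothetical and the whitespace and ';' rejection is this example's own choice for an admin-level socket.

```python
import re
import socket

# Constructed sample in the 'show acl' format quoted in the thread.
SAMPLE_SHOW_ACL = """\
# id (file) description
0 (/root/myacl) pattern loaded from file '/root/myacl' used by acl at file '/etc/haproxy/haproxy.cfg' line 19
1 () acl 'hdr' file '/etc/haproxy/haproxy.cfg' line 19
2 () acl 'src' file '/etc/haproxy/haproxy.cfg' line 21
"""

ROW = re.compile(r"^(\d+) \(([^)]*)\) (.*)$")

def parse_show_acl(text):
    """Return one dict per row: numeric id, file reference (or None), description."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:  # the '# id (file) description' header does not match
            rows.append({"id": int(m.group(1)), "file": m.group(2) or None,
                         "desc": m.group(3)})
    return rows

def reference_for(rows, acl_id):
    """Identifier for add/del/get acl: the file path when the ACL was loaded
    with -f (stable across reloads), otherwise '#<id>' (can change)."""
    for row in rows:
        if row["id"] == acl_id:
            return row["file"] or "#%d" % row["id"]
    raise KeyError("no ACL with id %d" % acl_id)

def acl_command(verb, reference, value):
    """Build '<verb> acl <reference> <value>' as one socket command."""
    if verb not in ("add", "del", "get"):
        raise ValueError("unsupported verb: %r" % verb)
    # Reject whitespace, newlines and ';' so a value cannot carry a second command.
    if not value or ";" in value or any(c.isspace() for c in value):
        raise ValueError("invalid value: %r" % value)
    return "%s acl %s %s" % (verb, reference, value)

def send_command(command, path="/var/lib/haproxy/stats"):
    """Send one command to the stats socket and return the full reply."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(path)
        s.sendall(command.encode() + b"\n")
        reply = b""
        while chunk := s.recv(4096):
            reply += chunk
    return reply.decode()
```

A runtime change made this way lives only in memory; the flat file still has to be updated as well for the change to survive a reload, as the thread points out.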