Re: Order of acls not important?

2018-03-16 Thread Stefan Husch|qutic development
Hi Tim,

> The ACLs order is not relevant, I recommend to group them all together

Thx a lot, it is now working with your advice!

Best regards,
Stefan



Re: Order of acls not important?

2018-03-15 Thread Tim Düsterhus
Stefan,

On 15.03.2018 at 21:24, Stefan Husch|qutic development wrote:
> frontend 10.10.10.10_80
>     bind 10.10.10.10:80 name 10.10.10.10:80
>     mode http
>     option http-keep-alive
>     option log-separate-errors
>     option httplog
>     acl acl_1 path_beg -i /.well-known/acme-challenge/
>     use_backend acme_challenge_backend if acl_1
>     acl acl_2 hdr_reg(host) -i \b(?:\d{1,3}\.){3}\d{1,3}\b
>     http-request redirect code 301 location https://example.com if acl_2
>     acl acl_3 req.proto_http
>     http-request redirect scheme https code 301 if acl_3
> 
> I thought the acls are processed from 1 to 3, but the curl result is not 
> going to the acme_challenge_backend, but doing an https redirect.

The ACLs order is not relevant, I recommend to group them all together
at the top (and give them meaningful names) and then act on them at the
bottom. Here's an example excerpt of my config:

> acl  acme_challenge  path_beg  /.well-known/acme-challenge/
> acl  example.com hdr(host)  -i  example.com
> # repeat for other domains
>
> redirect  code  301  scheme  https  if  !acme_challenge  example.com
> # repeat for other domains
>
> use_backend bk_letsencrypt if acme_challenge

Basically add the !acme_challenge to your redirects. Another possibility
is to add the acme-challenge logic to your HTTPS backend, Let's Encrypt
follows redirects. This does require an existing certificate for your
domains though.

The HTTP protocol (without 's') is implied for your frontend, as you
only listen on port 80, that might simplify your configuration as well.

Best regards
Tim Düsterhus
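
An added example (not Tim's or Stefan's configuration): Stefan's frontend rewritten along the advice above, with the ACLs grouped at the top and every redirect excluding the challenge path. The backend name acme_challenge_backend comes from the thread; bk_https is an assumed name.

```haproxy
# Added example, not from the thread. Addresses and the challenge path are
# the ones Stefan posted; bk_https is an assumed backend name.
frontend fe_http
    bind 10.10.10.10:80
    mode http
    option httplog

    # ACLs are evaluated where they are referenced, not where they are
    # declared, so declaring them together with meaningful names is safe.
    acl acme_challenge  path_beg -i /.well-known/acme-challenge/
    acl host_is_ip      hdr_reg(host) -i \b(?:\d{1,3}\.){3}\d{1,3}\b

    # http-request rules run before use_backend no matter where they sit in
    # the file, so each redirect must exclude the ACME challenge path.
    # (req.proto_http is redundant here: this frontend only listens on :80.)
    http-request redirect code 301 location https://example.com if host_is_ip !acme_challenge
    http-request redirect scheme https code 301 if !acme_challenge

    # Routing decisions come last; only unredirected requests reach this point.
    use_backend acme_challenge_backend if acme_challenge
    default_backend bk_https
```

With this layout a request for /.well-known/acme-challenge/... on port 80 is never redirected, and everything else gets the 301 to HTTPS.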



Re: Order of acls not important?

2018-03-15 Thread PiBa-NL

Hi,

On 15-3-2018 at 21:24, Stefan Husch|qutic development wrote:
> I thought the acls are processed from 1 to 3,

ACLs are evaluated where they are used.

> What am I doing wrong? Is the acl-position in a haproxy-config not important?
>
> Thx, Stefan

The order of the ACLs themselves is not relevant.

However you should iirc get a warning that the http-request will be 
processed before the use_backend directive.


Regards,

PiBa-NL




Order of acls not important?

2018-03-15 Thread Stefan Husch|qutic development
Hi,

This might have been asked before, but I didn't find the answer yet.

The following haproxy.config has the goal to use Let's Encrypt and an https 
redirect together on a frontend.

frontend 10.10.10.10_80
    bind 10.10.10.10:80 name 10.10.10.10:80
    mode http
    option http-keep-alive
    option log-separate-errors
    option httplog
    acl acl_1 path_beg -i /.well-known/acme-challenge/
    use_backend acme_challenge_backend if acl_1
    acl acl_2 hdr_reg(host) -i \b(?:\d{1,3}\.){3}\d{1,3}\b
    http-request redirect code 301 location https://example.com if acl_2
    acl acl_3 req.proto_http
    http-request redirect scheme https code 301 if acl_3

I thought the acls are processed from 1 to 3, but the curl result is not going 
to the acme_challenge_backend, but doing an https redirect.

$ curl -i http://example.com/.well-known/acme-challenge/
HTTP/1.1 301 Moved Permanently
Content-length: 0
Location: https://example.com/.well-known/acme-challenge/

What am I doing wrong? Is the acl-position in a haproxy-config not important?

Thx, Stefan