Re: Order of acls not important?
Hi Tim,

> The ACLs order is not relevant, I recommend to group them all together

Thx a lot, it is now working with your advice!

Best regards,
Stefan
Re: Order of acls not important?
Stefan,

On 15.03.2018 at 21:24, Stefan Husch|qutic development wrote:
> frontend 10.10.10.10_80
>   bind 10.10.10.10:80 name 10.10.10.10:80
>   mode http
>   option http-keep-alive
>   option log-separate-errors
>   option httplog
>   acl acl_1 path_beg -i /.well-known/acme-challenge/
>   use_backend acme_challenge_backend if acl_1
>   acl acl_2 hdr_reg(host) -i \b(?:\d{1,3}\.){3}\d{1,3}\b
>   http-request redirect code 301 location https://example.com if acl_2
>   acl acl_3 req.proto_http
>   http-request redirect scheme https code 301 if acl_3
>
> I thought the acls are processed from 1 to 3, but the curl result is not
> going to the acme_challenge_backend, but doing a https redirect.

The ACLs order is not relevant, I recommend to group them all together at the top (and give them meaningful names) and then act on them at the bottom.

Here's an example excerpt of my config:

> acl acme_challenge path_beg /.well-known/acme-challenge/
> acl example.com hdr(host) -i example.com
> # repeat for other domains
>
> redirect code 301 scheme https if !acme_challenge example.com
> # repeat for other domains
>
> use_backend bk_letsencrypt if acme_challenge

Basically add the !acme_challenge to your redirects.

Another possibility is to add the acme-challenge logic to your HTTPS backend, Let's Encrypt follows redirects. This does require an existing certificate for your domains though.

The HTTP protocol (without 's') is implied for your frontend, as you only listen on port 80, that might simplify your configuration as well.

Best regards
Tim Düsterhus
Re: Order of acls not important?
Hi,

On 15-3-2018 at 21:24, Stefan Husch|qutic development wrote:
> I thought the acls are processed from 1 to 3,

Acl's are evaluated where they are used.

> What am I doing wrong? Is the acl-position in a haproxy-config not important?
>
> Thx,
> Stefan

The order of the acl's themselves is not relevant. However you should iirc get a warning that the http-request will be processed before the use_backend directive.

Regards,
PiBa-NL
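The evaluation order described in this reply, as an added example that is not part of the thread or of HAProxy itself: a simplified Python model that runs every http-request rule before any use_backend rule. The function names, the two-phase model and the sample requests are assumptions made for illustration; BEFORE holds the rules from the question, and AFTER adds the !acl_1 exemption suggested in the other reply.

```python
import re

# Constructed model: all http-request rules run before any use_backend rule,
# whatever the order of the lines in the frontend section.
PHASES = ("http-request", "use_backend")

# Rules from the question; AFTER adds the "!acl_1" exemption to both redirects.
BEFORE = r"""
acl acl_1 path_beg -i /.well-known/acme-challenge/
use_backend acme_challenge_backend if acl_1
acl acl_2 hdr_reg(host) -i \b(?:\d{1,3}\.){3}\d{1,3}\b
http-request redirect code 301 location https://example.com if acl_2
acl acl_3 req.proto_http
http-request redirect scheme https code 301 if acl_3
"""
AFTER = BEFORE.replace("if acl_2", "if acl_2 !acl_1").replace("if acl_3", "if acl_3 !acl_1")

def parse_frontend(text):
    """Collect named ACLs and conditional rules (only keywords from the thread)."""
    acls, rules = {}, []
    for tok in (line.split() for line in text.splitlines() if line.strip()):
        if tok[0] == "acl":
            acls[tok[1]] = tok[2:]
        elif tok[0] in PHASES and "if" in tok:
            i = tok.index("if")
            rules.append((tok[0], " ".join(tok[1:i]), tok[i + 1:]))
    return acls, rules

def acl_matches(expr, req):
    """Evaluate path_beg, hdr(host), hdr_reg(host) or the boolean req.proto_http."""
    fetch, ci = expr[0], "-i" in expr
    pat = [a for a in expr[1:] if a != "-i"]
    fold = str.lower if ci else str
    if fetch == "path_beg":
        return fold(req["path"]).startswith(fold(pat[0]))
    if fetch == "hdr(host)":
        return fold(req["host"]) == fold(pat[0])
    if fetch == "hdr_reg(host)":
        return re.search(pat[0], req["host"], re.I if ci else 0) is not None
    return fetch == "req.proto_http"  # true for any valid HTTP request

def route(text, req):
    """First rule that fires, phase by phase; terms are ANDed, "!" negates."""
    acls, rules = parse_frontend(text)
    for phase in PHASES:
        for kind, action, cond in rules:
            if kind == phase and all(
                    acl_matches(acls[c.lstrip("!")], req) != c.startswith("!") for c in cond):
                return kind, action
    return None
```

For the request from the curl call in the question (host example.com, path /.well-known/acme-challenge/), route(BEFORE, ...) returns the https redirect and route(AFTER, ...) returns the acme_challenge_backend.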
Order of acls not important?
Hi,

this might have been asked before, but I didn't find the answer yet.

The following haproxy.config has the goal to use Let's Encrypt and https redirect together on a frontend.

frontend 10.10.10.10_80
  bind 10.10.10.10:80 name 10.10.10.10:80
  mode http
  option http-keep-alive
  option log-separate-errors
  option httplog
  acl acl_1 path_beg -i /.well-known/acme-challenge/
  use_backend acme_challenge_backend if acl_1
  acl acl_2 hdr_reg(host) -i \b(?:\d{1,3}\.){3}\d{1,3}\b
  http-request redirect code 301 location https://example.com if acl_2
  acl acl_3 req.proto_http
  http-request redirect scheme https code 301 if acl_3

I thought the acls are processed from 1 to 3, but the curl result is not going to the acme_challenge_backend, but doing a https redirect.

$ curl -i http://example.com/.well-known/acme-challenge/
HTTP/1.1 301 Moved Permanently
Content-length: 0
Location: https://example.com/.well-known/acme-challenge/

What am I doing wrong? Is the acl-position in a haproxy-config not important?

Thx,
Stefan