RE: http-response add-header
Sure, I think this is a standard solution, if someone else needs it:

capture data in request stage (in Frontend or Backend):

    http-request set-var(txn.req_host) req.hdr(Host)

-> capture header host part of the request in variable req_host1 (transaction scope)

use data capture in request stage for the response stage (in Frontend or Backend):

    acl is_something var(txn.req_host) -i www.url1.com
    http-response set-header X-Frame-Options SAMEORIGIN if !is_something

It is also possible to use capture.req… for some data (ex: capture.req.uri).
I found no simple capture.req… solution for Host data.
I suppose using “capture” and “vars” is the same for haproxy internals.

mlist

-----Original Message-----
From: Aleksandar Lazic
Sent: Monday, 25 June 2018 11:40
To: mlist; 'Jarno Huuskonen'
Cc: 'haproxy@formilux.org'
Subject: Re: http-response add-header

Hi.

On 25.06.2018 at 09:49, mlist wrote:
> You're right. Meanwhile I found a working version using set-var on
> http-request.

It would be nice when you share the solution, here or in any blog post,

Thank you

> Thank you

Best regards
Aleks

> -----Original Message-----
> From: Jarno Huuskonen <jarno.huusko...@uef.fi>
> Sent: Monday, 25 June 2018 09:01
> To: mlist <ml...@apkappa.it>
> Cc: 'haproxy@formilux.org' <haproxy@formilux.org>
> Subject: Re: http-response add-header
>
> Hi,
>
> On Sat, Jun 23, mlist wrote:
>> using this config no header is added to client from haproxy:
>>
>> acl is_test hdr_dom(host) -i www.url1.url2.com
>>
>> http-response add-header X-Custom-Header YES if is_test
>
> Most likely the host header is not available for the http-response/acl.
>
> For example with this config:
> frontend test_fe
>    bind ipv4@127.0.0.1:8080
>    acl is_test hdr_dom(host) -i www.url1.url2.com
>    http-response add-header X-Custom-Header YES if is_test
>    default_backend test_be
>
> backend test_be
>    http-request deny deny_status 200
>
> haproxy complains:
> [WARNING] 175/094858 (14971) : parsing [tmp_resp_header.conf:24] : acl 'is_test'
> will never match because it only involves keywords that are incompatible with
> 'frontend http-response header rule'
>
> You can use captures / variables to "store" the host header:
> https://www.haproxy.com/blog/whats-new-in-haproxy-1-6/
>
> So for example:
> frontend test_fe
>    bind ipv4@127.0.0.1:8080
>    declare capture request len 64
>    http-request capture req.hdr(Host) id 0
>    acl is_test capture.req.hdr(0) -m beg -i www.url1.url2.com
>    http-response add-header X-Custom-Header YES if is_test
>
> -Jarno
>
> --
> Jarno Huuskonen
RE: http-response add-header
You're right. Meanwhile I found a working version using set-var on http-request.

Thank you

mlist

-----Original Message-----
From: Jarno Huuskonen
Sent: Monday, 25 June 2018 09:01
To: mlist
Cc: 'haproxy@formilux.org'
Subject: Re: http-response add-header

Hi,

On Sat, Jun 23, mlist wrote:
> using this config no header is added to client from haproxy:
>
> acl is_test hdr_dom(host) -i www.url1.url2.com
>
> http-response add-header X-Custom-Header YES if is_test

Most likely the host header is not available for the http-response/acl.

For example with this config:
frontend test_fe
   bind ipv4@127.0.0.1:8080
   acl is_test hdr_dom(host) -i www.url1.url2.com
   http-response add-header X-Custom-Header YES if is_test
   default_backend test_be

backend test_be
   http-request deny deny_status 200

haproxy complains:
[WARNING] 175/094858 (14971) : parsing [tmp_resp_header.conf:24] : acl 'is_test'
will never match because it only involves keywords that are incompatible with
'frontend http-response header rule'

You can use captures / variables to "store" the host header:
https://www.haproxy.com/blog/whats-new-in-haproxy-1-6/

So for example:
frontend test_fe
   bind ipv4@127.0.0.1:8080
   declare capture request len 64
   http-request capture req.hdr(Host) id 0
   acl is_test capture.req.hdr(0) -m beg -i www.url1.url2.com
   http-response add-header X-Custom-Header YES if is_test

-Jarno

--
Jarno Huuskonen
Re: http-response add-header
Hi,

On Sat, Jun 23, mlist wrote:
> using this config no header is added to client from haproxy:
>
> acl is_test hdr_dom(host) -i www.url1.url2.com
>
> http-response add-header X-Custom-Header YES if is_test

Most likely the host header is not available for the http-response/acl.

For example with this config:
frontend test_fe
   bind ipv4@127.0.0.1:8080
   acl is_test hdr_dom(host) -i www.url1.url2.com
   http-response add-header X-Custom-Header YES if is_test
   default_backend test_be

backend test_be
   http-request deny deny_status 200

haproxy complains:
[WARNING] 175/094858 (14971) : parsing [tmp_resp_header.conf:24] : acl 'is_test'
will never match because it only involves keywords that are incompatible with
'frontend http-response header rule'

You can use captures / variables to "store" the host header:
https://www.haproxy.com/blog/whats-new-in-haproxy-1-6/

So for example:
frontend test_fe
   bind ipv4@127.0.0.1:8080
   declare capture request len 64
   http-request capture req.hdr(Host) id 0
   acl is_test capture.req.hdr(0) -m beg -i www.url1.url2.com
   http-response add-header X-Custom-Header YES if is_test

-Jarno

--
Jarno Huuskonen
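
Added example (not part of the thread and not HAProxy project code): a pre-deploy check that turns the "will never match" warning quoted above into a hard failure, so a response-header rule such as X-Frame-Options cannot silently stay dead. The function names and the second sample line (haproxy.cfg:41) are constructed; `haproxy -c -f` is the standard configuration check mode.

```shell
#!/bin/sh
# Added example: fail a deployment when HAProxy reports ACLs that can
# never match in the rule they are attached to.

# Reads `haproxy -c` output on stdin (one warning per line) and prints
# "<file:line> acl=<name> context=<rule type>" for each dead ACL.
never_match_acls() {
    awk -F"'" '
    /will never match/ && NF >= 4 {
        loc = "unknown"
        if (split($1, part, /parsing \[/) > 1) {
            loc = part[2]
            sub(/\].*/, "", loc)
        }
        print loc " acl=" $2 " context=" $4
    }'
}

# Validates a config file without starting the proxy.
# Returns 2 if HAProxy rejects the file, 1 if it loads but contains
# dead ACLs, 0 otherwise.
check_cfg() {
    out=$(haproxy -c -f "$1" 2>&1) || { printf '%s\n' "$out" >&2; return 2; }
    findings=$(printf '%s\n' "$out" | never_match_acls)
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings" >&2
    return 1
}

# Constructed sample: the first warning is the one quoted in the thread,
# the second reuses the 'backend' wording with an invented file and line.
SAMPLE_OUTPUT="[WARNING] 175/094858 (14971) : parsing [tmp_resp_header.conf:24] : acl 'is_test' will never match because it only involves keywords that are incompatible with 'frontend http-response header rule'
[WARNING] 175/094858 (14971) : parsing [haproxy.cfg:41] : acl 'test_origin' will never match because it only involves keywords that are incompatible with 'backend http-response header rule'
Configuration file is valid"

printf '%s\n' "$SAMPLE_OUTPUT" | never_match_acls
```

In a pipeline, `check_cfg /etc/haproxy/haproxy.cfg` before the reload step is enough, because the warning alone does not stop HAProxy from accepting the file.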
http-response add-header
Hi,

haproxy 1.8.10

using this config no header is added to client from haproxy:

    acl is_test hdr_dom(host) -i www.url1.url2.com
    http-response add-header X-Custom-Header YES if is_test

We are sure “acl is_test hdr_dom(host) -i www.url1.url2.com” is matched, as ssl redirect works for the same acl:

    redirect scheme https code 301 if !is_test !{ ssl_fc }

if we change to:

    http-response add-header X-Custom-Header YES if !is_test

haproxy adds this header to all responses regardless, also for requests from www.url1.url2.com

mlist
Issue with http-response add-header and ACLs
So I am trying to set some new rules - since I don't have anything handy to echo requests back to me, I'm using http-response add-header so I can verify my rules work with curl.

Added to haproxy.cfg:

    acl test_origin hdr(X-TEST-IP) -m ip -f /etc/haproxy/acl/test.acl
    http-response add-header X-Test test
    http-response add-header X-Test internal if test_origin
    #http-request deny if test_origin

Added to /etc/haproxy/acl/test.acl

    127.0.0.3

I expect that when I do:

    curl -vvv -H "X-TEST-IP: 127.0.0.3" http://127.0.0.1:4089/

That I would get a response that included two X-Test headers - however I am only seeing the first one. "X-Test: test".

If I uncomment the "deny" rule then the request will be denied, so I believe the acl is working.

If I change the "if test_origin" to "if !test_origin" then I'll see the second header, so I think the if is being parsed at least.

However I don't know why I'm not seeing the header in the case above.
Re: Issue with http-response add-header and ACLs
Hi,

On 01/10/2015 20:56, CJ Ess wrote:
> So I am trying to set some new rules - since I don't have anything handy
> to echo requests back to me, I'm using http-response add-header so I can
> verify my rules work with curl.
>
> Added to haproxy.cfg:
>
> acl test_origin hdr(X-TEST-IP) -m ip -f /etc/haproxy/acl/test.acl
> http-response add-header X-Test test
> http-response add-header X-Test internal if test_origin
> #http-request deny if test_origin
>
> Added to /etc/haproxy/acl/test.acl
>
> 127.0.0.3
>
> I expect that when I do: curl -vvv -H "X-TEST-IP: 127.0.0.3"
> http://127.0.0.1:4089/
>
> That I would get a response that included two X-Test headers - however I
> am only seeing the first one. "X-Test: test".
>
> If I uncomment the "deny" rule then the request will be denied, so I
> believe the acl is working.
>
> If I change the "if test_origin" to "if !test_origin" then I'll see the
> second header, so I think the if is being parsed at least.

You're trying to apply an acl on a request header during the response processing, hence such header is not available anymore in the buffer.

You should look at the warning during haproxy init, you'll probably have :
"acl 'test_origin' will never match because it only involves keywords that are incompatible with 'backend http-response header rule'"

With the 1.6 dev branch, you can use variables to store the request value in the session :

    http-request set-var(sess.X_TEST_IP) hdr(X-TEST-IP)
    acl test_origin var(sess.X_TEST_IP) -m ip -f /etc/haproxy/acl/test.acl

During the request processing, the header is stored at the session scope, which will be available during the response processing.

--
Cyril Bonté
Re: Issue with http-response add-header and ACLs
Cyril, that makes perfect sense but I wouldn't have thought of it. Thank you for pointing me the right direction!

On Thu, Oct 1, 2015 at 4:39 PM, Cyril Bonté <cyril.bo...@free.fr> wrote:
> Hi,
>
> On 01/10/2015 20:56, CJ Ess wrote:
>
>> So I am trying to set some new rules - since I don't have anything handy
>> to echo requests back to me, I'm using http-response add-header so I can
>> verify my rules work with curl.
>>
>> Added to haproxy.cfg:
>>
>> acl test_origin hdr(X-TEST-IP) -m ip -f /etc/haproxy/acl/test.acl
>> http-response add-header X-Test test
>> http-response add-header X-Test internal if test_origin
>> #http-request deny if test_origin
>>
>> Added to /etc/haproxy/acl/test.acl
>>
>> 127.0.0.3
>>
>> I expect that when I do: curl -vvv -H "X-TEST-IP: 127.0.0.3"
>> http://127.0.0.1:4089/
>>
>> That I would get a response that included two X-Test headers - however I
>> am only seeing the first one. "X-Test: test".
>>
>> If I uncomment the "deny" rule then the request will be denied, so I
>> believe the acl is working.
>>
>> If I change the "if test_origin" to "if !test_origin" then I'll see the
>> second header, so I think the if is being parsed at least.
>>
>
> You're trying to apply an acl on a request header during the response
> processing, hence such header is not available anymore in the buffer.
>
> You should look at the warning during haproxy init, you'll probably have :
> "acl 'test_origin' will never match because it only involves keywords that
> are incompatible with 'backend http-response header rule'"
>
> With the 1.6 dev branch, you can use variables to store the request value
> in the session :
> http-request set-var(sess.X_TEST_IP) hdr(X-TEST-IP)
> acl test_origin var(sess.X_TEST_IP) -m ip -f /etc/haproxy/acl/test.acl
>
> During the request processing, the header is stored at the session scope,
> which will be available during the response processing.
>
>
> --
> Cyril Bonté
>
Re: http-response add-header and stats enable
On Mon, Aug 17, 2015 at 10:35 AM, Lukas Erlacher erlac...@in.tum.de wrote:
>> Hi Lukas,
>>
>> Actually, you're setting response headers with data available only at
>> the request time.
>> This is not possible in HAProxy 1.5
>> This will be possible in HAProxy 1.6 using the capture statement.
>>
>> Baptiste
>
> Hi, thanks for that info. Is there any way to make haproxy tell me these
> things?
>
> Luke

Hi Luke,

As I said, with the capture statement:
http://cbonte.github.io/haproxy-dconv/snapshot/configuration-1.6.html#http-request
Look for 'capture' keyword.

Baptiste
Re: http-response add-header and stats enable
Hi,

On 08/19/2015 05:21 PM, Baptiste wrote:
>> Hi, thanks for that info. Is there any way to make haproxy tell me these
>> things?
>>
>> Luke
>
> Hi Luke,
>
> As I said, with the capture statement:
> http://cbonte.github.io/haproxy-dconv/snapshot/configuration-1.6.html#http-request
> Look for 'capture' keyword.
>
> Baptiste

Sorry, I guess I expressed myself in an unclear way - I mean some kind of logging that tells me when I use configuration lines that don't work given the context.
http-response add-header and stats enable
Hello,

I'm a new haproxy user (using haproxy 1.5) and I'm running into a few hitches.

I made a stats backend:

backend bk_stats
    log global
    mode http
    stats enable
    stats uri /
    stats scope ft_submission
    stats scope bk_postfix

And because I wanted to have users authed by ssl client certificate, I put some http-response add-header statements into the frontend for debugging:

frontend ft_stats
    log global
    mode http
    bind 131.159.42.4:443 ssl crt myserver.combined.key.pem ca-file mycafile.pem verify required no-sslv3 no-tlsv10 no-tlsv11
    http-response add-header X-SSL-Client-CN %[ssl_c_s_dn(cn)]
    http-response add-header X-SSL-Client-E %[ssl_c_s_dn(emailAddress)]
    http-response add-header X-SSL-Client-DN %[ssl_c_s_dn]
    acl cn_allowed ssl_c_s_dn(emailAddress) -f /etc/haproxy/haproxy_admins
    #acl cn_allowed always_true
    use_backend bk_ssl_error unless cn_allowed
    default_backend bk_stats

However, these headers won't show up in the response. They also won't show up if I put the add-header statements into the backend. It seems that stats enable disregards http-response lines. There is a stats http-request option but that doesn't allow adding any headers.

As a workaround I just shimmed in another frontend and backend where I put the http-request add-header lines. [1]

I believe that this is a bug, at least in the way that nothing in the documentation hints that http-request add-header in a /frontend/ will be ignored if the /backend/ has stats enabled. In fact, the documentation for http-response [2] states

    Since these rules apply on responses, the backend rules are applied
    first, followed by the frontend's rules.

So whatever response the backend delivers to the frontend should have no influence on the headers being added by the frontend.

Can anyone more experienced with haproxy tell me if this is really a bug or if I am just doing something wrong?

Best regards,
Luke

[1] http://ix.io/kiO
[2] https://cbonte.github.io/haproxy-dconv/configuration-1.5.html#4.2-http-response
Re: http-response add-header and stats enable
On Mon, Aug 17, 2015 at 9:54 AM, Lukas Erlacher erlac...@in.tum.de wrote:
> Hello,
>
> I'm a new haproxy user (using haproxy 1.5) and I'm running into a few
> hitches.
>
> I made a stats backend:
>
> backend bk_stats
>     log global
>     mode http
>     stats enable
>     stats uri /
>     stats scope ft_submission
>     stats scope bk_postfix
>
> And because I wanted to have users authed by ssl client certificate, I put
> some http-response add-header statements into the frontend for debugging:
>
> frontend ft_stats
>     log global
>     mode http
>     bind 131.159.42.4:443 ssl crt myserver.combined.key.pem ca-file mycafile.pem verify required no-sslv3 no-tlsv10 no-tlsv11
>     http-response add-header X-SSL-Client-CN %[ssl_c_s_dn(cn)]
>     http-response add-header X-SSL-Client-E %[ssl_c_s_dn(emailAddress)]
>     http-response add-header X-SSL-Client-DN %[ssl_c_s_dn]
>     acl cn_allowed ssl_c_s_dn(emailAddress) -f /etc/haproxy/haproxy_admins
>     #acl cn_allowed always_true
>     use_backend bk_ssl_error unless cn_allowed
>     default_backend bk_stats
>
> However, these headers won't show up in the response. They also won't show
> up if I put the add-header statements into the backend. It seems that stats
> enable disregards http-response lines. There is a stats http-request option
> but that doesn't allow adding any headers.
>
> As a workaround I just shimmed in another frontend and backend where I put
> the http-request add-header lines. [1]
>
> I believe that this is a bug, at least in the way that nothing in the
> documentation hints that http-request add-header in a /frontend/ will be
> ignored if the /backend/ has stats enabled. In fact, the documentation for
> http-response [2] states
>
>     Since these rules apply on responses, the backend rules are applied
>     first, followed by the frontend's rules.
>
> So whatever response the backend delivers to the frontend should have no
> influence on the headers being added by the frontend.
>
> Can anyone more experienced with haproxy tell me if this is really a bug or
> if I am just doing something wrong?
>
> Best regards,
> Luke
>
> [1] http://ix.io/kiO
> [2] https://cbonte.github.io/haproxy-dconv/configuration-1.5.html#4.2-http-response

Hi Lukas,

Actually, you're setting response headers with data available only at the request time.
This is not possible in HAProxy 1.5
This will be possible in HAProxy 1.6 using the capture statement.

Baptiste
Re: http-response add-header and stats enable
> Hi Lukas,
>
> Actually, you're setting response headers with data available only at
> the request time.
> This is not possible in HAProxy 1.5
> This will be possible in HAProxy 1.6 using the capture statement.
>
> Baptiste

Hi, thanks for that info. Is there any way to make haproxy tell me these things?

Luke