Hi Cyril,

Thank you for enlightening me.. we'll correct that mistake :)

Cyril Bonté wrote on 02/24/2015 09:20 AM:
> Hi Klavs,
>
> On 24/02/2015 08:56, Klavs Klavsen wrote:
>> Hi guys,
>>
>> A colleague just found an issue last night, where this acl:
>>
>> acl is_kk-dk  hdr_end(host) -i kkdk3.testkkdk.kk.dk hdr(host) -i readonly.kk.dk hdr(host) -i readonly.testkkdk.kk.dk hdr(host) -i www.testkkdk.kk.dk hdr(host) -i kktest.kk.dk hdr(host) -i www.kk.dk hdr(host) -i kk.dk
>
> This is not how acls are supposed to be declared.
> Here, you are specifying only one acl based on hdr_end(host), followed
> by any value following. Here, it means that "hdr(host)" is considered as
> a value.
>
>> matches hosts like hest.kk.dk :(
>
> Indeed, because the last value "kk.dk" matches the real acl hdr_end(host)
>
>> He changed the first: hdr_end(host) to just hdr(host) - and it worked as
>> it should..
>>
>> it seems if you use hdr_end on first match - that is used on the rest
>> even though it shouldn't ?
>
> No, it really should.
>
> I guess you wanted to have :
>    acl is_kk-dk  hdr_end(host) -i kkdk3.testkkdk.kk.dk
>    acl is_kk-dk  hdr(host) -i readonly.kk.dk readonly.testkkdk.kk.dk www.testkkdk.kk.dk kktest.kk.dk www.kk.dk kk.dk
>
>> We're running haproxy 1.5.11 on those boxes.




--
Regards,
Klavs Klavsen, GSEC - k...@vsen.dk - http://www.vsen.dk - Tlf. 61281200

"Those who do not understand Unix are condemned to reinvent it, poorly."
  --Henry Spencer
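
The behaviour discussed in this thread, as an added Python model that is not part of the original messages and is not HAProxy code. It assumes only the `-i` flag and the two criteria quoted above, and that every word after the first pattern (including later `-i` words) is taken as a pattern; `parse_acl`, `acl_matches` and `stray_tokens` are hypothetical helper names.

```python
import re

# The two declarations from the thread, each written as one config line.
BROKEN = ["acl is_kk-dk hdr_end(host) -i kkdk3.testkkdk.kk.dk hdr(host) -i "
          "readonly.kk.dk hdr(host) -i readonly.testkkdk.kk.dk hdr(host) -i "
          "www.testkkdk.kk.dk hdr(host) -i kktest.kk.dk hdr(host) -i www.kk.dk "
          "hdr(host) -i kk.dk"]
FIXED = ["acl is_kk-dk hdr_end(host) -i kkdk3.testkkdk.kk.dk",
         "acl is_kk-dk hdr(host) -i readonly.kk.dk readonly.testkkdk.kk.dk "
         "www.testkkdk.kk.dk kktest.kk.dk www.kk.dk kk.dk"]

def parse_acl(line):
    """One criterion, then flags, then every remaining word is a pattern."""
    words = line.split()
    name, criterion, rest = words[1], words[2], words[3:]
    flags = set()
    while rest and rest[0].startswith("-"):  # assumption: flags only lead the list
        flags.add(rest.pop(0))
    return name, criterion, flags, rest

def acl_matches(lines, name, host):
    """Lines sharing an acl name are ORed; patterns on one line are ORed too."""
    for line in lines:
        acl, criterion, flags, patterns = parse_acl(line)
        if acl != name:
            continue
        fold = str.lower if "-i" in flags else str
        for pattern in patterns:
            h, p = fold(host), fold(pattern)
            if criterion == "hdr_end(host)" and h.endswith(p):
                return True
            if criterion == "hdr(host)" and h == p:
                return True
    return False

def stray_tokens(line):
    """Pattern words that look like a fetch or a flag: a merged-conditions smell."""
    return [p for p in parse_acl(line)[3]
            if re.fullmatch(r"[a-z_]+\(.*\)", p) or p.startswith("-")]

if __name__ == "__main__":
    for host in ("hest.kk.dk", "www.kk.dk", "a.kkdk3.testkkdk.kk.dk"):
        print(host, acl_matches(BROKEN, "is_kk-dk", host),
              acl_matches(FIXED, "is_kk-dk", host))
    print(stray_tokens(BROKEN[0]))
```

Running `stray_tokens` over every `acl` line of a configuration is a quick review check for declarations that were meant to be several conditions but were written as one.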

