RE: [EXTERNAL] Re: built in ACL, REQ_CONTENT
wrong status, code: 503, info: "Service Unavailable", check duration: 2ms. 1 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue. Jun 8 16:53:25 ip-172-31-77-193 haproxy[15847]: 172.31.77.187:51070 [08/Jun/2021:16:53:20.487] pg_ingress pg_readonly/tstshd01 5001/0/5010 430 -- 1/1/0/0/0 0/0 Jun 8 16:53:34 ip-172-31-77-193 haproxy[15847]: 172.31.77.187:51084 [08/Jun/2021:16:53:29.840] pg_ingress pg_readonly/tstshd02 5003/0/5011 429 -- 1/1/0/0/0 0/0 Jun 8 16:53:45 ip-172-31-77-193 haproxy[15847]: 172.31.77.187:51096 [08/Jun/2021:16:53:40.112] pg_ingress pg_readonly/tstshd01 5001/0/5002 430 -- 1/1/0/0/0 0/0 From: Lukas Tribus Sent: Tuesday, June 8, 2021 11:33 AM To: Godfrin, Philippe E Cc: jarno.huusko...@uef.fi; haproxy@formilux.org Subject: Re: [EXTERNAL] Re: built in ACL, REQ_CONTENT Use caution when interacting with this [EXTERNAL] email! Hello, On Tue, 8 Jun 2021 at 17:36, Godfrin, Philippe E wrote: > > Certainly, > > Postrgres sends this message across the wire: > > Jun 2 21:14:40 ip-172-31-77-193 haproxy[9031]: #0110x00: 00 00 00 4c 00 > 03 00 00 75 73 65 72 00 74 73 64 |...Luser.tsd| > Jun 2 21:14:40 ip-172-31-77-193 haproxy[9031]: #0110x10: 62 00 64 61 74 > 61 62 61 73 65 00 74 73 64 62 00 |b.database.tsdb.| > Jun 2 21:14:40 ip-172-31-77-193 haproxy[9031]: #0110x20: 61 70 70 6c 69 > 63 61 74 69 6f 6e 5f 6e 61 6d 65 |application_name| > Jun 2 21:14:40 ip-172-31-77-193 haproxy[9031]: #0110x30: 00 70 73 71 6c > 00 63 6c 69 65 6e 74 5f 65 6e 63 |.psql.client_enc| > Jun 2 21:14:40 ip-172-31-77-193 haproxy[9031]: #0110x40: 6f 64 69 6e 67 > 00 55 54 46 38 00 00 |oding.UTF8..| > > > > Bytes, 8 – are user\0 Byte 13 starts the userid. I would like to be able to > test that userid and make a routing decision on that. This is what the > HAProxy docs suggest: > > > > acl check-rw req.payload(8,32),hex -m sub 757365720074736462727700 And don't see how this is supposed to match? 62727700 is not what it's in your trace. Is the username tsdb, like in your trace, or is it tsdbrw, like in your ACL? Also, put a "tcp-request inspect-delay 5s" in front of the ACL (you can optimize performance later) and share the entire configuration. Please try to ask the actual question directly next time, so we can help you right away (https://xyproblem.info/). Thanks, Lukas
RE: [EXTERNAL] Re: built in ACL, REQ_CONTENT
Certainly, Postrgres sends this message across the wire: Jun 2 21:14:40 ip-172-31-77-193 haproxy[9031]: #0110x00: 00 00 00 4c 00 03 00 00 75 73 65 72 00 74 73 64 |...Luser.tsd| Jun 2 21:14:40 ip-172-31-77-193 haproxy[9031]: #0110x10: 62 00 64 61 74 61 62 61 73 65 00 74 73 64 62 00 |b.database.tsdb.| Jun 2 21:14:40 ip-172-31-77-193 haproxy[9031]: #0110x20: 61 70 70 6c 69 63 61 74 69 6f 6e 5f 6e 61 6d 65 |application_name| Jun 2 21:14:40 ip-172-31-77-193 haproxy[9031]: #0110x30: 00 70 73 71 6c 00 63 6c 69 65 6e 74 5f 65 6e 63 |.psql.client_enc| Jun 2 21:14:40 ip-172-31-77-193 haproxy[9031]: #0110x40: 6f 64 69 6e 67 00 55 54 46 38 00 00 |oding.UTF8..| Bytes, 8 – are user\0 Byte 13 starts the userid. I would like to be able to test that userid and make a routing decision on that. This is what the HAProxy docs suggest: acl check-rw req.payload(8,32),hex -m sub 757365720074736462727700 use_backend pg_readwrite if check-rw But the ACL never results in true… pg From: Jarno Huuskonen Sent: Tuesday, June 8, 2021 8:35 AM To: Godfrin, Philippe E Cc: haproxy@formilux.org Subject: Re: [EXTERNAL] Re: built in ACL, REQ_CONTENT Use caution when interacting with this [EXTERNAL] email! Hello, On Tue, 2021-06-08 at 12:25 +, Godfrin, Philippe E wrote: > OK, I see. An associated question, how do I gain access to that content to > interrogate/parse the data in that content? req.body (https://cbonte.github.io/haproxy-dconv/2.4/configuration.html#7.3.6-req.body) Can you explain a little bit what you're trying to do ? -Jarno > pg > > -Original Message- > From: Lukas Tribus > Sent: Monday, June 7, 2021 4:08 PM > To: Godfrin, Philippe E > Cc: haproxy@formilux.org > Subject: [EXTERNAL] Re: built in ACL, REQ_CONTENT > > Use caution when interacting with this [EXTERNAL] email! > > Hello, > > On Mon, 7 Jun 2021 at 14:51, Godfrin, Philippe E > wrote: > > > > Greetings! > > > > I can’t seem to find instructions on how to use this builtin ACL. Can > > someone point me in the right direction, please? > > There is nothing specific about it, you use just like every other ACL. > > http-request deny if REQ_CONTENT > > http-request deny unless REQ_CONTENT > > > Lukas > > > > -- Jarno Huuskonen
RE: [EXTERNAL] Re: built in ACL, REQ_CONTENT
OK, I see. An associated question, how do I gain access to that content to interrogate/parse the data in that content? pg -Original Message- From: Lukas Tribus Sent: Monday, June 7, 2021 4:08 PM To: Godfrin, Philippe E Cc: haproxy@formilux.org Subject: [EXTERNAL] Re: built in ACL, REQ_CONTENT Use caution when interacting with this [EXTERNAL] email! Hello, On Mon, 7 Jun 2021 at 14:51, Godfrin, Philippe E wrote: > > Greetings! > > I can’t seem to find instructions on how to use this builtin ACL. Can someone > point me in the right direction, please? There is nothing specific about it, you use just like every other ACL. http-request deny if REQ_CONTENT http-request deny unless REQ_CONTENT Lukas
built in ACL, REQ_CONTENT
Greetings! I can’t seem to find instructions on how to use this builtin ACL. Can someone point me in the right direction, please? pg Phil Godfrin | Database Administrator NOV NOV US | Engineering Data 9720 Beechnut St | Houston, Texas 77036 M 281.825.2311 E philippe.godf...@nov.com