RE: Feature suggestion: Check for same binding on multiple frontends

2018-03-07 Thread Moomjian, Chad
Thanks for the information, Lukas. I'm confused why this is not a default 
option though. Can you think of a time when you would ever want the exact same 
binding in multiple places in the config?

-Original Message-
From: lu...@ltri.eu [mailto:lu...@ltri.eu] 
Sent: Wednesday, March 7, 2018 3:21 AM
To: Moomjian, Chad <cmoomj...@outmatch.com>
Cc: haproxy@formilux.org
Subject: Re: Feature suggestion: Check for same binding on multiple frontends

Hello Chad,


On 7 March 2018 at 03:34, Moomjian, Chad <cmoomj...@outmatch.com> wrote:
> Haproxy Developers,
>
>
>
> I recently modified a configuration file for haproxy, and after 
> setting it up, I noticed that about half of my requests came back with 
> a 503 error, and the other half came back with the correct elements being 
> returned.
>
>
>
> After doing troubleshooting involving a test haproxy instance and 
> changing the IP address, I realized that I had mistakenly added the 
> same IP binding, 10.x.x.11:443, in two different frontends. As a 
> result, half of my requests had no matching path (we don’t use a 
> default backend), and the other half were responding correctly.
>
>
>
> Since I cannot think of a time when this would be desired behavior, 
> would it be possible to add a check on haproxy startup for the exact 
> same IP binding in multiple frontends of the same config file? This 
> could save me and others from possibly making this mistake in the future.

You can set noreuseport in the global section to guarantee that there is only a 
single socket bound to a port:

http://cbonte.github.io/haproxy-dconv/1.7/configuration.html#3.2-noreuseport



Lukas
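
Added example, not part of the original thread or of haproxy itself: a pre-deployment check of the kind requested above, reporting any address:port that is bound in more than one frontend or listen section. The sample config, its addresses and its section names are constructed; port ranges and address-family prefixes are compared as written, not expanded.

```python
from collections import defaultdict

# Keywords that open a new section in an haproxy configuration file.
SECTIONS = {"global", "defaults", "frontend", "backend", "listen",
            "userlist", "peers", "resolvers", "mailers"}

# Constructed sample config (addresses and names are illustrative).
SAMPLE = """\
global
    daemon
frontend fe_api
    bind 192.0.2.11:443 ssl crt /etc/haproxy/site.pem
    use_backend be_api if { path_beg /api }
frontend fe_web
    bind 192.0.2.11:443,192.0.2.12:443 ssl crt /etc/haproxy/site.pem
    use_backend be_web if { path_beg /app }
listen stats
    bind :8404
"""

def normalize(addr):
    """Canonical key for a bind address; ':443' and '*:443' are the same."""
    if ":" not in addr:          # e.g. a UNIX socket path
        return addr
    host, _, port = addr.rpartition(":")
    return f"{host or '*'}:{port}"

def duplicate_binds(config_text):
    """Map each address bound in more than one section to those sections."""
    owners = defaultdict(list)
    section = None
    for raw in config_text.splitlines():
        # Simplification: '#' always starts a comment (no quoting/escapes).
        tokens = raw.split("#", 1)[0].split()
        if not tokens:
            continue
        if tokens[0] in SECTIONS:
            section = " ".join(tokens[:2])
        elif (tokens[0] == "bind" and len(tokens) > 1 and section
              and section.split()[0] in ("frontend", "listen")):
            for addr in tokens[1].split(","):   # bind accepts a comma list
                key = normalize(addr)
                if section not in owners[key]:
                    owners[key].append(section)
    return {a: s for a, s in owners.items() if len(s) > 1}

if __name__ == "__main__":
    for addr, sections in duplicate_binds(SAMPLE).items():
        print(f"{addr} is bound in: {', '.join(sections)}")
```
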



RE: Issues with question mark in http-request deny

2017-06-27 Thread Moomjian, Chad
Thank you very much for this information. This is exactly what I was looking 
for.

Regards,
Chad

From: Michael Ezzell [mailto:mich...@ezzell.net]
Sent: Tuesday, June 27, 2017 3:28 PM
To: Moomjian, Chad <cmoomj...@outmatch.com>
Cc: haproxy@formilux.org
Subject: Re: Issues with question mark in http-request deny



On Tue, Jun 27, 2017 at 3:56 PM, Moomjian, Chad 
<cmoomj...@outmatch.com> wrote:
Hi,

I am running haproxy v1.6.4, and I am attempting to block a specific request 
regex pattern. I am encountering issues with matching the question mark in the 
request. What I would like to block is requests that match this pattern:
/api/…/…/sql?


The ? is the delimiter between path and query string (collectively, the 
"request URI").  It isn't valid for ? to appear in the path, so your regexes 
testing for this against the path fetch will never match.

You're looking for something more like this:

acl uri_sql capture.req.uri -m reg -i ^/api/(.*)?/sql\?.*$

http://cbonte.github.io/haproxy-dconv/1.6/configuration.html#7.3.6-capture.req.uri





Issues with question mark in http-request deny

2017-06-27 Thread Moomjian, Chad
Hi,

I am running haproxy v1.6.4, and I am attempting to block a specific request 
regex pattern. I am encountering issues with matching the question mark in the 
request. What I would like to block is requests that match this pattern:
/api/.../.../sql?

I would like to include the question mark on the end of the "/sql" but I am 
unable to find a regex string that works for this in haproxy. I have tried the 
following ACLs, which all worked in various regex testing sites (including ones 
specifically for POSIX regex, e.g. http://regjex.com):
acl uri_sql path_reg -i ^/api/(.*)?/sql\?.*$
acl uri_sql path_reg -i ^/api/(.*)?/sql\\?.*$
acl uri_sql path_reg -i ^/api/(.*)?/sql[?].*$

If I remove the question mark and search for the following, the regex works 
fine, but I would like for it to be more restrictive.
acl uri_sql path_reg -i ^/api/(.*)?/sql.*$

My deny line is as follows:
http-request deny if uri_sql

Can you please provide assistance?

Regards,

Chad Moomjian
Systems Administrator

OutMatch
972.233.6098 (direct)
1.800.283.6055 x116
www.outmatch.com