Re: ACL ordering/processing

2014-07-16 Thread Pavlos Parissis
On 16/07/2014 08:31 AM, Baptiste wrote:
> On Tue, Jul 15, 2014 at 7:14 PM, Pavlos Parissis
>  wrote:
>> On 15/07/2014 05:49 PM, Baptiste wrote:
>>> On Tue, Jul 15, 2014 at 12:40 AM, bjun...@gmail.com  
>>> wrote:
>>>> Hi folks,
>>>>
>>>> I've a question regarding the ordering/processing of ACL's.
>>>>
>>>> Example (HAProxy 1.4.24):
>>>>
>>>> frontend http_in
>>>> .
>>>> .
>>>>
>>>> acl  is_example.com  hdr_beg(host) -i example.com
>>>>
>>>> acl  check_id  url_reg   code=(1001|1002|)
>>>>
>>>> acl  check_id  url_reg   code=(3000|4001|)
>>>>
>>>> use_backend  node01 if  is_example.com  check_id
>>>>
>>>> acl  is_example.de  hdr_beg(host) -i example.de
>>>>
>>>> acl  check_id  url_reg   code=(6573|7890)
>>>>
>>>> use_backend  node02 if  is_example.de  check_id
>>>>
>>>> I assumed that the "check_id" - ACL from the second block wouldn't be
>>>> combined/OR'ed with the 2 "check_id" - ACL's from the first block
>>>> (because of the other configuration statements in between).
>>>>
>>>> But they are combined/OR'ed, is this behavior intended ?
>>>>
>>>> Thanks,
>>>> ---
>>>>
>>>> Bjoern

>>>
>>> Hi Bjoern,
>>>
>>> ACLs are processed only if they are called by a directive.
>>> When many ACLs are called by a directive, an implicit logical AND is 
>>> applied.
>>> An explicit logical OR can be declared as well.
>>> When an AND is applied between many ACLs, HAProxy stops processing them
>>> as soon as one is wrong.
>>> When an OR is applied between many ACLs, HAProxy stops processing them
>>> as soon as one is true.
>>>
>>> Some ACLs are cheaper to run than others, make your choice :)
>>>
>>> Side note, to avoid any mistake in your conf:
>>>   acl  is_example.de  hdr_beg(host) -i example.de
>>> => this will match http://example.de/path/path/blah.php
>>>  or  http://example.de.google.com/path/path/blah.php
>>>
>>> you might want to match this:
>>>   acl  is_example.de  hdr_end(host) -i example.de
>>>
>>
>>
>> Is the URI part of the Host header?
>>
>> Cheers,
>> Pavlos
>>
>>
>>
> 
> Hi Pavlos,
> 
> Not at all, sorry for the confusion.

I wasn't confused, just checking that there isn't any specific 'thing'
in HAProxy which will add the URI to the specific header; I never thought
there would be such a thing.


> Your browser should split your URL in 2 parts:
> - Host header containing the hostname of the service
> - url path
> 
> http://my.domain.tld/path will be sent as
> 
> GET /path HTTP/1.1
> Host: my.domain.tld
> 
> 
> Baptiste
> 






Re: ACL ordering/processing

2014-07-15 Thread Baptiste
On Tue, Jul 15, 2014 at 7:14 PM, Pavlos Parissis
 wrote:
> On 15/07/2014 05:49 PM, Baptiste wrote:
>> On Tue, Jul 15, 2014 at 12:40 AM, bjun...@gmail.com  
>> wrote:
>>> Hi folks,
>>>
>>>
>>> I've a question regarding the ordering/processing of ACL's.
>>>
>>>
>>>
>>> Example (HAProxy 1.4.24):
>>>
>>>
>>> 
>>>
>>> frontend http_in
>>> .
>>> .
>>>
>>>
>>> acl  is_example.com  hdr_beg(host) -i example.com
>>>
>>> acl  check_id  url_reg   code=(1001|1002|)
>>>
>>> acl  check_id  url_reg   code=(3000|4001|)
>>>
>>> use_backend  node01 if  is_example.com  check_id
>>>
>>>
>>>
>>> acl  is_example.de  hdr_beg(host) -i example.de
>>>
>>> acl  check_id  url_reg   code=(6573|7890)
>>>
>>> use_backend  node02 if  is_example.de  check_id
>>>
>>>
>>> 
>>>
>>>
>>>
>>> I assumed that the "check_id" - ACL from the second block wouldn't be
>>> combined/OR'ed with the 2 "check_id" - ACL's from the first block
>>> (because of the other configuration statements in between).
>>>
>>>
>>>
>>> But they are combined/OR'ed, is this behavior intended ?
>>>
>>>
>>>
>>> Thanks,
>>> ---
>>>
>>> Bjoern
>>>
>>
>> Hi Bjoern,
>>
>> ACLs are processed only if they are called by a directive.
>> When many ACLs are called by a directive, an implicit logical AND is applied.
>> An explicit logical OR can be declared as well.
>> When an AND is applied between many ACLs, HAProxy stops processing them
>> as soon as one is wrong.
>> When an OR is applied between many ACLs, HAProxy stops processing them
>> as soon as one is true.
>>
>> Some ACLs are cheaper to run than others, make your choice :)
>>
>> Side note, to avoid any mistake in your conf:
>>   acl  is_example.de  hdr_beg(host) -i example.de
>> => this will match http://example.de/path/path/blah.php
>>  or  http://example.de.google.com/path/path/blah.php
>>
>> you might want to match this:
>>   acl  is_example.de  hdr_end(host) -i example.de
>>
>
>
> Is the URI part of the Host header?
>
> Cheers,
> Pavlos
>
>
>

Hi Pavlos,

Not at all, sorry for the confusion.
Your browser should split your URL in 2 parts:
- Host header containing the hostname of the service
- url path

http://my.domain.tld/path will be sent as

GET /path HTTP/1.1
Host: my.domain.tld


Baptiste



Re: ACL ordering/processing

2014-07-15 Thread Pavlos Parissis
On 15/07/2014 05:49 PM, Baptiste wrote:
> On Tue, Jul 15, 2014 at 12:40 AM, bjun...@gmail.com  wrote:
>> Hi folks,
>>
>>
>> I've a question regarding the ordering/processing of ACL's.
>>
>>
>>
>> Example (HAProxy 1.4.24):
>>
>>
>> 
>>
>> frontend http_in
>> .
>> .
>>
>>
>> acl  is_example.com  hdr_beg(host) -i example.com
>>
>> acl  check_id  url_reg   code=(1001|1002|)
>>
>> acl  check_id  url_reg   code=(3000|4001|)
>>
>> use_backend  node01 if  is_example.com  check_id
>>
>>
>>
>> acl  is_example.de  hdr_beg(host) -i example.de
>>
>> acl  check_id  url_reg   code=(6573|7890)
>>
>> use_backend  node02 if  is_example.de  check_id
>>
>>
>> 
>>
>>
>>
>> I assumed that the "check_id" - ACL from the second block wouldn't be
>> combined/OR'ed with the 2 "check_id" - ACL's from the first block
>> (because of the other configuration statements in between).
>>
>>
>>
>> But they are combined/OR'ed, is this behavior intended ?
>>
>>
>>
>> Thanks,
>> ---
>>
>> Bjoern
>>
> 
> Hi Bjoern,
> 
> ACLs are processed only if they are called by a directive.
> When many ACLs are called by a directive, an implicit logical AND is applied.
> An explicit logical OR can be declared as well.
> When an AND is applied between many ACLs, HAProxy stops processing them
> as soon as one is wrong.
> When an OR is applied between many ACLs, HAProxy stops processing them
> as soon as one is true.
> 
> Some ACLs are cheaper to run than others, make your choice :)
> 
> Side note, to avoid any mistake in your conf:
>   acl  is_example.de  hdr_beg(host) -i example.de
> => this will match http://example.de/path/path/blah.php
>  or  http://example.de.google.com/path/path/blah.php
> 
> you might want to match this:
>   acl  is_example.de  hdr_end(host) -i example.de
> 


Is the URI part of the Host header?

Cheers,
Pavlos







Re: ACL ordering/processing

2014-07-15 Thread Baptiste
On Tue, Jul 15, 2014 at 12:40 AM, bjun...@gmail.com  wrote:
> Hi folks,
>
>
> I've a question regarding the ordering/processing of ACL's.
>
>
>
> Example (HAProxy 1.4.24):
>
>
> 
>
> frontend http_in
> .
> .
>
>
> acl  is_example.com  hdr_beg(host) -i example.com
>
> acl  check_id  url_reg   code=(1001|1002|)
>
> acl  check_id  url_reg   code=(3000|4001|)
>
> use_backend  node01 if  is_example.com  check_id
>
>
>
> acl  is_example.de  hdr_beg(host) -i example.de
>
> acl  check_id  url_reg   code=(6573|7890)
>
> use_backend  node02 if  is_example.de  check_id
>
>
> 
>
>
>
> I assumed that the "check_id" - ACL from the second block wouldn't be
> combined/OR'ed with the 2 "check_id" - ACL's from the first block
> (because of the other configuration statements in between).
>
>
>
> But they are combined/OR'ed, is this behavior intended ?
>
>
>
> Thanks,
> ---
>
> Bjoern
>

Hi Bjoern,

ACLs are processed only if they are called by a directive.
When many ACLs are called by a directive, an implicit logical AND is applied.
An explicit logical OR can be declared as well.
When an AND is applied between many ACLs, HAProxy stops processing them
as soon as one is wrong.
When an OR is applied between many ACLs, HAProxy stops processing them
as soon as one is true.

Some ACLs are cheaper to run than others, make your choice :)

Side note, to avoid any mistake in your conf:
  acl  is_example.de  hdr_beg(host) -i example.de
=> this will match http://example.de/path/path/blah.php
 or  http://example.de.google.com/path/path/blah.php

you might want to match this:
  acl  is_example.de  hdr_end(host) -i example.de

Baptiste
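
The prefix and suffix matching described in the message above, modelled in Python as an added example (not part of the original thread and not HAProxy code). `host_is`, `compare` and the `HOSTS` values are hypothetical names and constructed inputs; the model shows which Host values each style of match accepts, including names and ports the message does not discuss.

```python
def hdr_beg(host, pattern):
    """Model of `hdr_beg(host) -i`: case-insensitive prefix match."""
    return host.lower().startswith(pattern.lower())

def hdr_end(host, pattern):
    """Model of `hdr_end(host) -i`: case-insensitive suffix match."""
    return host.lower().endswith(pattern.lower())

def host_is(host, domain):
    """Hypothetical stricter check: drop :port and a trailing dot, then accept
    only the domain itself or a name ending in '.' + domain."""
    name = host.strip().lower()
    if not name.startswith("["):       # leave bracketed IPv6 literals alone
        name = name.split(":", 1)[0]
    name = name.rstrip(".")
    domain = domain.lower()
    return name == domain or name.endswith("." + domain)

# Constructed Host header values; the third is the one from the thread.
HOSTS = ["example.de", "www.example.de", "example.de.google.com",
         "notexample.de", "example.de:8080"]

def compare(domain="example.de"):
    """Map each sample host to (hdr_beg, hdr_end, host_is) results."""
    return {h: (hdr_beg(h, domain), hdr_end(h, domain), host_is(h, domain))
            for h in HOSTS}

if __name__ == "__main__":
    for host, result in compare().items():
        print(f"{host:24} beg={result[0]!s:5} end={result[1]!s:5} strict={result[2]}")
```
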



Re: ACL ordering/processing

2014-07-14 Thread Cyril Bonté

Hi,

On 15/07/2014 00:40, bjun...@gmail.com wrote:

> Hi folks,
>
> I've a question regarding the ordering/processing of ACL’s.
>
> Example (HAProxy 1.4.24):
>
> frontend http_in
>
> acl  is_example.com  hdr_beg(host) -i example.com
> acl  check_id  url_reg   code=(1001|1002|)
> acl  check_id  url_reg   code=(3000|4001|)
>
> use_backend  node01 if  is_example.com  check_id
>
> acl  is_example.de  hdr_beg(host) -i example.de
> acl  check_id  url_reg   code=(6573|7890)
>
> use_backend  node02 if  is_example.de  check_id
>
> I assumed that the “check_id” - ACL from the second block wouldn’t be
> combined/OR’ed with the 2 “check_id” - ACL’s from the first block
> (because of the other configuration statements in between).
>
> But they are combined/OR’ed, is this behavior intended ?


Yes, it is ;-)
acl scope is global to the frontend/backend where it has been declared.

--
Cyril Bonté
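
A configuration check for the behaviour confirmed above, added here as an example (not part of the original thread and not HAProxy code): it flags any `acl` line that adds patterns to a name an earlier rule in the same section already uses. `late_redeclarations`, `acl_matches` and `SAMPLE` are hypothetical names; the sample is constructed from the posted frontend with the trailing empty regex alternative left out, only named ACLs are handled, and Python's `re` stands in for `url_reg`.

```python
import re

# Constructed sample modelled on the frontend in this thread; the trailing
# empty alternative in the posted regexes is left out.
SAMPLE = """\
frontend http_in
    acl is_example.com hdr_beg(host) -i example.com
    acl check_id url_reg code=(1001|1002)
    acl check_id url_reg code=(3000|4001)
    use_backend node01 if is_example.com check_id

    acl is_example.de hdr_beg(host) -i example.de
    acl check_id url_reg code=(6573|7890)
    use_backend node02 if is_example.de check_id
"""

SECTION = re.compile(r"^(frontend|backend|listen|defaults|global)$")

def late_redeclarations(config):
    """Return (section, acl_name, line_no) for each acl line that adds
    patterns to a name already used by an earlier rule in the same section."""
    findings, section, used = [], None, set()
    for line_no, raw in enumerate(config.splitlines(), 1):
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if SECTION.match(words[0]):
            section, used = " ".join(words[:2]), set()  # ACL names are per section
        elif words[0] == "acl" and len(words) > 1:
            if words[1] in used:
                findings.append((section, words[1], line_no))
        else:
            for kw in ("if", "unless"):
                if kw in words:
                    cond = words[words.index(kw) + 1:]
                    used.update(w.lstrip("!") for w in cond if w not in ("or", "||"))
    return findings

def acl_matches(config, name, url):
    """True if any pattern declared under `name` matches: same-name acl lines
    are OR'ed. Python's re stands in for url_reg; single-section input only."""
    patterns = [l.split()[-1] for l in config.splitlines()
                if l.split()[:2] == ["acl", name]]
    return any(re.search(p, url) for p in patterns)

if __name__ == "__main__":
    print(late_redeclarations(SAMPLE))
    print(acl_matches(SAMPLE, "check_id", "/order?code=6573"))  # constructed URL
```

Giving each block its own ACL name (for instance one name per host) clears the finding and keeps the two code lists apart.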



ACL ordering/processing

2014-07-14 Thread bjun...@gmail.com
Hi folks,


I've a question regarding the ordering/processing of ACL’s.



Example (HAProxy 1.4.24):




frontend http_in
.
.


acl  is_example.com  hdr_beg(host) -i example.com

acl  check_id  url_reg   code=(1001|1002|)

acl  check_id  url_reg   code=(3000|4001|)

use_backend  node01 if  is_example.com  check_id



acl  is_example.de  hdr_beg(host) -i example.de

acl  check_id  url_reg   code=(6573|7890)

use_backend  node02 if  is_example.de  check_id






I assumed that the “check_id” - ACL from the second block wouldn’t be
combined/OR’ed with the 2 “check_id” - ACL’s from the first block
(because of the other configuration statements in between).



But they are combined/OR’ed, is this behavior intended ?



Thanks,
---

Bjoern