Re: SV: SV: Troubles with AND in acl
Henning, hoping I understand your questions correctly. On 1/7/22 12:07 AM, Henning Svane wrote: I have multiple test of the type http-request set-var(txn.xmail_eas) bool(1) if XMail { url_beg -i /microsoft-server-activesync } Do I do all the test and at the end for the frontend block I'm afraid I don't understand that question. Make the http-request tarpit if { var(txn.xmail_eas || txn.xmail_xxx) -m bool } This is not valid syntax. Or should I do a http-request tarpit if { var(txn.xmail_eas) -m bool } for each test and exit from the frontend block from there. Normally when I code in c/c++ I prefere only to have one return in the procedure, but what is best way in HAProxy because I will make a lot of unnecessary test. I don't understand what you mean my "a lot of unnecessary tests". Also will a http-request tarpit if { var(txn.xmail_eas ) -m bool } Work like a return so it exit from the frontend? http-request tarpit is documented that it: > This stops the evaluation of the rules So no further rules will be processed once 'tarpit' is executed. Best regards Tim Düsterhus
SV: SV: Troubles with AND in acl
Hi Tim What is best practis HAProxy? I have multiple test of the type http-request set-var(txn.xmail_eas) bool(1) if XMail { url_beg -i /microsoft-server-activesync } Do I do all the test and at the end for the frontend block Make the http-request tarpit if { var(txn.xmail_eas || txn.xmail_xxx) -m bool } Or should I do a http-request tarpit if { var(txn.xmail_eas) -m bool } for each test and exit from the frontend block from there. Normally when I code in c/c++ I prefere only to have one return in the procedure, but what is best way in HAProxy because I will make a lot of unnecessary test. Also will a http-request tarpit if { var(txn.xmail_eas ) -m bool } Work like a return so it exit from the frontend? Regards Henning -Oprindelig meddelelse- Fra: Tim Düsterhus Sendt: 2. januar 2022 17:04 Til: Henning Svane ; Aleksandar Lazic ; haproxy@formilux.org Emne: Re: SV: Troubles with AND in acl Henning, On 1/2/22 4:00 PM, Henning Svane wrote: > This can be parsed > acl XMail_EAS url_beg -i /microsoft-server-activesync && XMail but > this will not acl XMail_EAS XMail && url_beg -i > /microsoft-server-activesync error detected while parsing ACL > 'XMail_EAS' : unknown fetch method 'XMail' in ACL expression 'XMail'. HAProxy does not support logical conjunctions within an ACL definition. You can use a variable as a workaround: http-request set-var(txn.xmail_eas) bool(1) if XMail { url_beg -i /microsoft-server-activesync } http-request tarpit if { var(txn.xmail_eas) -m bool } Best regards Tim Düsterhus
Re: SV: Troubles with AND in acl
Henning, On 1/2/22 4:00 PM, Henning Svane wrote: This can be parsed acl XMail_EAS url_beg -i /microsoft-server-activesync && XMail but this will not acl XMail_EAS XMail && url_beg -i /microsoft-server-activesync error detected while parsing ACL 'XMail_EAS' : unknown fetch method 'XMail' in ACL expression 'XMail'. HAProxy does not support logical conjunctions within an ACL definition. You can use a variable as a workaround: http-request set-var(txn.xmail_eas) bool(1) if XMail { url_beg -i /microsoft-server-activesync } http-request tarpit if { var(txn.xmail_eas) -m bool } Best regards Tim Düsterhus
SV: Troubles with AND in acl
Hi Aleksandar Thanks that help, but still gives me problems This can be parsed acl XMail_EAS url_beg -i /microsoft-server-activesync && XMail but this will not acl XMail_EAS XMail && url_beg -i /microsoft-server-activesync error detected while parsing ACL 'XMail_EAS' : unknown fetch method 'XMail' in ACL expression 'XMail'. But when the parser accepts acl XMail_EAS , but not acl XMail_EAS_NoAccess, and I have tried with or without surrounding { } acl XMail_EAS url_beg -i /microsoft-server-activesync && XMail acl XMail_EAS_NoAccess { url_beg -i /microsoft-server-activesync } && { status 401 || status 403 } http-request track-sc1 src table Table_SRC_XMail_EAS_L4 if XMail_EAS_NoAccess http-request tarpit deny_status 429 if XMail_EAS && { sc_http_req_rate(1) gt 10 } [ALERT](436347) : config : parsing [/home/odin/haproxy01.cfg:108] : error detected while parsing ACL 'XMail_EAS_NoAccess' : missing fetch method in ACL expression '{'. [ALERT](436347) : config : parsing [/home/odin/haproxy01.cfg:110] : error detected while parsing an 'http-request track-sc1' condition : no such ACL : 'XMail_EAS_NoAccess'. Also is there a way to create constants so instead of writing 10 in many lines I could use a constant which have the value 10. I hope you can help me understand what I do wrong here. To your question to the version I use: Haproxy -vv HAProxy version 2.5.0-1ppa1~focal 2021/11/26 - https://haproxy.org/ Status: stable branch - will stop receiving fixes around Q1 2023. Known bugs: http://www.haproxy.org/bugs/bugs-2.5.0.html Running on: Linux 5.4.0-91-generic #102-Ubuntu SMP Fri Nov 5 16:31:28 UTC 2021 x86_64 Build options : TARGET = linux-glibc CPU = generic CC = cc CFLAGS = -O2 -g -O2 -fdebug-prefix-map=/build/haproxy-IUgeIz/haproxy-2.5.0=. -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -Wall -Wextra -Wundef -Wdeclaration-after-statement -fwrapv -Wno-address-of-packed-member -Wno-unused-label -Wno-sign-compare -Wno-unused-parameter -Wno-clobbered -Wno-missing-field-initializers -Wno-cast-function-type -Wtype-limits -Wshift-negative-value -Wshift-overflow=2 -Wduplicated-cond -Wnull-dereference OPTIONS = USE_PCRE2=1 USE_PCRE2_JIT=1 USE_OPENSSL=1 USE_LUA=1 USE_SLZ=1 USE_SYSTEMD=1 USE_PROMEX=1 DEBUG = Feature list : +EPOLL -KQUEUE +NETFILTER -PCRE -PCRE_JIT +PCRE2 +PCRE2_JIT +POLL +THREAD +BACKTRACE -STATIC_PCRE -STATIC_PCRE2 +TPROXY +LINUX_TPROXY +LINUX_SPLICE +LIBCRYPT +CRYPT_H +GETADDRINFO +OPENSSL +LUA +ACCEPT4 -CLOSEFROM -ZLIB +SLZ +CPU_AFFINITY +TFO +NS +DL +RT -DEVICEATLAS -51DEGREES -WURFL +SYSTEMD -OBSOLETE_LINKER +PRCTL -PROCCTL +THREAD_DUMP -EVPORTS -OT -QUIC +PROMEX -MEMORY_PROFILING Default settings : bufsize = 16384, maxrewrite = 1024, maxpollevents = 200 Built with multi-threading support (MAX_THREADS=64, default=2). Built with OpenSSL version : OpenSSL 1.1.1f 31 Mar 2020 Running on OpenSSL version : OpenSSL 1.1.1f 31 Mar 2020 OpenSSL library supports TLS extensions : yes OpenSSL library supports SNI : yes OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3 Built with Lua version : Lua 5.3.3 Built with the Prometheus exporter as a service Built with network namespace support. Built with libslz for stateless compression. Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip") Support for malloc_trim() is enabled. Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND Built with PCRE2 version : 10.34 2019-11-21 PCRE2 library supports JIT : yes Encrypted password support via crypt(3): yes Built with gcc compiler version 9.3.0 Available polling systems : epoll : pref=300, test result OK poll : pref=200, test result OK select : pref=150, test result OK Total: 3 (3 usable), will use epoll. Available multiplexer protocols : (protocols marked as cannot be specified using 'proto' keyword) h2 : mode=HTTP side=FE|BE mux=H2 flags=HTX|CLEAN_ABRT|HOL_RISK|NO_UPG fcgi : mode=HTTP side=BEmux=FCGI flags=HTX|HOL_RISK|NO_UPG : mode=HTTP side=FE|BE mux=H1 flags=HTX h1 : mode=HTTP side=FE|BE mux=H1 flags=HTX|NO_UPG : mode=TCPside=FE|BE mux=PASS flags= none : mode=TCPside=FE|BE mux=PASS flags=NO_UPG Available services : prometheus-exporter Available filters : [SPOE] spoe [CACHE] cache [FCGI] fcgi-app [COMP] compression [TRACE] trace Regards Henning -Oprindelig meddelelse- Fra: Aleksandar Lazic Sendt: 2. januar 2022 00:49 Til: Henning Svane ; haproxy@formilux.org Emne: Re: Troubles with AND in acl Hi. On 01.01.22 20:56, Henning Svane wrote: > Hi > &g
Re: Troubles with AND in acl
Hi. On 01.01.22 20:56, Henning Svane wrote: Hi I have used it for some time in PFsense, but know made a Linux installation and now the configuration give me some troubles. What have I done wrong here below? As I cannot see what I should have done different, but sudo haproxy -c -f /etc/haproxy/haproxy01.cfg gives the following errors error detected while parsing ACL 'XMail_EAS' : unknown fetch method 'if' in ACL expression 'if'. error detected while parsing an 'http-request track-sc1' condition : unknown fetch method 'XMail_EAS' in ACL expression 'XMail_EAS'. I have tried with { } around but that did not help "if" is not a valid keyword for "acl" line. http://cbonte.github.io/haproxy-dconv/2.4/configuration.html#7 Configuration: bind 10.40.61.10:443 ssl crt /etc/haproxy/crt/mail_domain_com.pem alpn h2,http/1.1 acl XMail hdr(host) -i mail.domain.com autodiscover.domain.com http-request redirect scheme https code 301 if !{ ssl_fc } acl XMail_EAS if XMail AND {url_beg -i /microsoft-server-activesync} This works. acl XMail hdr(host) -i mail.domain.com autodiscover.domain.com acl MS_ACT url_beg -i /microsoft-server-activesync http-request track-sc1 src table Table_SRC_XMail_EAS_L4 if XMail MS_ACT The AND is implicit. http://cbonte.github.io/haproxy-dconv/2.4/configuration.html#7.2 http-request track-sc1 src table Table_SRC_XMail_EAS_L4 if { XMail_EAS } { status 401 } { status 403 } http-request tarpit deny_status 429 if { XMail_EAS} { sc_http_req_rate(1) gt 10 } Please can you share some more information's. haproxy -vv Regards Henning Regards Alex
Troubles with AND in acl
Hi I have used it for some time in PFsense, but know made a Linux installation and now the configuration give me some troubles. What have I done wrong here below? As I cannot see what I should have done different, but sudo haproxy -c -f /etc/haproxy/haproxy01.cfg gives the following errors error detected while parsing ACL 'XMail_EAS' : unknown fetch method 'if' in ACL expression 'if'. error detected while parsing an 'http-request track-sc1' condition : unknown fetch method 'XMail_EAS' in ACL expression 'XMail_EAS'. I have tried with { } around but that did not help Configuration: bind 10.40.61.10:443 ssl crt /etc/haproxy/crt/mail_domain_com.pem alpn h2,http/1.1 acl XMail hdr(host) -i mail.domain.com autodiscover.domain.com http-request redirect scheme https code 301 if !{ ssl_fc } acl XMail_EAS if XMail AND {url_beg -i /microsoft-server-activesync} http-request track-sc1 src table Table_SRC_XMail_EAS_L4 if { XMail_EAS } { status 401 } { status 403 } http-request tarpit deny_status 429 if { XMail_EAS} { sc_http_req_rate(1) gt 10 } Regards Henning