Re: SV: SV: Troubles with AND in acl
Henning,
hoping I understand your questions correctly.
On 1/7/22 12:07 AM, Henning Svane wrote:
I have multiple test of the type
http-request set-var(txn.xmail_eas) bool(1) if XMail { url_beg -i
/microsoft-server-activesync }
Do I do all the test and at the end for the frontend block
I'm afraid I don't understand that question.
Make the http-request tarpit if { var(txn.xmail_eas || txn.xmail_xxx) -m bool }
This is not valid syntax.
Or should I do a
http-request tarpit if { var(txn.xmail_eas) -m bool }
for each test and exit from the frontend block from there.
Normally when I code in c/c++ I prefere only to have one return in the
procedure, but what is best way in HAProxy because I will make a lot of
unnecessary test.
I don't understand what you mean my "a lot of unnecessary tests".
Also will a http-request tarpit if { var(txn.xmail_eas ) -m bool }
Work like a return so it exit from the frontend?
http-request tarpit is documented that it:
> This stops the evaluation of the rules
So no further rules will be processed once 'tarpit' is executed.
Best regards
Tim Düsterhus
SV: SV: Troubles with AND in acl
Hi Tim
What is best practis HAProxy?
I have multiple test of the type
http-request set-var(txn.xmail_eas) bool(1) if XMail { url_beg -i
/microsoft-server-activesync }
Do I do all the test and at the end for the frontend block
Make the http-request tarpit if { var(txn.xmail_eas || txn.xmail_xxx) -m bool }
Or should I do a
http-request tarpit if { var(txn.xmail_eas) -m bool }
for each test and exit from the frontend block from there.
Normally when I code in c/c++ I prefere only to have one return in the
procedure, but what is best way in HAProxy because I will make a lot of
unnecessary test.
Also will a http-request tarpit if { var(txn.xmail_eas ) -m bool }
Work like a return so it exit from the frontend?
Regards
Henning
-Oprindelig meddelelse-
Fra: Tim Düsterhus
Sendt: 2. januar 2022 17:04
Til: Henning Svane ; Aleksandar Lazic ;
haproxy@formilux.org
Emne: Re: SV: Troubles with AND in acl
Henning,
On 1/2/22 4:00 PM, Henning Svane wrote:
> This can be parsed
> acl XMail_EAS url_beg -i /microsoft-server-activesync && XMail but
> this will not acl XMail_EAS XMail && url_beg -i
> /microsoft-server-activesync error detected while parsing ACL
> 'XMail_EAS' : unknown fetch method 'XMail' in ACL expression 'XMail'.
HAProxy does not support logical conjunctions within an ACL definition.
You can use a variable as a workaround:
http-request set-var(txn.xmail_eas) bool(1) if XMail { url_beg -i
/microsoft-server-activesync } http-request tarpit if { var(txn.xmail_eas) -m
bool }
Best regards
Tim Düsterhus
Re: SV: Troubles with AND in acl
Henning,
On 1/2/22 4:00 PM, Henning Svane wrote:
This can be parsed
acl XMail_EAS url_beg -i /microsoft-server-activesync && XMail
but this will not
acl XMail_EAS XMail && url_beg -i /microsoft-server-activesync
error detected while parsing ACL 'XMail_EAS' : unknown fetch method 'XMail' in
ACL expression 'XMail'.
HAProxy does not support logical conjunctions within an ACL definition.
You can use a variable as a workaround:
http-request set-var(txn.xmail_eas) bool(1) if XMail { url_beg -i
/microsoft-server-activesync }
http-request tarpit if { var(txn.xmail_eas) -m bool }
Best regards
Tim Düsterhus
SV: Troubles with AND in acl
Hi Aleksandar
Thanks that help, but still gives me problems
This can be parsed
acl XMail_EAS url_beg -i /microsoft-server-activesync && XMail
but this will not
acl XMail_EAS XMail && url_beg -i /microsoft-server-activesync
error detected while parsing ACL 'XMail_EAS' : unknown fetch method 'XMail' in
ACL expression 'XMail'.
But when the parser accepts acl XMail_EAS , but not acl XMail_EAS_NoAccess, and
I have tried with or without surrounding { }
acl XMail_EAS url_beg -i /microsoft-server-activesync && XMail
acl XMail_EAS_NoAccess { url_beg -i /microsoft-server-activesync } && {
status 401 || status 403 }
http-request track-sc1 src table Table_SRC_XMail_EAS_L4 if
XMail_EAS_NoAccess
http-request tarpit deny_status 429 if XMail_EAS && {
sc_http_req_rate(1) gt 10 }
[ALERT](436347) : config : parsing [/home/odin/haproxy01.cfg:108] : error
detected while parsing ACL 'XMail_EAS_NoAccess' : missing fetch method in ACL
expression '{'.
[ALERT](436347) : config : parsing [/home/odin/haproxy01.cfg:110] : error
detected while parsing an 'http-request track-sc1' condition : no such ACL :
'XMail_EAS_NoAccess'.
Also is there a way to create constants so instead of writing 10 in many lines
I could use a constant which have the value 10.
I hope you can help me understand what I do wrong here.
To your question to the version I use:
Haproxy -vv
HAProxy version 2.5.0-1ppa1~focal 2021/11/26 - https://haproxy.org/
Status: stable branch - will stop receiving fixes around Q1 2023.
Known bugs: http://www.haproxy.org/bugs/bugs-2.5.0.html
Running on: Linux 5.4.0-91-generic #102-Ubuntu SMP Fri Nov 5 16:31:28 UTC 2021
x86_64
Build options :
TARGET = linux-glibc
CPU = generic
CC = cc
CFLAGS = -O2 -g -O2 -fdebug-prefix-map=/build/haproxy-IUgeIz/haproxy-2.5.0=.
-fstack-protector-strong -Wformat -Werror=format-security -Wdate-time
-D_FORTIFY_SOURCE=2 -Wall -Wextra -Wundef -Wdeclaration-after-statement -fwrapv
-Wno-address-of-packed-member -Wno-unused-label -Wno-sign-compare
-Wno-unused-parameter -Wno-clobbered -Wno-missing-field-initializers
-Wno-cast-function-type -Wtype-limits -Wshift-negative-value -Wshift-overflow=2
-Wduplicated-cond -Wnull-dereference
OPTIONS = USE_PCRE2=1 USE_PCRE2_JIT=1 USE_OPENSSL=1 USE_LUA=1 USE_SLZ=1
USE_SYSTEMD=1 USE_PROMEX=1
DEBUG =
Feature list : +EPOLL -KQUEUE +NETFILTER -PCRE -PCRE_JIT +PCRE2 +PCRE2_JIT
+POLL +THREAD +BACKTRACE -STATIC_PCRE -STATIC_PCRE2 +TPROXY +LINUX_TPROXY
+LINUX_SPLICE +LIBCRYPT +CRYPT_H +GETADDRINFO +OPENSSL +LUA +ACCEPT4 -CLOSEFROM
-ZLIB +SLZ +CPU_AFFINITY +TFO +NS +DL +RT -DEVICEATLAS -51DEGREES -WURFL
+SYSTEMD -OBSOLETE_LINKER +PRCTL -PROCCTL +THREAD_DUMP -EVPORTS -OT -QUIC
+PROMEX -MEMORY_PROFILING
Default settings :
bufsize = 16384, maxrewrite = 1024, maxpollevents = 200
Built with multi-threading support (MAX_THREADS=64, default=2).
Built with OpenSSL version : OpenSSL 1.1.1f 31 Mar 2020
Running on OpenSSL version : OpenSSL 1.1.1f 31 Mar 2020
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
Built with Lua version : Lua 5.3.3
Built with the Prometheus exporter as a service
Built with network namespace support.
Built with libslz for stateless compression.
Compression algorithms supported : identity("identity"), deflate("deflate"),
raw-deflate("deflate"), gzip("gzip")
Support for malloc_trim() is enabled.
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT
IP_FREEBIND
Built with PCRE2 version : 10.34 2019-11-21
PCRE2 library supports JIT : yes
Encrypted password support via crypt(3): yes
Built with gcc compiler version 9.3.0
Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.
Available multiplexer protocols :
(protocols marked as cannot be specified using 'proto' keyword)
h2 : mode=HTTP side=FE|BE mux=H2
flags=HTX|CLEAN_ABRT|HOL_RISK|NO_UPG
fcgi : mode=HTTP side=BEmux=FCGI
flags=HTX|HOL_RISK|NO_UPG
: mode=HTTP side=FE|BE mux=H1 flags=HTX
h1 : mode=HTTP side=FE|BE mux=H1 flags=HTX|NO_UPG
: mode=TCPside=FE|BE mux=PASS flags=
none : mode=TCPside=FE|BE mux=PASS flags=NO_UPG
Available services : prometheus-exporter
Available filters :
[SPOE] spoe
[CACHE] cache
[FCGI] fcgi-app
[COMP] compression
[TRACE] trace
Regards
Henning
-Oprindelig meddelelse-
Fra: Aleksandar Lazic
Sendt: 2. januar 2022 00:49
Til: Henning Svane ; haproxy@formilux.org
Emne: Re: Troubles with AND in acl
Hi.
On 01.01.22 20:56, Henning Svane wrote:
> Hi
>
&g
Re: Troubles with AND in acl
Hi.
On 01.01.22 20:56, Henning Svane wrote:
Hi
I have used it for some time in PFsense, but know made a Linux installation and now the configuration
give me some troubles.
What have I done wrong here below?
As I cannot see what I should have done different, but sudo haproxy -c -f /etc/haproxy/haproxy01.cfg
gives the following errors
error detected while parsing ACL 'XMail_EAS' : unknown fetch method 'if' in ACL
expression 'if'.
error detected while parsing an 'http-request track-sc1' condition : unknown fetch method 'XMail_EAS'
in ACL expression 'XMail_EAS'.
I have tried with { } around but that did not help
"if" is not a valid keyword for "acl" line.
http://cbonte.github.io/haproxy-dconv/2.4/configuration.html#7
Configuration:
bind 10.40.61.10:443 ssl crt /etc/haproxy/crt/mail_domain_com.pem alpn
h2,http/1.1
acl XMail hdr(host) -i mail.domain.com autodiscover.domain.com
http-request redirect scheme https code 301 if !{ ssl_fc }
acl XMail_EAS if XMail AND {url_beg -i /microsoft-server-activesync}
This works.
acl XMail hdr(host) -i mail.domain.com autodiscover.domain.com
acl MS_ACT url_beg -i /microsoft-server-activesync
http-request track-sc1 src table Table_SRC_XMail_EAS_L4 if XMail MS_ACT
The AND is implicit.
http://cbonte.github.io/haproxy-dconv/2.4/configuration.html#7.2
http-request track-sc1 src table Table_SRC_XMail_EAS_L4 if { XMail_EAS } {
status 401 } { status 403 }
http-request tarpit deny_status 429 if { XMail_EAS} { sc_http_req_rate(1) gt
10 }
Please can you share some more information's.
haproxy -vv
Regards
Henning
Regards
Alex
Troubles with AND in acl
Hi
I have used it for some time in PFsense, but know made a Linux installation and
now the configuration give me some troubles.
What have I done wrong here below?
As I cannot see what I should have done different, but sudo haproxy -c -f
/etc/haproxy/haproxy01.cfg gives the following errors
error detected while parsing ACL 'XMail_EAS' : unknown fetch method 'if' in ACL
expression 'if'.
error detected while parsing an 'http-request track-sc1' condition : unknown
fetch method 'XMail_EAS' in ACL expression 'XMail_EAS'.
I have tried with { } around but that did not help
Configuration:
bind 10.40.61.10:443 ssl crt /etc/haproxy/crt/mail_domain_com.pem alpn
h2,http/1.1
acl XMail hdr(host) -i mail.domain.com autodiscover.domain.com
http-request redirect scheme https code 301 if !{ ssl_fc }
acl XMail_EAS if XMail AND {url_beg -i /microsoft-server-activesync}
http-request track-sc1 src table Table_SRC_XMail_EAS_L4 if { XMail_EAS } {
status 401 } { status 403 }
http-request tarpit deny_status 429 if { XMail_EAS} { sc_http_req_rate(1) gt
10 }
Regards
Henning
