Re: issue with acl pattern -m match on a string starting with space or containing a comma, with 1.5-dev21

2014-01-17 Thread Thierry FOURNIER
Hi,

First, you must not escape the comma character.

The fetch method hdr splits a multivalue header before the pattern
matching operation. A User-Agent header containing a comma is
processed like two headers:

   Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML

and

   like Gecko) Chrome/32.0.1700.76 Safari/537.36

If you want to apply an ACL on the full value of the header, you must use
req.fhdr ('f' like 'full'). The following configuration runs as expected:

   acl ACL2 req.fhdr(User-Agent) -m str Mozilla/5.0\ (Windows\ NT\ 6.1;\ WOW64)\ AppleWebKit/537.36\ (KHTML,\ like\ Gecko)\ Chrome/32.0.1700.76\ Safari/537.36
   reqadd ACLexact:\ 2 if ACL2

   acl ACL21 req.fhdr(User-Agent) -m beg Mozilla/5.0\ (Windows\ NT\ 6.1;\ WOW64)\ AppleWebKit/537.36\ (KHTML
   reqadd ACLbeg:\ 1 if ACL21
   acl ACL22 req.fhdr(User-Agent) -m beg Mozilla/5.0\ (Windows\ NT\ 6.1;\ WOW64)\ AppleWebKit/537.36\ (KHTML,
   reqadd ACLbeg:\ 2 if ACL22

   acl ACL31 req.fhdr(User-Agent) -m end like\ Gecko)\ Chrome/32.0.1700.76\ Safari/537.36
   reqadd ACLend:\ 1 if ACL31
   acl ACL32 req.fhdr(User-Agent) -m end \ like\ Gecko)\ Chrome/32.0.1700.76\ Safari/537.36
   reqadd ACLend:\ 2 if ACL32
   acl ACL33 req.fhdr(User-Agent) -m end ,\ like\ Gecko)\ Chrome/32.0.1700.76\ Safari/537.36
   reqadd ACLend:\ 3 if ACL33


Thierry


On Thu, 16 Jan 2014 20:54:50 +0100
PiBa-NL piba.nl@gmail.com wrote:

> Hi,
>
> Using HAProxy 1.5-dev21 I'm having trouble getting it to match my
> user-agent with an acl that uses -m pattern matching.
>
> The browser is Chrome 31.0.1650.63 which sends the user-agent string:
>
> Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.76 Safari/537.36
>
> My test ACLs, of which only ACL21 and ACL31 are matched, with the result
> below:
> *ACLexact*= A
> *ACLbeg*= B, 1
> *ACLend*= C, 1
>
> I would expect at least 2 of the ACLbeg acls and ACL2 to also be matched;
> also I don't understand why ACL32 is not matched, as the leading space
> seems to be correctly escaped?
>
> The acls used/tried:
>
> reqadd ACLexact:\ A
> reqadd ACLbeg:\ B
> reqadd ACLend:\ C
> acl ACL1 hdr(User-Agent) Mozilla/5.0\ (Windows\ NT\ 6.1;\ WOW64)\ AppleWebKit/537.36\ (KHTML\,\ like\ Gecko)\ Chrome/32.0.1700.76\ Safari/537.36
> reqadd ACLexact:\ 1 if ACL1
> acl ACL2 hdr(User-Agent) -m str Mozilla/5.0\ (Windows\ NT\ 6.1;\ WOW64)\ AppleWebKit/537.36\ (KHTML\,\ like\ Gecko)\ Chrome/32.0.1700.76\ Safari/537.36
> reqadd ACLexact:\ 2 if ACL2
>
> acl ACL21 hdr(User-Agent) -m beg Mozilla/5.0\ (Windows\ NT\ 6.1;\ WOW64)\ AppleWebKit/537.36\ (KHTML
> reqadd ACLbeg:\ 1 if ACL21
> acl ACL22 hdr(User-Agent) -m beg Mozilla/5.0\ (Windows\ NT\ 6.1;\ WOW64)\ AppleWebKit/537.36\ (KHTML,
> reqadd ACLbeg:\ 2 if ACL22
> acl ACL23 hdr(User-Agent) -m beg Mozilla/5.0\ (Windows\ NT\ 6.1;\ WOW64)\ AppleWebKit/537.36\ (KHTML\,
> reqadd ACLbeg:\ 3 if ACL23
>
> acl ACL31 hdr(User-Agent) -m end like\ Gecko)\ Chrome/32.0.1700.76\ Safari/537.36
> reqadd ACLend:\ 1 if ACL31
> acl ACL32 hdr(User-Agent) -m end \ like\ Gecko)\ Chrome/32.0.1700.76\ Safari/537.36
> reqadd ACLend:\ 2 if ACL32
> acl ACL33 hdr(User-Agent) -m end ,\ like\ Gecko)\ Chrome/32.0.1700.76\ Safari/537.36
> reqadd ACLend:\ 3 if ACL33
> acl ACL34 hdr(User-Agent) -m end \,\ like\ Gecko)\ Chrome/32.0.1700.76\ Safari/537.36
> reqadd ACLend:\ 4 if ACL34
>
>
> HAPROXY Version used:
> HA-Proxy version 1.5-dev21-6b07bf7 +2013/12/17
> Copyright 2000-2013 Willy Tarreau w...@1wt.eu
> Build options :
>   TARGET  = freebsd
>   CPU     = generic
>   CC      = cc
>   CFLAGS  = -O2 -pipe -fno-strict-aliasing -DFREEBSD_PORTS
>   OPTIONS = USE_GETADDRINFO=1 USE_ZLIB=1 USE_OPENSSL=1 USE_STATIC_PCRE=1
>
> Did I do something wrong, or can you give it a test? Thanks.
>
> Thanks for the great product!
> Greets PiBa-NL
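
The behaviour described in this reply, as an added example (not part of the original thread and not HAProxy code): a simplified Python model of hdr() versus req.fhdr(), run over the thread's User-Agent and the ACL patterns from the reply. The comma split and blank trimming in hdr_values() are a model assumed from the two values shown in the reply; quoted strings are not handled, and all function names are hypothetical.

```python
# Added illustration, not HAProxy source: a simplified model of the two fetches.
UA = ("Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 "
      "(KHTML, like Gecko) Chrome/32.0.1700.76 Safari/537.36")
HEAD = "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML"
TAIL = "like Gecko) Chrome/32.0.1700.76 Safari/537.36"


def hdr_values(raw):
    """Model of hdr(): one sample per comma-delimited value, blanks trimmed.
    Assumption: quoted strings containing commas are not handled here."""
    return [part.strip(" \t") for part in raw.split(",")]


def fhdr_values(raw):
    """Model of req.fhdr(): the full header value as a single sample."""
    return [raw.strip(" \t")]


MATCHERS = {
    "str": lambda value, pattern: value == pattern,
    "beg": lambda value, pattern: value.startswith(pattern),
    "end": lambda value, pattern: value.endswith(pattern),
}

# The ACLs from the reply, with the config escapes (\ ) already resolved.
ACLS = {
    "ACL2": ("str", UA),
    "ACL21": ("beg", HEAD),
    "ACL22": ("beg", HEAD + ","),
    "ACL31": ("end", TAIL),
    "ACL32": ("end", " " + TAIL),
    "ACL33": ("end", ", " + TAIL),
}


def matched(fetch, raw=UA):
    """Names of the ACLs that match at least one sample produced by `fetch`."""
    samples = fetch(raw)
    return sorted(name for name, (method, pattern) in ACLS.items()
                  if any(MATCHERS[method](s, pattern) for s in samples))


def lost_with_hdr(raw=UA):
    """ACLs that match the full value but never match the hdr() samples."""
    return sorted(set(matched(fhdr_values, raw)) - set(matched(hdr_values, raw)))


if __name__ == "__main__":
    print("hdr      :", matched(hdr_values))
    print("req.fhdr :", matched(fhdr_values))
    print("lost     :", lost_with_hdr())
```

An ACL in the lost list never fires under hdr(), so any allow or deny rule built on it is silently inert until the fetch is changed to req.fhdr().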
 



Re: issue with acl pattern -m match on a string starting with space or containing a comma, with 1.5-dev21

2014-01-17 Thread PiBa-NL

Hi,
Indeed req.fhdr(x) works for this. I should (again) have read the manual 
better.


Though the proper section is a bit harder to find; a search for
keyword  doesn't give any results. Nevertheless I should r.t.fine.m.
as it is very complete and correct for pretty much every option possible.


I knew that the comma didn't need escaping but started to try it anyway
because it didn't seem to work, and so started to have a few doubts.


Sorry for the noise and thanks, again.
PiBa-NL







Re: issue with acl pattern -m match on a string starting with space or containing a comma, with 1.5-dev21

2014-01-17 Thread Cyril Bonté

On 17/01/2014 21:06, PiBa-NL wrote:

> Though the proper section is a bit harder to find a search for
> keyword  doesn't give any results..


This is in my to do list, I hope to find time to address this soon.

--
Cyril Bonté