HAProxy community

ACL doesn't work with multiple condition (beg_path AND

I have an issue with my HAProxy that is running on my Ubuntu 16.04. I want to set a static token for both environments on my server.

I am using path_beg and ssl_fc_sni.

This is my config:

frontend https
bind *:443 ssl crt /etc/ssl/mykey.pem

acl url_staging path_beg /123456
use_backend staging if { ssl_fc_sni staging.com AND url_staging }

acl url_production path_beg /789012
use_backend production if { ssl_fc_sni production.com AND url_production }

default_backend no-match

backend staging
    http-request set-path "%[path,regsub(^/123456/,/)]" # to remove the token after authenticated.
    server staging 127.0.0.1:4723

backend production
    http-request set-path "%[path,regsub(^/789012/,/)]" # to remove the token after authenticated.
    server production 127.0.0.1:4723

backend no-match  
    http-request deny deny_status 403

The problem is, when I try to visit production with the staging token, it works and is authenticated. production.com/123456 will work, and vice versa.

acl staging hdr(Host) staging.com && path /123456

I did try as per above, putting both conditions in the same ACL with an AND expression, but it got worse: it was accessible without a token.

What I want is to authenticate staging with the staging token/path, which is 123456, and when I visit production it must use the production token/path. It should refuse when I hit the production endpoint with the staging token,

so it will refuse the connection when I try production.com/123456.

HA-Proxy version 1.8.25-1

Thanks

Wrong statement: you need to close your anonymous ACL with }, but instead you have that at the end.

Use:

acl url_staging path_beg /123456
use_backend staging if { ssl_fc_sni staging.com } AND url_staging

acl url_production path_beg /789012
use_backend production if { ssl_fc_sni production.com } AND url_production

And since AND is implicit, you can just:

acl url_staging path_beg /123456
use_backend staging if { ssl_fc_sni staging.com } url_staging

acl url_production path_beg /789012
use_backend production if { ssl_fc_sni production.com } url_production
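
A check for the mistake described in this answer, as an added example that is not part of the original post: a small Python linter that flags operator-like words (AND, OR, ||, &&) placed inside an ACL expression, where HAProxy reads everything after the criterion as match patterns rather than as condition operators. The function name, the token list and the sample config are constructed for illustration, and comment stripping is simplified.

```python
import re

# Words that look like condition operators. Inside an ACL expression
# (an "acl" line or an anonymous "{ ... }" block) they are just patterns.
OPERATOR_LIKE = {"and", "or", "||", "&&"}
# Anonymous ACL: braces must be separate words, so require spaces inside.
ANON_ACL = re.compile(r"\{\s+(.*?)\s+\}")


def find_misplaced_operators(config_text):
    """Return (line_no, expression, stray_words) for every ACL expression
    whose pattern list contains an operator-like word."""
    findings = []
    for no, raw in enumerate(config_text.splitlines(), 1):
        # Simplified comment handling: ignores quoted or escaped '#'.
        line = raw.split("#", 1)[0].strip()
        words = line.split()
        if not words:
            continue
        if words[0] == "acl" and len(words) > 2:
            exprs = [" ".join(words[2:])]      # criterion + patterns
        else:
            exprs = ANON_ACL.findall(line)     # each { ... } block
        for expr in exprs:
            # Skip the criterion itself, inspect flags and patterns.
            stray = [w for w in expr.split()[1:] if w.lower() in OPERATOR_LIKE]
            if stray:
                findings.append((no, expr, stray))
    return findings


# Constructed sample built from the configurations quoted in this thread.
SAMPLE = """\
frontend https
    acl url_staging path_beg /123456
    use_backend staging if { ssl_fc_sni staging.com AND url_staging }
    use_backend production if { ssl_fc_sni production.com } url_production
    acl staging hdr(Host) staging.com && path /123456
"""

if __name__ == "__main__":
    for no, expr, stray in find_misplaced_operators(SAMPLE):
        print(f"line {no}: {stray} treated as pattern(s) in: {expr}")
```
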

Thanks. It works.

Anyway, I just want to check something with you.

You mentioned that AND is implicit. Does that mean AND is the default for multiple conditions in HAProxy, or are you referring to something else?

Yes, that’s what I mean:

use_backend staging if { ssl_fc_sni staging.com } url_staging

is exactly the same as:

use_backend staging if { ssl_fc_sni staging.com } AND url_staging

Also see Using ACLs to form conditions.

@lukastribus Thanks for your explanation.