ACL match, rewrite and redirect


I have an frontend acl correctly matching inbound requests and forwarding these to a specific pool of servers in the backend.

frontend front_443
default_backend default-servers
acl backend-acl path -m sub BACKEND
use_backend server-group1 if backend-acl

I would like to be able to rewrite the path matched by backend-acl, specifically removing a part of the path, before sending the request on to server-group1. Is there a way to do this?


So I have found that the best way to do this is probably by using ‘http-request replace-path’ in the server-group1 backend.

I have been trying to get this to work however and it does not. I am at the point where I am just trying to match the whole path and replace it with something random, which will break the app, but will at least verify the rewrite is working but I can’t seem to get that work. Here is the backend

backend server-group1
balance roundrobin
http-request replace-path .* dummy-path
server server1

I have checked the logs and I still see the original request path being sent to the backend, it is not being replaced by ‘dummy-path’. Here is the log output

Apr 14 14:55:35 haproxy[2924]: x.x.x.x:40366 [14/Apr/2024:14:55:34.984] front_443~ server-group1/server1 0/0/13/16/29 401 319 - - ---- 2/2/0/0/0 0/0 “POST /BACKEND/auth/login HTTP/1.1”

Any suggestions why this isn’t working?

So in case it is of value to others, the replace-path setting was working I was just misinterpreting the debug output from the log above.

Seeing the log included the backend server (server1) in the log I thought the “POST /BACKEND/auth/login HTTP/1.1” was the PATH being sent to the server but it is was was received by the frontend.

A tcpdump/wireshark capture on the egress interface of the proxy showed that the path above was in fact being rewritten as expected by replace-path.