ACL multiple fetches

Hi all,

I’m trying to create an ACL with 2 fetches, similar to this post here: Anonymous ACL - Multiple AND Conditions Not Evaluted

In my example:

http-request set-var(txn.endpoint)  req.hdr(Host)
http-request set-var(txn.origin) req.hdr(Origin)

acl is_allowed_entrypoint_origin var(txn.endpoint) -i  endpoint.domain.com var(txn.origin) -i -m end -f allowed_origins.acl

http-request use-service lua.forbidden unless is_allowed_entrypoint_origin

Inside my allowed_origins.acl file I have:

potatos.com
apples.com

Now if I query the endpoint endpoint.domain.com I was expecting to get a 403 if the request didn’t originate from one of the 2 origins listed in my acl, however I get a 200 response for every frontend I query it from.

Note: I know I could simplify it by just allowing certain origins to every endpoint on haproxy, however I have multiple endpoints in my setup and I’d like to have a different list of allowed origins for each.

I guess I’m not able to do such a thing in a single ACL unfortunately

Reference: ACL condition with AND - #11 by lucid_thayne

This ACL is invalid (semantically). If you want an “and” between the two var(...), you need to define two ACLs and reference them in the rule:

acl is_allowed_entrypoint_origin_a var(txn.endpoint) -i  endpoint.domain.com
acl is_allowed_entrypoint_origin_b var(txn.origin) -i -m end -f allowed_origins.acl

http-request use-service lua.forbidden unless is_allowed_entrypoint_origin_a is_allowed_entrypoint_origin_b

(BTW, if you define the same ACL twice, it becomes an “or”.)

If you want an “and” between the two var(...), you need to define two ACLs and reference them in the rule:

This becomes rather painful when you have several actions that are gated on the same condition. I wish haproxy had some mechanism to re-use a condition. Like a fetch that returns the result of a condition, or a macro for a condition that can be used in if/unless clauses.

You can always define a variable and set it to a particular value if certain ACLs are met, and then use that variable in a single ACL.
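Putting the two-ACL "and" and the reusable variable together for the per-endpoint allowed-origin lists the original poster wanted, as an added configuration example (not from the thread or the HAProxy project). Endpoint names, file paths and the txn.allowed variable are assumptions; the deny action stands in for the thread's lua.forbidden service.

```haproxy
frontend fe_api
    bind :8080

    # Capture the headers once per transaction (constructed example values).
    http-request set-var(txn.endpoint) req.hdr(Host),lower
    http-request set-var(txn.origin)   req.hdr(Origin),lower

    # One ACL per endpoint and one per origin list. The "and" is expressed by
    # naming both ACLs in the same if/unless clause, never inside one acl line.
    acl ep_a   var(txn.endpoint) -i endpoint.domain.com
    acl orig_a var(txn.origin) -i -m end -f /etc/haproxy/allowed_origins_a.acl
    acl ep_b   var(txn.endpoint) -i other.domain.com
    acl orig_b var(txn.origin) -i -m end -f /etc/haproxy/allowed_origins_b.acl

    # Collapse the pairwise checks into one flag so every gated action
    # references a single ACL instead of repeating the whole condition.
    http-request set-var(txn.allowed) int(1) if ep_a orig_a
    http-request set-var(txn.allowed) int(1) if ep_b orig_b
    acl is_allowed var(txn.allowed) -m found

    # Default deny status is 403; add further actions gated on the same flag.
    http-request deny unless is_allowed
    http-request set-header X-Origin-Checked 1 if is_allowed

    default_backend be_app
```

Because `-m end` is a suffix match, a bare entry such as potatos.com in the list also matches an Origin of https://evilpotatos.com; list entries as ://potatos.com (or use exact `-m str` matches on the full origin) so only the intended hosts pass. The Origin header is supplied by the client, so this gates cross-origin browser traffic and is not a substitute for authentication.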

Although I understand your issue with the HAProxy ACL language.

However, for the same reasons, I’ve ended up writing a HAProxy “configurator” in Python (https://github.com/cipriancraciun/haproxy-configurator), where I call some simple Python functions, that then create the rest of the configuration. For example:

My point is this: if one starts having complex HAProxy configurations, perhaps one should create some DSL to generate them.