Allowing only some paths - not working as planned

Hi all

I’m having some issues with an ACL that’s not working as intended. I have a service and I want to only allow very specific paths to be accessed. For example, I want to allow access to www.mysite.com/hello but not www.mysite.com/bye. However, I’m getting 403 Forbidden even on /hello. Can someone help me with the syntax? For example, if I wanted to grant access to only these resources:

www.mysite.com/hello
www.mysite.com/images
www.mysite.com/page?id=parameters
www.mysite.com/page?id=ok
www.mysite.com/page?id=test

I created the below:

acl myhost_host hdr(host) -i www.mysite.com

acl myhost_allowed_uri_paths path_beg,url_dec -i -m beg /hello | /images
acl myhost_allowed_uri_pages path_beg,url_dec -i -m beg /page
acl myhost_allowed_parm urlp(id) parameters | test | ok

http-request deny if myhost_host !myhost_allowed_uri_paths
http-request deny if myhost_host !myhost_allowed_uri_pages !myhost_allowed_parm

First of all, you don’t separate multiple entries with a pipe. You just specify them.

Wrong:

/hello | /images

Correct:

/hello /images

Also:

path_beg,url_dec -i -m beg

looks wrong.

Either you are url decoding the path and matching the beginning of it:

path,url_dec -i -m beg

Or just use path_beg directly:

path_beg -i /a /b /c

Second of all, there are logic flaws in your configuration. Just redo it all with the opposite logic; it becomes way easier this way:

http-request allow if myhost_host myhost_allowed_uri_paths
http-request allow if myhost_host myhost_allowed_uri_pages myhost_allowed_parm
http-request deny

If you only want to deny on this particular host, replace the last line with:

http-request deny if myhost_host
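
Why the question's two deny rules return 403 for every URL, /hello included, and what the allow-then-deny rules decide instead, modelled in Python as an added example (not part of the thread and not HAProxy code). It assumes the Host header is always www.mysite.com, the pipes have been removed from the patterns, and the path ACLs are plain `path_beg -i`; the function names are hypothetical.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample requests: the five URLs from the question plus /bye.
SAMPLES = ["/hello", "/images", "/page?id=parameters",
           "/page?id=ok", "/page?id=test", "/bye"]


def acls(uri):
    """Evaluate the three ACLs from the thread against one request URI."""
    parts = urlsplit(uri)
    path = parts.path.lower()                 # -i: case-insensitive match
    ids = parse_qs(parts.query).get("id", [])
    first_id = ids[0] if ids else None        # urlp(id): first occurrence
    return {
        "paths": path.startswith(("/hello", "/images")),   # path_beg
        "pages": path.startswith("/page"),                 # path_beg
        "parm": first_id in {"parameters", "test", "ok"},  # exact string
    }


def original_rules(uri):
    """The question's logic: two deny rules, anything left over passes."""
    a = acls(uri)
    # http-request deny if myhost_host !myhost_allowed_uri_paths
    if not a["paths"]:
        return "deny"      # rejects every /page?id=... request
    # http-request deny if myhost_host !myhost_allowed_uri_pages !myhost_allowed_parm
    if not a["pages"] and not a["parm"]:
        return "deny"      # rejects /hello and /images: not /page, no id
    return "allow"


def inverted_rules(uri):
    """The answer's logic: explicit allows first, then a final deny."""
    a = acls(uri)
    # http-request allow if myhost_host myhost_allowed_uri_paths
    if a["paths"]:
        return "allow"
    # http-request allow if myhost_host myhost_allowed_uri_pages myhost_allowed_parm
    if a["pages"] and a["parm"]:
        return "allow"
    # http-request deny if myhost_host
    return "deny"


if __name__ == "__main__":
    for uri in SAMPLES:
        print(f"{uri:22} original={original_rules(uri):5} "
              f"inverted={inverted_rules(uri)}")
```

Because `path_beg` is a prefix match, a path such as /hello-admin also satisfies the /hello pattern in both rule sets.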