HAProxy community

Building ACLs using other ACLs

Is it possible to create a new ACL using other ACLs? For example:

acl is_site1 path_dir /site1
acl is_site2 path_dir /site2

The third ACL would take the value in pseudocode like NOT (is_site1 OR is_site2).

My attempts ended with an “unknown fetch method” error.

I’ve never come across any example in the HAProxy Configuration Manual of how to fetch the value of ACLs.

Hi,

ACLs are meant to return Boolean values (TRUE or FALSE) depending on the condition. You may definitely use logical operators (AND, OR, NOT) with multiple ACLs to form a complex condition in an action statement but you simply cannot use the same in an ACL statement.

I would suggest that you use “NOT (is_site1 OR is_site2)” directly in an action statement rather than using it to set a new ACL.
The expression you intend to evaluate is "!(A || B)" which is logically equivalent to "!A && !B". Therefore you may use the condition in an action statement as shown below:

http-request deny if !is_site1 !is_site2

If there’s something different that you intend to achieve, then please do let me know.

Thanks,
Shivharsh

My lab test looks like this (I enclose part of the configuration file):

backend http-bck
    server nginx 127.0.0.1:8080 maxconn 1024
    server nginx1 127.0.0.1:8081 maxconn 1024
    server nginx2 127.0.0.1:8082 maxconn 1024
    server nginx3 127.0.0.1:8083 maxconn 1024

    acl is_srv1 path_dir /site1
    acl is_srv2 path_dir /site2
    acl is_srv3 path_dir /site3

    use-server nginx1 if is_srv1
    use-server nginx2 if is_srv2
    use-server nginx3 if is_srv3
    use-server nginx unless is_srv1 is_srv2 is_srv3

It works as desired - the traffic is properly spread among the four servers. Only from an aesthetic point of view, I wanted to replace the last rule with:

use-server nginx if is_other

My attempts to assign the is_other ACL as:

acl is_other !{ is_srv1 is_srv2 is_srv3 }

or

acl is_other !(is_srv1 or is_srv2 or is_srv3)

or

acl is_other !(is_srv1 || is_srv2 || is_srv3)

failed. So your answer:

… but you simply cannot use the same in an ACL statement.

confirms it’s impossible.

Thanks for the information. I appreciate it.
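
The named catch-all condition asked about in this thread can be built by storing the combined result in a variable and testing that variable from an ACL. This is an added example, not part of any post above; it reuses the thread's backend and ACL names, and assumes HAProxy 1.6 or later (where set-var is available) and a hypothetical variable name, txn.is_other.

```haproxy
backend http-bck
    server nginx  127.0.0.1:8080 maxconn 1024
    server nginx1 127.0.0.1:8081 maxconn 1024
    server nginx2 127.0.0.1:8082 maxconn 1024
    server nginx3 127.0.0.1:8083 maxconn 1024

    acl is_srv1 path_dir /site1
    acl is_srv2 path_dir /site2
    acl is_srv3 path_dir /site3

    # An acl line cannot reference other ACLs, but a rule condition can.
    # Evaluate NOT (is_srv1 OR is_srv2 OR is_srv3) once per request and
    # keep the result in a transaction-scoped variable (name is hypothetical).
    # ACLs listed with no operator between them are ANDed, so the OR must be
    # written explicitly with "||".
    http-request set-var(txn.is_other) bool(true) unless is_srv1 || is_srv2 || is_srv3

    # An ACL can test a variable. If the variable was never set, the var()
    # fetch returns nothing and the ACL does not match.
    acl is_other var(txn.is_other) -m bool

    use-server nginx1 if is_srv1
    use-server nginx2 if is_srv2
    use-server nginx3 if is_srv3
    use-server nginx  if is_other

    # The same named ACL can gate an access rule without depending on
    # rule order, for example:
    #   http-request deny if is_other
```

Running `haproxy -c -f <config file>` checks the syntax before a reload.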