Cannot configure ACL

KenynMacCormik · June 25, 2019, 3:10pm

Hi, on my installation of HAproxy

[root@haproxy1 haproxy]# rpm -qa | grep haproxy
haproxy18u-1.8.19-1.ius.centos7.x86_64

the following ACLs are working

frontend web_frt
        acl     not_https       ssl_fc,not
        acl     is_ecp          path_beg        -m beg -i /ecp/
        acl     is_healthcheck  path_beg        -m end -i healthcheck.htm

        http-response   deny                            if is_ecp
        http-response   deny                            if is_healthcheck
        http-request    redirect scheme https code 301  if not_https

But on newer version

[root@LB1 haproxy]# rpm -qa | grep haproxy
haproxy18u-1.8.20-1.el7.ius.x86_64

I get an error

Jun 25 17:30:12 LB1 haproxy[18640]: [WARNING] 175/173012 (18640) : parsing [/etc/haproxy/haproxy.cfg:90] : acl 'is_ecp' will never match because it only involves keywords that are incompatible with 'frontend http-response header rule'
Jun 25 17:30:12 LB1 haproxy[18640]: [WARNING] 175/173012 (18640) : parsing [/etc/haproxy/haproxy.cfg:91] : acl 'is_healthcheck' will never match because it only involves keywords that are incompatible with 'frontend http-response header rule'

Any idea why this is happening?

lukastribus · June 25, 2019, 4:34pm

A response does not contain an URI/path.

You need to deny the request, not the response, so the config should be like:

http-request   deny                            if is_ecp
http-request   deny                            if is_healthcheck

KenynMacCormik · June 27, 2019, 8:28pm

Hi,

Thank you very much for your reply. I’ve found another your post and made the following code. I seems working

 acl     is_autodiscover hdr(host)       -m str -i autodiscover.crpt.ru
        acl     is_rpc          var(txn.path)   -m beg -i /rpc/
        acl     is_owa          var(txn.path)   -m beg -i /owa/
        acl     is_ews          var(txn.path)   -m beg -i /ews/
        acl     is_oab          var(txn.path)   -m beg -i /oab/
        acl     is_eas          var(txn.path)   -m beg -i /eas/
        acl     is_mapi         var(txn.path)   -m beg -i /mapi/
        acl     is_ecp          var(txn.path)   -m beg -i /ecp/
        acl     is_healthcheck  var(txn.path)   -m end -i healthcheck.htm

        http-response   deny                            if is_ecp
        http-response   deny                            if is_healthcheck

        http-request    redirect scheme https code 301  if !{ ssl_fc }
        http-request    set-var(txn.path)               path

        use_backend     autodiscover_bck                if is_autodiscover
        use_backend     rpc_bck                         if is_rpc
        use_backend     owa_bck                         if is_owa
        use_backend     ews_bck                         if is_ews
        use_backend     oab_bck                         if is_oab
        use_backend     eas_bck                         if is_eas
        use_backend     mapi_bck                        if is_mapi

Topic		Replies	Views
ACL trouble, only works if I negate the ACL in the if statement Help!	5	485	October 26, 2021
Query string not matching in ACL Help!	1	2178	February 22, 2017
Newbie setting up a not to easy proxy Help!	4	1007	February 18, 2019
Troubles with AND in acl Help!	1	1006	January 2, 2022
HAProxy acl and maps Help!	1	1116	December 5, 2019

Cannot configure ACL

Related Topics