Composing ACLs - a missed opportunity?


Hi, long-term HAProxy fan here,

I have a reasonably complex configuration with a number of backends and ACL filters used for routing and access control. HAProxy is awesome, but I do not understand why ACLs are not composable (I cannot define an ACL in terms of other ACLs). If I could compose predefined ACLs my configuration would be much simpler (and more readable), but as far as I can see there’s no simple way of doing it.

ACLs are composable with ‘if’ conditions, so the logic is there, which leads me to ask if there is a specific reason for this apparent design choice?



I think once the ACL becomes long and complex, people stop putting them in the configuration directly and load them from files instead (-f).

Also, in those cases the ACLs are often not updated by hand, but automatically by some provisioning scripts.

Not sure I understand why you cannot combine the ACLs in the if statements though.

Generally we keep the feature and the code as simple and straightforward as possible, instead of implementing all possible combinations of features. This is especially true for things that can be abstracted away by intelligent provisioning tools.

That said, for this kind of discussion and feature request the mailing list is probably better suited than this discourse forum here.
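A sketch of the provisioning approach mentioned in the reply, added here as an example and not code from either poster or from the HAProxy project: named composite ACLs are expanded into the flat `if` conditions HAProxy accepts (terms on one line are ANDed, `||` separates alternatives). The composite format, the ACL names, the addresses and the `render` helper are all assumptions made for illustration.

```python
from itertools import product

# Constructed sample data: base ACLs as they would be written in haproxy.cfg.
BASE_ACLS = {
    "is_api": "path_beg /api",
    "is_admin": "path_beg /admin",
    "from_office": "src 192.0.2.0/24",
    "from_vpn": "src 198.51.100.0/24",
}

# Hypothetical composite format: a list of alternatives (OR),
# each alternative being a list of terms that must all match (AND).
COMPOSITES = {
    "trusted_src": [["from_office"], ["from_vpn"]],
    "admin_allowed": [["is_admin", "trusted_src"]],
}

def expand(name, seen=()):
    """Expand a term into a list of AND-groups (disjunctive normal form)."""
    if name in seen:
        raise ValueError(f"cyclic ACL definition: {name}")
    bare = name[1:] if name.startswith("!") else name
    if bare in BASE_ACLS:
        return [[name]]  # base ACL, possibly negated with '!'
    if name.startswith("!"):
        raise ValueError(f"negating a composite is not supported: {name}")
    if name not in COMPOSITES:
        raise KeyError(f"unknown ACL: {name}")
    groups = []
    for alternative in COMPOSITES[name]:
        parts = [expand(term, seen + (name,)) for term in alternative]
        # AND distributes over OR: take every combination of sub-groups.
        for combo in product(*parts):
            groups.append([t for group in combo for t in group])
    return groups

def condition(name):
    """Render a composite as an HAProxy condition string."""
    return " || ".join(" ".join(group) for group in expand(name))

def render(rules):
    """rules: (directive, composite) pairs, e.g. ('use_backend admin', 'admin_allowed')."""
    lines = [f"acl {n} {expr}" for n, expr in BASE_ACLS.items()]
    lines += [f"{directive} if {condition(c)}" for directive, c in rules]
    return "\n".join(lines)

if __name__ == "__main__":
    print(render([("use_backend admin", "admin_allowed")]))
```

Rejecting cycles and unknown names at generation time keeps a typo in a composite from silently producing a rule that references an undefined ACL.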