Encoded URL not matching path_beg or url_dec

Hello, I have a restricted_access acl applying based on a path_beg check for specific sub-pages of websites.
This works fine for web browser requests and correctly returns a 403 error, however when using an encoded url, the check is bypassed and a 200 response is received.

HAProxy is v2.2.8

I have come across the implementation of url_dec and this does not seem to work either.

Current syntax:
acl restricted_path path_beg /testpath
http-request deny if restricted_path

I have tried:
acl restricted_path path_beg,url_dec -i /testpath

  • this resulted in no pages being blocked and allowed all, both standard and encoded urls

acl restricted_path path_beg url_dec -i /testpath

  • changing to space-delimited meant that standard urls were blocked again but encoded urls still pass

acl restricted_path path_beg url_dec /testpath

  • no change

acl restricted_path path_beg url_dec -m /testpath

  • no change

acl restricted_path path url_dec -i beg /testpath

  • no change

The documentation on url_dec is very light in the manual - does anyone have a working example that would successfully block (return 403) requests as follows?

testing examples:

The testing example didn’t quite work as the html was decoded in this post.

The ‘h’ in the second example should be replaced with % 6 8

We believe we have found a solution for this.
To benefit others with the same issue, our fix is here:

acl restricted_path path_beg,url_dec -m beg -i i /testpath

There is an experimental feature in Haproxy 2.4 that helps with URI normalization for this exact purpose, this could be handy: