Hi,
I am attempting an ACL rule that will check if my src value from the client’s request or txn.source_ip can be found within my txn.token_payload variable, if possible. Hardcoded values seem to be working; however, variables seem not to be working.
I am currently using HAProxy 2.6 and I am not able to add a new Lua script at this point, so I would like to perform this task via simple ACLs if possible.
Config that works:
frontend test-443
    # Binding
    bind *:443
    ## Validate Allowed Origins If Exists
    ### Decode Token Payload
    http-request set-var(txn.token_payload) req.hdr(Authorization),word(2,.),ub64dec
    ### Check If allowed-origins is available in token_payload packet
    acl allowed_origins_in_payload var(txn.token_payload) -m found -m sub allowed-origins
    ### Check if the src field can be found within the token_payload variable if the allowed-origins field exists
    acl src_found_in_allowed_origins var(txn.token_payload) -m found -m sub 172.1.1.1 if allowed_origins_in_payload
    ### Deny the request if the allowed-origins field exists but the client source can't be found within it
    http-request deny content-type 'text/html' string 'Host was not found in allowed_origins' if allowed_origins_in_payload !src_found_in_allowed_origins
    # Backend Endpoint
    use_backend backup

backend backup
    # Server Endpoint
    default-server check
    server test backup:12345
Config that does not work:
frontend test-443
    # Binding
    bind *:443
    ## Validate Allowed Origins If Exists
    ### Decode Token Payload
    http-request set-var(txn.token_payload) req.hdr(Authorization),word(2,.),ub64dec
    ### Check If allowed-origins is available in token_payload packet
    acl allowed_origins_in_payload var(txn.token_payload) -m found -m sub allowed-origins
    ### Check if the src field can be found within the token_payload variable if the allowed-origins field exists
    acl src_found_in_allowed_origins var(txn.token_payload) -m found -m sub src if allowed_origins_in_payload
    ### Deny the request if the allowed-origins field exists but the client source can't be found within it
    http-request deny content-type 'text/html' string 'Host was not found in allowed_origins' if allowed_origins_in_payload !src_found_in_allowed_origins
    # Backend Endpoint
    use_backend backup

backend backup
    # Server Endpoint
    default-server check
    server test backup:12345
Example Client Source:
172.1.1.1
Example JWT Token Payload:
{
    "exp": 1713905722,
    "iat": 1713905422,
    "jti": "12345",
    "iss": "http://172.2.2.2:443/realms/test",
    "aud": "/api/test",
    "sub": "wvwcwecwc-fbevopm-vwv-vwevew-vwvwevwev",
    "typ": "Bearer",
    "azp": "test",
    "allowed-origins": [
        "192.168.1.1",
        "172.1.1.1"
    ],
    "scope": "test-api",
    "clientHost": "172.2.2.2",
    "clientAddress": "172.2.2.2",
    "client_id": "test"
}
HAProxy Version:
2.6.5-987a4e2
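As an added illustration (not part of the post and not HAProxy code), the following Python reproduces the decoding steps of the config above (`word(2,.)` then `ub64dec`) on a constructed token carrying the post's payload, and contrasts the substring match the config reaches for with an exact membership check of the client address against the `allowed-origins` array; the token is built unsigned with a placeholder signature, so nothing here verifies it.

```python
import base64
import ipaddress
import json

# Constructed sample: the relevant claims from the payload in the post.
SAMPLE_PAYLOAD = {
    "iss": "http://172.2.2.2:443/realms/test",
    "aud": "/api/test",
    "typ": "Bearer",
    "allowed-origins": ["192.168.1.1", "172.1.1.1"],
    "clientHost": "172.2.2.2",
    "client_id": "test",
}


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def build_bearer_header(payload: dict) -> str:
    # Placeholder token: header.payload.signature with a dummy signature,
    # enough to exercise the splitting and decoding done by the config.
    header = _b64url(b'{"alg":"RS256","typ":"JWT"}')
    return f"Bearer {header}.{_b64url(json.dumps(payload).encode())}.sig"


def decoded_payload_text(auth_header: str) -> str:
    # Same slicing as word(2,.) then ub64dec: second dot-separated field of the
    # header value, base64url-decoded (padding restored since JWTs strip it).
    segment = auth_header.split(".")[1]
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment).decode()


def allowed_by_substring(payload_text: str, src_ip: str) -> bool:
    # What "-m sub <client address>" would do: a plain substring search over the
    # whole decoded payload. No allowed-origins claim means no restriction.
    if "allowed-origins" not in payload_text:
        return True
    return src_ip in payload_text


def allowed_by_claim(payload_text: str, src_ip: str) -> bool:
    # Exact membership in the allowed-origins array, comparing parsed addresses
    # so that a partial textual match (e.g. 72.1.1.1 inside 172.1.1.1) cannot pass.
    origins = json.loads(payload_text).get("allowed-origins")
    if origins is None:
        return True
    client = ipaddress.ip_address(src_ip)
    for entry in origins if isinstance(origins, list) else []:
        try:
            if ipaddress.ip_address(entry) == client:
                return True
        except ValueError:
            continue  # skip entries that are not addresses (URLs, hostnames)
    return False
```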