HAProxy ACL With Variable In Substring

Hi,

I am attempting an ACL rule that will check if my src value from the client’s request or txn.source_ip can be found within my txn.token_payload variable, if possible. Hardcoded values seem to be working; however, variables seem not to be working.

I am currently using HAProxy 2.6 and I am not able to add a new Lua script at this point, so I would like to perform this task via simple ACLs if possible.

Config that works:

frontend test-443
  # Binding
  bind *:443

  ## Validate Allowed Origins If Exists
  ### Decode Token Payload
  http-request set-var(txn.token_payload) req.hdr(Authorization),word(2,.),ub64dec
  ### Check If allowed-origins is available in token_payload packet
  acl allowed_origins_in_payload var(txn.token_payload) -m found -m sub allowed-origins
  ### Check if the src field can be found within the token_payload variable if the allowed-origins field exists
  acl src_found_in_allowed_origins var(txn.token_payload) -m found -m sub 172.1.1.1 if allowed_origins_in_payload
  ### Deny the request if the allowed-origins field exists but the client source can't be found within it
  http-request deny content-type 'text/html' string 'Host was not found in allowed_origins' if allowed_origins_in_payload !src_found_in_allowed_origins

  # Backend Endpoint
  use_backend backup
  
backend backup

  # Server Endpoint
  default-server check
  server test backup:12345

Config that does not work:

frontend test-443
  # Binding
  bind *:443

  ## Validate Allowed Origins If Exists
  ### Decode Token Payload
  http-request set-var(txn.token_payload) req.hdr(Authorization),word(2,.),ub64dec
  ### Check If allowed-origins is available in token_payload packet
  acl allowed_origins_in_payload var(txn.token_payload) -m found -m sub allowed-origins
  ### Check if the src field can be found within the token_payload variable if the allowed-origins field exists
  acl src_found_in_allowed_origins var(txn.token_payload) -m found -m sub src if allowed_origins_in_payload
  ### Deny the request if the allowed-origins field exists but the client source can't be found within it
  http-request deny content-type 'text/html' string 'Host was not found in allowed_origins' if allowed_origins_in_payload !src_found_in_allowed_origins

  # Backend Endpoint
  use_backend backup
  
backend backup

  # Server Endpoint
  default-server check
  server test backup:12345

Example Client Source:

172.1.1.1

Example JWT Token Payload:

{
  "exp": 1713905722,
  "iat": 1713905422,
  "jti": "12345",
  "iss": "http://172.2.2.2:443/realms/test",
  "aud": "/api/test",
  "sub": "wvwcwecwc-fbevopm-vwv-vwevew-vwvwevwev",
  "typ": "Bearer",
  "azp": "test",
  "allowed-origins": [
    "192.168.1.1",
    "172.1.1.1"
  ],
  "scope": "test-api",
  "clientHost": "172.2.2.2",
  "clientAddress": "172.2.2.2",
  "client_id": "test"
}

HAProxy Version:

2.6.5-987a4e2
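To make concrete what a `-m sub` substring check over the decoded payload does versus an exact match against the `allowed-origins` claim, here is an added Python example (not part of the post and not HAProxy code). The payload is constructed from the claims above with one origin changed to 172.1.1.10, and the token's header and signature segments are placeholders, since no signature verification is modelled.

```python
import base64
import json

# Constructed sample claims, adapted from the payload in the post.
SAMPLE_CLAIMS = {
    "iss": "http://172.2.2.2:443/realms/test",
    "allowed-origins": ["192.168.1.1", "172.1.1.10"],
    "clientAddress": "172.2.2.2",
}


def b64url_encode(data: bytes) -> str:
    # JWT segments are unpadded base64url.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_segment(segment: str) -> str:
    # Restore padding before decoding (equivalent of HAProxy's ub64dec step).
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment).decode()


def make_token(claims: dict) -> str:
    # Placeholder header and signature: only the payload segment matters here.
    header = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    return f"{header}.{b64url_encode(json.dumps(claims).encode())}.placeholder-sig"


def substring_check(token: str, src: str) -> bool:
    # Mirrors the posted ACLs: plain substring search over the raw payload text.
    payload_text = decode_segment(token.split(".")[1])
    if "allowed-origins" not in payload_text:
        return True  # no restriction present, request is allowed
    return src in payload_text


def exact_check(token: str, src: str) -> bool:
    # Parse the JSON and require src to be an element of allowed-origins.
    claims = json.loads(decode_segment(token.split(".")[1]))
    origins = claims.get("allowed-origins")
    if origins is None:
        return True  # same "allow when the claim is absent" rule as the config
    return src in origins
```

With the sample claims, the substring check accepts 172.1.1.1 (a prefix of 172.1.1.10) and 172.2.2.2 (which appears in other claims), while the exact check accepts only 192.168.1.1 and 172.1.1.10.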