How do I manipulate response headers based on path

I’ve been using the following formula:

# SNI dmarc
frontend port443-raw from tcpees
  bind    :443 alpn h2
  bind  :::443 alpn h2
  default_backend loopback-main

# main frontend
frontend main from httpees
  bind /haps/main.socket name main accept-proxy ssl crt fullchain.pem alpn h2,http/1.1
  http-request set-var(txn.txnhost) hdr(host)
  http-request set-var(txn.txnpath) path  
  acl auto         var(txn.txnhost) -m str -i sub1.domain1.tld
  acl auto         var(txn.txnhost) -m str -i sub2.domain1.tld
  acl sub3         var(txn.txnhost) -m str -i sub3.domain1.tld
  http-response  set-header Content-Security-Policy "object-src…" if auto
  http-response  add-header Content-Security-Policy "script-src…" if auto
  http-response  add-header Content-Security-Policy "img-src…"    if auto
  http-response  set-header Content-Security-Policy "obj…"    unless auto
  use_backend    %[req.hdr(Host),lower]               if auto || sub3 || …

# looparound backend
backend loopback-main
  mode  tcp
  server  main /haps/main.socket send-proxy-v2-ssl-cn

# most backends are very similar to this
backend sub1.domain1.tld from httpees
  option httpchk
  http-check send meth OPTIONS uri / ver HTTP/1.1\r\nHost:\ sub1.domain.tld
  use-server std if !{ ssl_fc }
  use-server tls if  { ssl_fc }
  server std sub1.domain.tld:80      check inter 12s  observe layer7  error-limit 10  on-error fastinter
  server tls sub1.domain.tld:443 ssl check inter 12s  observe layer7  error-limit 10  on-error fastinter

It works flawlessly for header manipulation if based on hostname, such as above. I tried it on a pathname…

  acl path         var(txn.txnpath) -m sub -i /examplepath
  http-response  set-header Content-Security-Policy "obj…"    if path

and it wouldn’t work. The variables made it error silently. Later, when I ditched the variables and used the “acl url_static path_beg /static” construction, I finally got a message that the way I was doing it would never match. It didn’t say why, though. (I added an ACL for the hostname too, BTW, and then not)

Adding them on the backends I think would work, but since most are mass-added on the frontend, I’d have to single them out, resulting in very complicated rules, or remove them altogether and add them to every single backend, making the already-1100plus-line config file even bigger.

How can I add a response header based on a path?