How to block URLs that do not contain a specific word using HAProxy

I am trying to block URLs that do not contain the word “Developer” in the value of the URL’s query string parameter urls.primaryName.

URLs to block:

  1. /swaggerui/PetStore/index.html?urls.primaryName=V1-Private
  2. /swaggerui/PetStore/index.html?urls.primaryName=V1-Internal

URLs to allow:

  1. /swaggerui/PetStore/index.html?urls.primaryName=V1-Developer

Below is the configuration I have tried.

frontend http-in
    acl url_petstore_v2 path_beg -i /swaggerui/PetStore/

    use_backend petstore_v2 if url_petstore_v2


backend petstore_v2
    http-request deny if { path_reg /swaggerui/PetStore/index\.html\?urls\.primaryName=(?i)(?!.*Developer).* }

    server petstore1 $PS_HOST$SERVER_ADDRESS_TAIL:$PS_PORT check $TLS_APPEND $HAPROXY_RESOLVER_EXPR

The regex I have used does match the URLs, as you can see in this online regex test tool.

But this configuration is not blocking the URLs; it is allowing all of them.

Developer is not in the path. It is in the query.

So instead of path_reg it should be query -m reg and the pattern should start with everything after the ?.

Or you should be able to match it without regex really.

http-request allow { query -m end Developer }
http-request deny

Hi @lukastribus

Thanks for the hints. They helped me get to the solution.

I used the rules below to achieve the required scenario.
I chose to use a regular expression because the URL can have something after Developer.
“if” was missing in your solution, which was stopping HAProxy from starting.
I used \b so that Developer is present in the URL as a separate word.

http-request allow if { query -m reg urls.primaryName=.*\bDeveloper\b.* }
http-request deny

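An added example, not part of the thread and not HAProxy code: a small Python model of the `path` and `query` fetches that runs the thread's three rules, plus a stricter parameter-only check, over the URLs from the question and two constructed ones. It assumes Python's `re` behaves like HAProxy's regex engine for these patterns; `param_rule`, `evaluate` and the two extra URLs are inventions of this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Model of the HAProxy fetches: `path` stops before "?", `query` starts after it.
def path(url):
    return urlsplit(url).path

def query(url):
    return urlsplit(url).query

# Each rule returns True when the request would be ALLOWED.
def original_rule(url):
    # Question's backend rule: deny if path_reg <pattern with \?...>.
    # (?i) is passed as re.I here because Python rejects it mid-pattern.
    pat = r"/swaggerui/PetStore/index\.html\?urls\.primaryName=(?!.*Developer).*"
    return not re.search(pat, path(url), re.I)

def end_rule(url):
    # Answer's rule: query -m end Developer
    return query(url).endswith("Developer")

def regex_rule(url):
    # Last reply's rule: "Developer" as a separate word somewhere after the name.
    return bool(re.search(r"urls.primaryName=.*\bDeveloper\b", query(url)))

def param_rule(url):
    # Hypothetical stricter check (not from the thread): only the value(s) of
    # urls.primaryName are examined, and every one must contain the word.
    values = parse_qs(query(url)).get("urls.primaryName", [])
    return bool(values) and all(re.search(r"\bDeveloper\b", v) for v in values)

BASE = "/swaggerui/PetStore/index.html?urls.primaryName="
URLS = {
    "private": BASE + "V1-Private",                        # from the question
    "internal": BASE + "V1-Internal",                      # from the question
    "developer": BASE + "V1-Developer",                    # from the question
    "trailing": BASE + "V1-Developer&docExpansion=none",   # constructed
    "other_param": BASE + "V1-Private&view=Developer",     # constructed
}
RULES = (original_rule, end_rule, regex_rule, param_rule)

def evaluate():
    """Return {url_label: {rule_name: allowed}} for every sample URL."""
    return {k: {r.__name__: r(u) for r in RULES} for k, u in URLS.items()}

if __name__ == "__main__":
    for label, verdicts in evaluate().items():
        print(f"{label:12}", verdicts)
```

The whole-query rules allow the `other_param` URL because the word appears outside the `urls.primaryName` value; in HAProxy the per-parameter check corresponds to matching on the `url_param(urls.primaryName)` sample fetch instead of `query`.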