HAProxy community

Http-response set-header with condition, not working


#1

Hello forum,

I need to set a http-response header under certain conditions.
My idea was to use this configuration in the frontend section:

acl path_set path_beg /some/path
http-response del-header Pragma if path_set
http-response set-header Cache-Control no-cache if path_set
http-response set-header Expires -1 if path_set

However, if I run a check on the config, haproxy tells me:

acl ‘path_set’ will never match because it only involves keywords that are incompatible with ‘frontend http-response header rule’

And indeed, the rule does not work. If I remove the condition (if…) the headers are set but of course for all paths.
Can someone help me understand why this happens and how I can prevent/fix this, so the condition works?

Thanks a lot,
Hans

edit: I use haproxy version 1.6.13 on this server. Could it be a version problem?


#2

You cannot match this directly, because the data is not there anymore (when the request is sent to the server we don’t keep a copy of it).

I suggest you save the path to a txn variable in the frontend and then use that in the backend:

frontend ...
 http-request set-var(txn.path) path
backend ...
 acl path_set var(txn.path) -m beg /some/path
 http-response del-header Pragma if path_set
 http-response set-header Cache-Control no-cache if path_set
 http-response set-header Expires -1 if path_set

See the documentation for details:


#3

Thank you very much for this hint.
I try to understand what you mean by “the data is not there anymore”…

Can I also use this in the frontend section or is there a reason for using it in backend?


#4

Yeah, you should be able to move everything to the frontend also, just make sure you use it with the txn variable. I separated the two, so it is more clear that it’s happening at a different point in time.

What it means is that when you use the http-response directive, it will have to wait for the response to actually arrive. This obviously means that it would be after the request has been sent to the server (otherwise we would not have an answer), and because haproxy does not keep a copy of the request around for further analysis, you cannot match something in your request (like the path), when the request was already sent to the server.

Saving the path into a txn variable (which is a variable valid for the entire transaction) and matching that one instead solves the issue.
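
The frontend-only variant discussed in replies #3 and #4, written out as a complete configuration. This is an added example, not part of the original posts; the section names fe_main and be_app, the bind port, the timeouts and the server address are constructed placeholders.

```haproxy
# Added example. fe_main, be_app, :80 and 127.0.0.1:8080 are placeholders.
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend fe_main
    bind :80

    # Request phase: the path is still available, so copy it into a
    # transaction-scoped variable that lives until the response is done.
    http-request set-var(txn.path) path

    # Response phase: the request is gone, so the ACL matches on the
    # saved copy instead of on 'path' itself.
    acl path_set var(txn.path) -m beg /some/path
    http-response del-header Pragma if path_set
    http-response set-header Cache-Control no-cache if path_set
    http-response set-header Expires -1 if path_set

    default_backend be_app

backend be_app
    server app1 127.0.0.1:8080
```

Because the ACL now uses a fetch that is valid at response time, running `haproxy -c -f <file>` on this configuration should not produce the "will never match" warning quoted in post #1.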


#5

Thank you very much for the explanation!
Understood 🙂