I can't get the "http-request deny" function to work

Hello everybody,

Unfortunately I am having real difficulty getting the desired function to work.

Initially, I planned that all requests to test.domain.abc would be forwarded to test.domain.abc/folder1. This doesn’t seem to work at all with my configuration as far as I’ve figured it out. But if someone knows how to do it, this would be the best solution for me.

I then looked around and came across the solution with “http-request deny”. Unfortunately, I can’t get this to work either. I entered the following in various places in my code.

acl static path_beg -i / folder2 / folder3 / folder4
http request deny if path_beg

I am desperate. The folders folder2, folder3 and folder4 can still be reached despite the lines.

It would be great if someone could help me.

Many Thanks
wuestl

Here is my code:

global
  daemon
  maxconn 256
  log /dev/log local0 debug

defaults
  option httplog
  timeout connect 5000ms
  timeout client 50000ms
  timeout server 50000ms

frontend http_in
  mode tcp
  bind *:80
  bind *:443

  tcp-request inspect-delay 5s
  acl sslv3 req.ssl_ver 3
  tcp-request content reject if sslv3
  tcp-request content accept if { req_ssl_hello_type 1 }
  
  acl test1 req_ssl_sni -i test1.domain.abc
  acl test2 req_ssl_sni -i test2.domain.abc

  use_backend Test1_ssl if test1
  use_backend Test2_ssl if test2

backend Test1_ssl
  mode tcp
  stick-table type binary len 32 size 30k expire 30m
  
  acl clienthello req_ssl_hello_type 1
  acl serverhello req_ssl_hello_type 2

  # use tcp content accept to detect ssl client and server hello.
  tcp-request inspect-delay 5s
  tcp-request content accept if clienthello

  # no timeout on response inspect delay by default.
  tcp-response content accept if serverhello

  stick on payload_lv(43,1) if clienthello

  # Learn on response if server hello.
  stick store-response payload_lv(43,1) if serverhello

  option ssl-hello-chk
  server Test1 xxx.xxx.xxx.xxx:443

backend Test2_ssl
  mode tcp
  stick-table type binary len 32 size 30k expire 30m

  acl clienthello req_ssl_hello_type 1
  acl serverhello req_ssl_hello_type 2

  # use tcp content accept to detect ssl client and server hello.
  tcp-request inspect-delay 5s
  tcp-request content accept if clienthello

  # no timeout on response inspect delay by default.
  tcp-response content accept if serverhello

  stick on payload_lv(43,1) if clienthello

  # Learn on response if server hello.
  stick store-response payload_lv(43,1) if serverhello

  option ssl-hello-chk
  server Test2 xxx.xxx.xxx.xxx:443

I found out that “http request deny” is wrong.

It should read as follows:

acl is_static path -i -m beg /folder2 /folder3 /folder4
http-request deny if is_static

I just don’t know where to put it in. In spite of everything, all pages can be reached. Apparently the problem is using SNI in my config?

It would be great if someone could help me.

You can’t access HTTP data when:

  • it’s encrypted with SSL and you are not decrypting it
  • you are in tcp mode
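Added example, not the original poster's configuration and not part of the answer above: a frontend that terminates TLS itself in `mode http`, which is the condition the answer describes. In the poster's `mode tcp` frontend HAProxy only routes on the cleartext SNI of the ClientHello and never sees the request line, so a `path` ACL has nothing to match and the deny rule cannot fire. This version assumes HAProxy 2.4 or newer (for `http-request normalize-uri`), a combined certificate-and-key PEM at the placeholder path `/etc/haproxy/certs/test.domain.abc.pem`, and a CA bundle at `/etc/ssl/certs/ca-certificates.crt` for verifying the origin; the backend address is the poster's own placeholder. It also carries the poster's original goal of sending the site root to `/folder1`.

```haproxy
# Added example, not the original poster's configuration.
# Assumptions: HAProxy 2.4+, cert+key PEM at /etc/haproxy/certs/test.domain.abc.pem
# (placeholder path), CA bundle at /etc/ssl/certs/ca-certificates.crt.

global
  daemon
  maxconn 256
  log /dev/log local0 debug

defaults
  mode http
  option httplog
  timeout connect 5000ms
  timeout client 50000ms
  timeout server 50000ms

frontend https_in
  # Terminate TLS here so the request line and headers are visible to ACLs
  bind *:443 ssl crt /etc/haproxy/certs/test.domain.abc.pem
  bind *:80
  # Send plain-HTTP clients to HTTPS before any content rules apply
  http-request redirect scheme https code 301 unless { ssl_fc }

  acl host_test req.hdr(host) -i test.domain.abc

  # Block the three folders: the exact path and anything beneath it.
  # A bare prefix "/folder2" would also match "/folder2abc", so the
  # prefix form carries a trailing slash and the exact form is listed too.
  acl is_static path -i -m str /folder2 /folder3 /folder4
  acl is_static path -i -m beg /folder2/ /folder3/ /folder4/

  # Normalize before the deny rule so "/folder1/../folder2" or
  # "/%66older2" cannot slip past the ACL on the way to the origin.
  http-request normalize-uri path-strip-dotdot
  http-request normalize-uri percent-decode-unreserved

  http-request deny deny_status 403 if host_test is_static

  # The poster's original goal: site root goes to /folder1
  http-request redirect location /folder1 code 302 if host_test { path / }

  use_backend Test1 if host_test
  default_backend Test1

backend Test1
  # Re-encrypt to the origin on 443 and verify its certificate chain
  server Test1 xxx.xxx.xxx.xxx:443 ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt sni str(test.domain.abc)
```

Check the file with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading; afterwards `curl -I https://test.domain.abc/folder2/` should return 403 and `curl -I https://test.domain.abc/` should return 302 with `Location: /folder1`. The SNI-based `Test2_ssl` routing from the original config would need its own certificate on the `bind` line (or a directory of certificates) to move to `mode http` the same way.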