Load ACL value from map

How do I load an ACL value (src) from a map (req.hdr)?

I’m trying to allow/deny traffic from specific IP networks to specific domains, without repeating ACL rules in the HAProxy config, and creating per-domain map files.

This is what I came up with:

acl ip_network_allowed src %[req.hdr(host),lower,map(/etc/haproxy/domain_ip.map)]
tcp-request connection reject if { req.hdr(host),lower,map(/etc/haproxy/domain_ip.map) -m found } ip_network_allowed

… where /etc/haproxy/domain_ip.map has the format req.hdr + space-separated IP networks:

example.com ::1

However, HAProxy apparently does not expect the %[] syntax there:

error detected while parsing ACL 'ip_network_allowed' : '%[req.hdr(host),lower,map(/etc/haproxy/domain_ip.map)]' is not a valid IPv4 or IPv6 address.

I’m unable to find in which context this syntax is supported.

Why would you need the ACL at all?
What exactly does the tcp-request rule not accomplish here that you need an ACL for?

tcp-request connection reject if { req.hdr(host),lower,map(/etc/haproxy/domain_ip.map) -m found }

I did play around with that syntax, but got blocked (pun not intended).

To begin with, this is a mode http frontend, so I used http-request deny.

Second, I read your rule as rejecting the connection when req.hdr(host) is present in the map (-m found). As I want to deny the HTTP request when it is present in the map, and the request IP address is not in the space-separated map value, I tried:

http-request deny if { req.hdr(host),lower,map(/etc/haproxy/domain_ip.map) -m found } !{ req.hdr(host),lower,map(/etc/haproxy/domain_ip.map) }

… but that matches all requests to any domain present in the map.

This is definitely PEBKAC, but I’m getting a bit lost between the starter guide, configuration manual, blog, HAPEE docs and the (new?) configuration tutorials at HAProxy documentation.
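As an added illustration (not part of the thread, and not HAProxy code), the following Python models the policy the question describes: a map file keyed by host whose value is a space-separated list of IP networks, and a rule that denies a request when the host is in the map and the client address is in none of the listed networks. The map content, hostnames and addresses are constructed for the example. It also separates the two checks the attempted rule conflates: whether the map lookup found a value at all, and whether the client address falls inside that value. The first check gives the same answer for every client of a listed host, which is why it cannot stand in for the address test.

```python
"""Model of the intended host -> allowed-networks policy.

Constructed example: it parses a map file in the format the question
describes (host key, then space-separated IP networks) and evaluates
allow/deny for a (host, src) pair with the semantics the poster wants.
It is not HAProxy configuration and does not claim to reproduce HAProxy's
ACL evaluation; it only models the decision the rule is meant to make.
"""
import ipaddress

# Constructed map content in the question's format (host, then networks).
DOMAIN_IP_MAP = """\
# host           allowed networks (space separated)
example.com      ::1 10.0.0.0/8
intranet.test    192.168.1.0/24 fd00::/8
"""


def parse_map(text):
    """Return {host: [ip_network, ...]}; blank lines and '#' comments are skipped."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, *nets = line.split()
        # strict=False tolerates host bits set in a prefix such as 10.1.0.0/8
        table[host.lower()] = [ipaddress.ip_network(n, strict=False) for n in nets]
    return table


def lookup(table, host):
    """Map lookup on the lower-cased host; None when the key is absent."""
    return table.get(host.lower())


def value_found(table, host):
    """Only answers 'is the host a key in the map with a non-empty value?'.
    This never looks at the client address, so it is the same for every
    client of a listed host and cannot express the allow-list check."""
    value = lookup(table, host)
    return value is not None and len(value) > 0


def deny_intended(table, host, src):
    """Intended rule: deny when the host is in the map AND src is in none of
    the listed networks. Hosts absent from the map are left alone."""
    nets = lookup(table, host)
    if nets is None:
        return False
    addr = ipaddress.ip_address(src)
    # 'addr in net' is False when the address families differ, so a mixed
    # IPv4/IPv6 list in the map value is handled without special cases.
    return not any(addr in net for net in nets)


if __name__ == "__main__":
    table = parse_map(DOMAIN_IP_MAP)
    for host, src in [("example.com", "::1"),
                      ("Example.COM", "10.1.2.3"),
                      ("example.com", "203.0.113.5"),
                      ("unlisted.test", "203.0.113.5")]:
        print(f"{host:14} {src:14} found={value_found(table, host)!s:5} "
              f"deny={deny_intended(table, host, src)}")
```

Running it prints one line per constructed request; note that `found` is identical for every client of example.com while `deny` changes with the source address, which is the distinction the rule has to capture.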

You are right, I missed that.

This will require some more tinkering to combine the two conditions, I don’t have a solution at the top of my head.