Segregate haproxy ACLs

danielcamargo · December 22, 2021, 6:05pm

Hi all,

I have a haproxy config where I attempt to restrict allowed origins to a few endpoints, it looks like this:

    acl is_allowed_endpoint req.hdr(Host) -i  endpoint1.com
    acl is_allowed_endpoint_origin var(txn.origin) -i -m end -f /etc/haproxy/acls/endpoint1_origins.acl
    acl is_allowed_endpoint req.hdr(Host) -i  endpoint2.com
    acl is_allowed_endpoint_origin var(txn.origin) -i -m end -f /etc/haproxy/acls/endpoint2_origins.acl

    http-request use-service lua.forbidden   unless is_allowed_endpoint is_allowed_endpoint_origin

My ACLs content would look like
endpoint1_origins.acl

origin1.com
origin2.com

endpoint2_origins.acl

origin3.com
origin4.com

And it works fine, it blocks requests that are not from those origins exactly as I want. My problem is that it seems haproxy keeps looping an OR through all the ACLs with the same name, that is I can access my endpoint1 with the origins from endpoint2 and vice versa.

Is there a way I could segregate those ACLs so that origins from endpoint1_origins.acl only work for endpoint1.com ?

Topic		Replies	Views
ACL multiple fetches Help!	4	795	October 14, 2021
How do I setup acls to split a server by directory Help!	2	1230	June 13, 2018
Haproxy acl to block ips and host header Help!	2	2211	December 17, 2020
HAproxy configuration Help!	6	1682	June 10, 2018
Backend server variables Help!	4	1202	August 16, 2018

Segregate haproxy ACLs

Related Topics