Hi all,
I have a haproxy config in which I attempt to restrict allowed origins to a few endpoints; it looks like this:
acl is_allowed_endpoint req.hdr(Host) -i endpoint1.com
acl is_allowed_endpoint_origin var(txn.origin) -i -m end -f /etc/haproxy/acls/endpoint1_origins.acl
acl is_allowed_endpoint req.hdr(Host) -i endpoint2.com
acl is_allowed_endpoint_origin var(txn.origin) -i -m end -f /etc/haproxy/acls/endpoint2_origins.acl
http-request use-service lua.forbidden unless is_allowed_endpoint is_allowed_endpoint_origin
The content of my ACL files looks like this:

endpoint1_origins.acl:
origin1.com
origin2.com

endpoint2_origins.acl:
origin3.com
origin4.com
And it works fine; it blocks requests that are not from those origins, exactly as I want. My problem is that haproxy seems to OR together all the ACLs with the same name, that is, I can access my endpoint1 with the origins from endpoint2 and vice versa.
Is there a way I could segregate those ACLs so that origins from endpoint1_origins.acl only work for endpoint1.com?
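One way to get the per-endpoint behaviour asked for above, as an added example and not part of the original post: give each endpoint's host ACL and origin ACL distinct names, so haproxy no longer merges them, and pair them explicitly in the condition (adjacent ACLs are AND-ed, `||` separates the OR branches). It assumes `txn.origin` is filled from the `Origin` header before these rules run; the `set-var` line showing that is an assumption, as it is not in the original config.

```haproxy
# Assumption: txn.origin is populated from the Origin request header.
http-request set-var(txn.origin) req.hdr(Origin)

# Every "acl" line that shares a name is OR-ed into one ACL, which is why
# reusing is_allowed_endpoint / is_allowed_endpoint_origin for both hosts
# let either origin list satisfy either host. Distinct names keep them apart.
acl host_ep1   req.hdr(Host)   -i endpoint1.com
acl origin_ep1 var(txn.origin) -i -m end -f /etc/haproxy/acls/endpoint1_origins.acl

acl host_ep2   req.hdr(Host)   -i endpoint2.com
acl origin_ep2 var(txn.origin) -i -m end -f /etc/haproxy/acls/endpoint2_origins.acl

# AND binds tighter than ||, so each origin list is consulted only for its
# own host: the request is allowed when (host_ep1 AND origin_ep1)
# OR (host_ep2 AND origin_ep2); everything else goes to the lua service.
http-request use-service lua.forbidden unless host_ep1 origin_ep1 || host_ep2 origin_ep2

# Caveat on "-m end": a suffix match on "origin1.com" also accepts any Origin
# value that merely ends in those characters. Listing full origins such as
# "https://origin1.com" in the .acl files and matching with -m str is stricter.
```

If you switch the origin files to full origin strings, use `-m str` on the `origin_ep*` lines instead of `-m end` so the comparison is exact rather than a suffix test.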