HAProxy community

Using cookies for ACL

First, apologies if I’m being a fool, but I am new to HAProxy. I’m using it in pfSense as a reverse proxy and want an ACL that checks for the presence of a cookie, and only forwards to the backend if it’s present.

After searching, I created the ACL in the frontend like so: “req.cook(organizrLanguage) -m found”

I did try to add has_cookie but it threw an error when loading the config of "unknown fetch method ‘has_cookie’ in ACL expression". Is that needed? If I use this ACL I only get a 503 error. What am I doing wrong? Eventually I want to replace that cookie with the value of a token, but if I can get this working I’ll have taken the first step.

Try working with req.cook_cnt and the returned counter:

req.cook_cnt(organizrLanguage) gt 0

Actually gt 0 may not even be necessary, int 0 should be seen as false automatically.

I’ve tried both options, but I’m still getting a 503. To be clear, I don’t need to define this further in actions too somehow, do I? I’ve simply used e.g.

and named it ACL12. So I only need to list ACL12 as the condition ACL name? I’m at a loss as to why this doesn’t work.

You need to share the complete configuration, I cannot possibly tell otherwise.

Apologies, I should have done that sooner. Here it is:

# Automatically generated, don't edit manually.
# Generated on: 2019-05-30 00:01

maxconn 1000
stats socket /tmp/haproxy.socket level admin
gid 80
nbproc 1
hard-stop-after 15m
chroot /tmp/haproxy_chroot
tune.ssl.default-dh-param 2048
log-send-hostname HaproxyMasterNode
server-state-file /tmp/haproxy_server_state

listen HAProxyLocalStats
bind name localstats
mode http
stats enable
stats admin if TRUE
stats show-legends
stats uri /haproxy/haproxy_stats.php?haproxystats=1
timeout client 5000
timeout connect 5000
timeout server 5000

frontend http-to-https
bind X.X.X.X:80 name X.X.X.X:80
mode http
log global
option http-keep-alive
timeout client 30000
acl mydomain.co.uk-Redirect var(txn.txnhost) -m beg -i mydomain.co.uk
acl mydomain.co.uk var(txn.txnhost) -m str -i www.mydomain.co.uk
http-request set-var(txn.txnhost) hdr(host)
http-request redirect scheme https

frontend shared-frontend-merged
bind name no-sslv3 force-tlsv12 ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 ssl crt-list /var/etc/haproxy/shared-frontend.crt_list
mode http
log global
option http-keep-alive
option forwardfor
acl https ssl_fc
http-request set-header X-Forwarded-Proto http if !https
http-request set-header X-Forwarded-Proto https if https
timeout client 30000
acl ACL1 var(txn.txnhost) -m str -i mydomain.co.uk
acl ACL2 var(txn.txnhost) -m str -i mydomain.co.uk

acl aclcrt_shared-frontend var(txn.txnhost) -m reg -i ^www.mydomain.co.uk(:([0-9]){1,5})?
acl aclcrt_shared-frontend var(txn.txnhost) -m reg -i ^mydomain\.co\.uk(:([0-9]){1,5})?

acl aclcrt_shared-frontend var(txn.txnhost) -m reg -i ^mysub.mydomain.co.uk(:([0-9]){1,5})?$

acl ACL6 var(txn.txnhost) -m str -i mysub.mydomain.co.uk

use_backend MyBackendServer_ipv4 if ACL6 ACL12

backend MyBackendServer

mode http
id 10106
log global
timeout connect 30000
timeout server 30000
retries 3
source ipv4@ usesrc clientip
server MyServer id 10101 check inter 1000


I can’t actually see any sign of the custom ACL12, only that it should be used. Yet here’s a screenshot of pfsense:

I appreciate the help. I’ve been loving HAproxy but I can’t understand why this doesn’t work.

I don’t know anything about this GUI. If the configuration you think you applied doesn’t show up in the actual configuration, I don’t know what to tell you. Talk to the pfsense guys.

Make sure the GUI is really only using a single configuration file, because it’s also possible to use multiple configuration files.
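As an added example (not from the thread and not pfSense-generated), a minimal hand-written frontend/backend pair that gates routing on the cookie from the question using the fetches suggested in the reply, and that gives non-matching requests an explicit response instead of the 503 the asker saw. Hostnames, addresses, certificate path and backend names are placeholders.

```haproxy
# Added example; hostnames, addresses and paths are placeholders.
frontend www
    bind :443 ssl crt /etc/haproxy/certs/example.pem
    mode http

    # Host match, the equivalent of ACL6 in the posted config.
    acl host_mysub hdr(host) -i mysub.example.test

    # Cookie presence. Either fetch works; the second is the one from the reply.
    acl has_lang_cookie     req.cook(organizrLanguage) -m found
    acl has_lang_cookie_cnt req.cook_cnt(organizrLanguage) gt 0

    # Later, to check the cookie's value rather than just its presence:
    #   acl lang_is_en req.cook(organizrLanguage) -m str en

    # Explicit refusal when the host matches but the cookie is absent.
    # Without a rule like this (or a default_backend), a request that
    # matches no use_backend line gets a 503 from HAProxy itself, which
    # is indistinguishable at first glance from a dead backend.
    http-request deny deny_status 403 if host_mysub !has_lang_cookie

    # Only forward when BOTH the host and the cookie ACL match.
    use_backend app if host_mysub has_lang_cookie
    default_backend fallback

backend app
    mode http
    server app1 192.0.2.10:8080 check

backend fallback
    mode http
    http-request deny deny_status 404
```

Validate the file before loading it with `haproxy -c -f /path/to/example.cfg`; a missing ACL name referenced by `use_backend`, as in the thread, is reported at this step rather than at request time.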