• March 25, 2024

HAProxy ACL Regex

Configuration | ACLs | Syntax | HAProxy Enterprise 2.4r1

An ACL is split into four parts:

  - a name for the ACL, which you choose
  - a fetch to collect information from the client's session
  - optional flags
  - a value to match against

In the example below, we mark these parts:

frontend www
  bind :80
  #   name      fetch flags     value
  acl image_url path  -i -m beg /images/

Fetches

An ACL compares a value with a result from a fetch method. See Fetches to learn more about fetch methods. The fetch part of an ACL returns a value of a certain data type. For example, the path fetch returns a string, which you match against an expected string value. In the previous example, we attempted to match the path fetch against the string /images/.

The data types are:

  - Boolean
  - Integer (signed or unsigned)
  - IPv4 or IPv6 address
  - String
  - Binary data block

Here are examples of ACLs that use fetches of various data types:

frontend www
  # Boolean. Did the connection arrive over SSL?
  # Note that boolean expressions do not include an explicit value to match against.
  acl ssl_was_used ssl_fc
  # Integer. Is the destination port 8080?
  acl is_8080 dst_port 8080
  # IP address. Is the destination IP address localhost (i.e. 127.0.0.1)?
  acl localhost dst 127.0.0.1
  # Binary. Does the request body contain the substring 'PING'?
  # For binary fetches, you must set a match type.
  acl contains_ping -m sub PING

ACL Flags

ACLs support the following flags:

  Flag  Description
  -i    Ignores case during matching of all subsequent patterns.
  -f    Loads patterns from a file.
  -m    Uses a specific pattern matching method.
  -n    Forbids DNS resolution.
  -M    Loads the file pointed to by -f like a map file.
  -u    Forces the ACL unique id.
  --    Forces end of flags; useful when a pattern looks like one of the flags.

-f Flag

The -f flag loads a file that contains values to match against. It must be followed by the name of a file from which HAProxy Enterprise reads all lines as individual patterns. It is possible to pass multiple -f arguments if the patterns come from multiple files.

Example file

HAProxy Enterprise configuration:

frontend www
  acl images_url path -i -m beg -f /etc/hapee-2.3/

Things to know

  - Empty lines are ignored.
  - Lines starting with a sharp (#) are ignored.
  - All leading spaces and tabs are stripped.
  - If you use -f in conjunction with -m, the -m must come first.

-M Flag

The -M flag allows an ACL to load a map file. A map file contains two columns: the first column is a key and the second is an associated value. An ACL line reads only the first column, but you can use the second column later, for example through the map converter on an http-request line.

Example file

The ACL only considers the first column, in the same way as the -f flag with a single-column file. However, the http-request redirect line that follows finds the matching Host header in the key column and fills in the redirect URL from the value column:

frontend www
  # Does the Host header match a key in the map file?
  acl requires_redirect hdr(Host) -i -M -f /etc/hapee-2.3/
  # Use the correct redirect URL based on the Host header
  http-request redirect prefix %[hdr(Host),lower,map(/etc/hapee-2.3/)] code 301 if requires_redirect

Note that the ACL matches keys case-insensitively (-i) while the redirect looks the key up after lower-casing the Host value, so keep the key column in lower case; otherwise a mixed-case key can satisfy the ACL and still miss in the map lookup, leaving the redirect prefix empty.

-u Flag

The -u flag lets you set the unique ID for the ACL. When you run the Runtime API command show acl, it displays a unique ID next to each ACL you have defined:

$ echo "show acl" | socat tcp-connect:127.0.0.1:9024 -
# id (file) description
0 () acl 'ssl_fc' file '/etc/hapee-2.1/' line 45
1 () acl 'dst_port' file '/etc/hapee-2.1/' line 48
2 () acl 'dst' file '/etc/hapee-2.1/' line 51
3 () acl '' file '/etc/hapee-2.1/' line 55
4 () acl 'path' file '/etc/hapee-2.1/' line 6

You can use other Runtime API commands, such as get acl, to test a particular value against an ACL, which you reference by its unique ID:

$ echo "get acl #4 /images/" | socat tcp-connect:127.0.0.1:9024 -
type=str, case=sensitive, match=yes, idx=tree, pattern="/images/"
$ echo "get acl #4 /test/" | socat tcp-connect:127.0.0.1:9024 -
type=str, case=sensitive, match=no

By default, HAProxy Enterprise controls the unique ID for each ACL. However, you can use the -u flag to set it yourself:

frontend www
  acl image_url path_beg -i -u 50 /images/

-m Flag

The -m flag sets a specific match type to use when comparing against the input sample. All fetches imply a matching type and generally do not need this flag. However, it is useful with generic fetches to make the match type explicit or to override the default match type.

Things to know

  - If you use -f in conjunction with -m, the -m must come first.
  - Not all match types work with all sample fetch methods.

The match type must be one of the following:

  Code   Description
  found  Only checks for the existence of the requested sample in the stream. For example, use this to check whether a URL parameter exists, without concern for its value.
  bool   Matches the sample as a Boolean. This method only applies to fetches that return a boolean or integer value. Value zero or false does not match; all other values match.
  int    Matches the sample as an integer. It can apply to integer and boolean samples. Boolean false is integer 0, true is integer 1.
  ip     Matches the sample as an IPv4 or IPv6 address. It is compatible with IP address samples only.
  bin    Matches the sample against a hexadecimal string representing a binary sequence. It can apply to binary or string samples.
  len    Matches the sample's length as an integer.
  str    Exact string match.
  sub    Substring match: checks that the sample contains at least one of the provided string patterns.
  reg    Regex match: matches the sample against a list of regular expressions. This can work with binary or string samples.
  beg    Prefix match: checks that the sample begins like any of the provided patterns.
  end    Suffix match: checks that the sample finishes like any of the provided patterns.
  dir    Subdir match: checks that a slash-delimited portion of the sample exactly matches one of the provided patterns.
  dom    Domain match: checks that a dot-delimited portion of the sample exactly matches one of the provided patterns.

-n Flag

The -n flag forbids DNS resolutions when loading IP addresses from a file.
By default, when the parser cannot parse an IP address, it considers the parsed string to be a domain name and tries to resolve it using DNS. If the DNS server is not reachable, HAProxy Enterprise configuration parsing can take several minutes waiting for DNS timeouts, and it displays no error messages during that time. This flag avoids that scenario entirely: a line that is not a literal address becomes a parse error instead of a lookup.

Example

An IP address file contains a gibberish domain name on its second line:

192. 168. 10

HAProxy Enterprise configuration:

frontend www
  acl safe_ip src -n -f /etc/hapee-2.1/
  tcp-request content reject unless safe_ip

When reloading HAProxy, the following error displays:

error detected while parsing ACL 'safe_ip': '' is not a valid IPv4 or IPv6 address at line 2

Special matching

Some expressions go beyond the simple matching rules described so far. For example, you can match a range of integers or a range of IP addresses.

Match integer ranges

Express a range of integers as a lower and an upper bound separated by a colon:

frontend www
  # Is the response status from the server between 500 and 511?
  acl response_5xx status 500:511

When one of the bounds is missing, the range has no start or no end: it matches anything higher than or equal to the given lower bound, or anything lower than or equal to the given upper bound.

frontend www
  bind *:80
  # Is port 1024 or higher?
  acl high_port port 1024:
  # Is port 1023 or lower?
  acl low_port port :1023

Match integer operators

Use operators to compare two integers:

frontend www
  # Is the HTTP response body greater than 10000 bytes?
  acl 10kb_response dy_len gt 10000

Available operators for integer matching are:

  Operator  Description
  eq        true if the sample equals at least one pattern.
  ge        true if the sample is greater than or equal to at least one pattern.
  gt        true if the sample is greater than at least one pattern.
  le        true if the sample is less than or equal to at least one pattern.
  lt        true if the sample is less than at least one pattern.

Match decimal numbers

As a special case, some ACL functions support decimal numbers, which are two integers separated by a period. In the example below, the two ACLs tlsv1 and ssl3_or_tls1 call the req.ssl_ver fetch method, which returns a decimal number indicating the version of SSL/TLS used. We compare that value with the literal value 3.1 and with the range 3:3.1:

frontend www
  # Match TLS v1.0
  acl tlsv1 req.ssl_ver 3.1
  # Match SSL 3.0 or TLS 1.0
  acl ssl3_or_tls1 req.ssl_ver 3:3.1

All integer properties apply to decimal numbers, including ranges and operators.

Match strings

String matching applies to string or binary fetch methods or converters, and can be categorized into six match types. Use the -m flag to indicate the match type:

  Match type       Flag    Description
  Exact match      -m str  Matches the string exactly.
  Substring match  -m sub  Matches a portion of the string.
  Prefix match     -m beg  Matches the beginning of the string.
  Suffix match     -m end  Matches the end of the string.
  Subdir match     -m dir  Matches part of a URL or file path, delimited with slashes (/).
  Domain match     -m dom  Matches part of a domain, delimited with periods (.).

Things to know

  - String matching applies to verbatim strings as they pass, with the exception of the backslash (\), which lets you escape characters such as the space.
  - When the flag -i is passed before the first string, the matching is not case-sensitive.
  - To match the pattern -i, you can either place it after another pattern, or pass the flag -- before the first pattern. The same applies to matching the pattern --.

Match regular expressions

Use the -m reg match type to compare a fetch method's value with a regular expression. You can escape backslashes by prefixing them with another backslash (\\).

frontend www
  # Path contains cat, caat, caaat, etc.
  acl contains_cat path -m reg ca+t

Things to know

  - When the flag -i is passed before the first regex, the matching is not case-sensitive.
  - To match the literal -i, you can either place it after another pattern, or pass the flag -- before the first pattern.

Match arbitrary data blocks

It is possible to match samples against a binary block when you cannot safely represent it as a string. To do this, pass the patterns as an even number of hexadecimal digits and set the match type to bin. Each sequence of two digits represents a byte. The hexadecimal digits can be in either upper or lower case.

frontend www
  # Match the string Hello at the beginning of the input stream
  # (Hexadecimal values: x48 x65 x6c x6c x6f x0a)
  acl hello payload(0,6) -m bin 48656c6c6f0a

Match IPv4 and IPv6 addresses

You can match against IPv4 addresses with or without an appended netmask. When you use a netmask, the IPv4 address matches whenever it is within the network. You can enter IPv6 addresses in their usual form with or without an appended netmask. Only bit counts are accepted for IPv6 netmasks.

frontend www
  # Is the client's IP address localhost?
  acl is_localhost src 127.0.0.1
  # Is the client's IP address in the IPv4 range?
  acl allowed_ipv4 src 192. 0/16
  # Is the client's IP address in the given IPv6 range?
  acl allowed_ipv6 src 2001:db8::/48
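The integer, decimal and IP pattern forms above, and the -n rule for pattern files, are easy to get subtly wrong, so here is an added example, written for this page and not taken from HAProxy or its documentation, that models those rules in Python. It assumes only what the text states: ranges are inclusive and a missing bound leaves that side open, decimals compare as (major, minor) pairs, IPv4 masks may be dotted or bit counts while IPv6 masks must be bit counts, pattern files skip blank and # lines and strip leading whitespace, and, as with -n, a line that is not a literal address is an error that names the line number. The pattern-file contents and the sample values are constructed for the example.

```python
# Added example: a Python model of HAProxy's integer, decimal and IP
# pattern rules and of the -f/-n pattern-file rules. Not HAProxy code.
import ipaddress
import operator

OPERATORS = {"eq": operator.eq, "ge": operator.ge, "gt": operator.gt,
             "le": operator.le, "lt": operator.lt}


def parse_number(text):
    """'8080' -> (8080,), '3.1' -> (3, 1). Tuples order correctly as
    major.minor decimals, e.g. (3,) <= (3, 0) < (3, 1) < (4,)."""
    return tuple(int(part) for part in str(text).split("."))


def int_predicate(words):
    """Callable for the pattern words of an integer ACL, e.g.
    ["500:511"], ["1024:"], [":1023"], ["gt", "10000"], ["3:3.1"]."""
    if len(words) == 2 and words[0] in OPERATORS:
        op, bound = OPERATORS[words[0]], parse_number(words[1])
        return lambda sample: op(parse_number(sample), bound)
    if len(words) != 1:
        raise ValueError("unsupported integer pattern: %r" % (words,))
    if ":" in words[0]:
        low, high = words[0].split(":", 1)
        lo = parse_number(low) if low else None    # empty side = open
        hi = parse_number(high) if high else None  # bounds are inclusive

        def in_range(sample):
            value = parse_number(sample)
            return (lo is None or value >= lo) and (hi is None or value <= hi)
        return in_range
    exact = parse_number(words[0])
    return lambda sample: parse_number(sample) == exact


def parse_ip_pattern(token):
    """IPv4: bare address, 'a.b.c.d/bits' or 'a.b.c.d/m.m.m.m'.
    IPv6: bare address or 'addr/bits'; any other mask form is refused."""
    if "/" in token:
        addr, mask = token.split("/", 1)
        if ":" in addr and not mask.isdigit():
            raise ValueError("IPv6 netmask must be a bit count: %r" % token)
    return ipaddress.ip_network(token, strict=False)


def load_ip_patterns(lines, no_dns=True):
    """Read a -f pattern file: blank and '#' lines are skipped, leading
    spaces/tabs stripped. no_dns=True is what -n does: a token that is not
    a literal address is a parse error naming the line, never a DNS lookup.
    With no_dns=False this model only records which lines would be looked
    up; it deliberately performs no resolution."""
    networks, would_resolve = [], []
    for lineno, raw in enumerate(lines, 1):
        line = raw.lstrip(" \t")
        if not line.strip() or line.startswith("#"):
            continue
        token = line.split()[0]
        try:
            networks.append(parse_ip_pattern(token))
        except ValueError:
            if no_dns:
                raise ValueError("'%s' is not a valid IPv4 or IPv6 address "
                                 "at line %d" % (token, lineno))
            would_resolve.append((lineno, token))
    return networks, would_resolve


def ip_match(sample, networks):
    """True if the sample address lies inside any loaded network
    (an IPv4 address never matches an IPv6 network or vice versa)."""
    addr = ipaddress.ip_address(sample)
    return any(addr in net for net in networks)


# Constructed pattern file, line by line as HAProxy would read it.
SAFE_IP_FILE = ["# trusted client ranges", "", "\t10.0.0.0/8",
                "192.168.1.0/255.255.255.0", "2001:db8::/48"]
# The same file with a hostname appended: with -n this is a hard error.
BAD_IP_FILE = SAFE_IP_FILE + ["gateway.internal.example"]


def demo():
    """Evaluate the ACLs from the text against constructed samples."""
    networks, _ = load_ip_patterns(SAFE_IP_FILE)
    return {
        "response_5xx 500:511 vs 503": int_predicate(["500:511"])(503),
        "high_port 1024: vs 80": int_predicate(["1024:"])(80),
        "low_port :1023 vs 443": int_predicate([":1023"])(443),
        "10kb_response gt 10000 vs 10000": int_predicate(["gt", "10000"])(10000),
        "ssl3_or_tls1 3:3.1 vs 3.1": int_predicate(["3:3.1"])("3.1"),
        "ssl3_or_tls1 3:3.1 vs 3.2": int_predicate(["3:3.1"])("3.2"),
        "safe_ip vs 10.20.30.40": ip_match("10.20.30.40", networks),
        "safe_ip vs 2001:db8:1::1": ip_match("2001:db8:1::1", networks),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Running the file prints the demo() results. The points to take from it: gt 10000 excludes 10000 itself, :1023 and 1024: are closed at their one bound, 3:3.1 accepts 3.0 and 3.1 but not 3.2, and with no_dns=True a hostname that slips into an allow-list file fails loudly at load time with the line number, instead of resolving to whatever DNS answers or stalling the reload.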
Wildcard in subdomain for ACL in HAPROXY - Stack Overflow

You want hdr_reg() (“reg”ex), not hdr_beg() (literal string prefix/”beg”inning).
acl instagiveweb hdr_reg(host) -i ^foo[^.]*\.example$
This should match the entire host header only if it begins with foo, followed by 0 or more of any character except ., followed by .example at the end of the value.
answered May 13 '16 at 0:03 by Michael - sqlbot
Reg Exp for URL in HAProxy - Server Fault

I'm trying to build a regexp for HAProxy that will match the second URL and direct it to a different ACL than the first:
The issue is that my first regexp matches both URLs above when it should only match the second one. I can't find more documentation on HAProxy's regex format either, so I'm not even sure where to reference the regexp format I should be using for matching. Can regexp pros help me? I'm new to this, thanks.
acl filebrowser_route path_reg ^/path/. *
acl filebrowser url_beg /path
asked Oct 15 ’15 at 16:34
You need to construct two regexes that are mutually exclusive: only one can be true at a time.
How about if you make the second item be a regex like:
^/path[^/]
The [^/] means “any character that is not /”.
Here are three URLs that are mutually exclusive:
acl fb1 path_reg ^/path$      # Just /path
acl fb2 path_reg ^/path/$     # Just /path/
acl fb3 path_reg ^/path/..*$  # /path/ plus at least 1 character
answered Oct 15 '15 at 17:25 by TomOnTime
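Both answers hinge on how HAProxy's string match types differ from one another, and on a regex being searched rather than anchored. The following Python model is an added example, not code from HAProxy, from the HAProxy Enterprise documentation, or from either answerer: acl_match() implements -m str, sub, beg, end, dir, dom and reg (with -i) as the ACL syntax section above describes them, with dir and dom simplified to a single delimiter each ('/' and '.'). It then runs the Stack Overflow hdr_reg(host) pattern and the Server Fault path_reg patterns against constructed Host values and paths; url_beg is evaluated on the path here, which is what the URL is for an origin-form request without a query string.

```python
# Added example: a Python model of HAProxy's string match types and the
# -i flag, applied to the hdr_reg(host) and path_reg answers. Not
# HAProxy code; dir/dom use one delimiter each as a simplification.
import re


def _delimited(sample, pattern, delim):
    """dir/dom semantics: the pattern must occur in the sample bounded on
    both sides by delim or by the start/end of the string. Delimiters at
    the ends of the pattern itself are ignored ('/images/' means 'images')."""
    needle = pattern.strip(delim)
    start = 0
    while needle:
        i = sample.find(needle, start)
        if i < 0:
            return False
        end = i + len(needle)
        if (i == 0 or sample[i - 1] == delim) and \
           (end == len(sample) or sample[end] == delim):
            return True
        start = i + 1
    return False


def acl_match(method, sample, patterns, ignore_case=False):
    """Evaluate one `acl <name> <fetch> [-i] -m <method> <patterns...>`
    line against a sample; True if any pattern matches."""
    if method == "reg":
        flags = re.IGNORECASE if ignore_case else 0
        # A regex is searched, not anchored: without ^ and $ it matches
        # anywhere inside the sample.
        return any(re.search(p, sample, flags) for p in patterns)
    checks = {
        "str": lambda s, p: s == p,
        "sub": lambda s, p: p in s,
        "beg": lambda s, p: s.startswith(p),
        "end": lambda s, p: s.endswith(p),
        "dir": lambda s, p: _delimited(s, p, "/"),
        "dom": lambda s, p: _delimited(s, p, "."),
    }
    s = sample.lower() if ignore_case else sample
    return any(checks[method](s, p.lower() if ignore_case else p)
               for p in patterns)


# Constructed Host header values and request paths (not real traffic).
HOSTS = ["foo.example", "foobar.example", "FOO.example", "foo.evil.example",
         "foo.example.attacker.test", "notfoo.example"]
PATHS = ["/path", "/path/", "/path/index.html", "/pathology", "/other/path"]


def matching_hosts(regex, ignore_case=True):
    """Hosts accepted by `hdr_reg(host) -i <regex>`; -i is the default
    here because the Stack Overflow answer uses it."""
    return [h for h in HOSTS if acl_match("reg", h, [regex], ignore_case)]


def path_rule_results():
    """Which constructed paths each rule from the Server Fault thread
    matches, plus -m dir for comparison."""
    rules = {
        "url_beg /path": ("beg", ["/path"]),
        "path_reg ^/path$": ("reg", [r"^/path$"]),
        "path_reg ^/path/$": ("reg", [r"^/path/$"]),
        "path_reg ^/path/..*$": ("reg", [r"^/path/..*$"]),
        "path_reg ^/path[^/]": ("reg", [r"^/path[^/]"]),
        "path -m dir /path": ("dir", ["/path"]),
    }
    return {name: [p for p in PATHS if acl_match(method, p, pats)]
            for name, (method, pats) in rules.items()}


if __name__ == "__main__":
    print("anchored  :", matching_hosts(r"^foo[^.]*\.example$"))
    print("unanchored:", matching_hosts(r"foo\.example"))
    for rule, hits in path_rule_results().items():
        print("%-22s %s" % (rule, hits))
```

The anchored ^foo[^.]*\.example$ accepts foo.example and foobar.example (and FOO.example because of -i) and rejects foo.evil.example and foo.example.attacker.test; drop the anchors and both foo.example.attacker.test and notfoo.example slip through, which is the usual way a host-based routing rule ends up serving a domain it was never meant to. On the path side, url_beg /path also matches /pathology, the three anchored path_reg rules are mutually exclusive as the answer says, and -m dir /path matches the path segment wherever it appears (including /other/path) but never /pathology.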
