On 28.10.2014, at 10:13, Julian Pawlowski <jul...@pawlowski.me> wrote:

> I was wondering if there is a way to have HAproxy check for an existing
> Cookie the client sends and have it verify with a specific backend (say
> backend1). Based on that backend's HTTP error code (e.g. 200 or 403), HAproxy
> should allow forwarding to backend2. Of course this would need to be checked
> for every request but as this is not a high traffic site that wouldn’t be an
> issue.

Okay, I guess I made some progress. Maybe that helps somebody else to give me a helping hand in completing this.

My primary backend application now sends customized headers like these once, after the user was successfully authorized:

    X-APPNAME-AllowUser: APPSESSION=lkjhgsadkfjhsadjfhg
    X-APPNAME-Validity: <UNIXTIMESTAMP-until-session-ends>
    Location: /backend2

I think I can now add some ACLs in the HAproxy configuration of my primary backend:

    acl allowAPPNAMEUser res.hdr(X-APPNAME-AllowUser) -m found
    acl disallowAPPNAMEUser res.hdr(X-APPNAME-DisallowUser) -m found
    http-response set-map(/var/lib/haproxy/appname_user_sessions.lst) %[res.hdr(X-APPNAME-AllowUser)] %[res.hdr(X-APPNAME-Validity)] if allowAPPNAMEUser
    http-response del-map(/var/lib/haproxy/appname_user_sessions.lst) %[res.hdr(X-APPNAME-DisallowUser)] if disallowAPPNAMEUser

I tried these but don’t know if they are actually working because I wasn’t able to get anything about it from the logfiles. Also the map files are not written, even though I created empty files and ensured r/w access for the HAproxy daemon user.

For /backend2, I think I might just need to add an ACL to my frontend similar to this, but I’m not sure:

    use_backend bk_backend2 if { hdr_sub(cookie),map_str(/var/lib/haproxy/appname_user_sessions.lst) -m found }

About session expiration: I think I cannot have HAproxy make any cleanups on its own besides using the info should a user explicitly use the logout function via the primary backend (X-APPNAME-DisallowUser ...). The plan is to have a cronjob running, cleaning the appname_user_sessions.lst based on the second column I added from the X-APPNAME-Validity header.

However, I’m still somehow stuck on this. Any help would be very much appreciated (it’s for an OpenSource project if that counts).

Many thanks in advance.

Julian
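
The expiry cleanup described in the message above, as an added example (not part of the original post and not HAProxy project code). HAProxy applies `set-map` and `del-map` to the map held in memory and does not write the file on disk, so this sketch lists and prunes entries through the stats socket with `show map` and `del map`. Assumptions: the socket path, a socket level that permits `del map`, and that an entry with an unparsable validity value should be treated as expired.

```python
import socket
import time

MAP_PATH = "/var/lib/haproxy/appname_user_sessions.lst"  # map path from the post
STATS_SOCKET = "/var/run/haproxy.sock"  # assumption: stats socket with admin level

# Constructed sample of `show map <file>` output: "<entry ref> <key> <value>"
SAMPLE_SHOW_MAP = """\
0x1a2b3c0 APPSESSION=aaaaaaaaaaaaaaaa 1414490000
0x1a2b400 APPSESSION=bbbbbbbbbbbbbbbb 1414500000
0x1a2b440 APPSESSION=cccccccccccccccc not-a-timestamp
"""

def expired_keys(show_map_output, now):
    """Return map keys whose validity timestamp has passed or cannot be parsed."""
    expired = []
    for line in show_map_output.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue  # blank line that terminates the listing
        try:
            valid_until = int(fields[2])
        except (IndexError, ValueError):
            valid_until = 0  # fail closed: a malformed entry must not stay valid
        if valid_until <= now:
            expired.append(fields[1])
    return expired

def del_commands(keys, map_path=MAP_PATH):
    """Build one `del map` stats-socket command per expired key."""
    return ["del map %s %s" % (map_path, key) for key in keys]

def send_command(command, path=STATS_SOCKET):
    """Send one command; HAProxy answers and closes the connection."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(path)
        s.sendall(command.encode() + b"\n")
        return b"".join(iter(lambda: s.recv(4096), b"")).decode()

def purge(now=None):
    """Cron entry point: drop every expired session from the live map."""
    now = int(time.time()) if now is None else now
    listing = send_command("show map " + MAP_PATH)
    for command in del_commands(expired_keys(listing, now)):
        send_command(command)

if __name__ == "__main__":
    purge()
```

Run from cron, this removes entries from the running process; the `.lst` file on disk is only what HAProxy loads at start.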