Hi,
On 01/10/2015 20:56, CJ Ess wrote:
So I am trying to set some new rules - since I don't have anything handy
to echo requests back to me, I'm using http-response add-header so I can
verify my rules work with curl.
Added to haproxy.cfg:
acl test_origin hdr(X-TEST-IP) -m ip -f /etc/haproxy/acl/test.acl
http-response add-header X-Test test
http-response add-header X-Test internal if test_origin
#http-request deny if test_origin
Added to /etc/haproxy/acl/test.acl
127.0.0.3
I expect that when I do: curl -vvv -H "X-TEST-IP: 127.0.0.3"
http://127.0.0.1:4089/
That I would get a response that included two X-Test headers - however I
am only seeing the first one. "X-Test: test".
If I uncomment the "deny" rule then the request will be denied, so I
believe the acl is working.
If I change the "if test_origin" to "if !test_origin" then I'll see the
second header, so I think the if is being parsed at least.
You're trying to apply an acl on a request header during the response
processing, hence such header is not available anymore in the buffer.
You should look at the warning during haproxy init, you'll probably have:
"acl 'test_origin' will never match because it only involves keywords
that are incompatible with 'backend http-response header rule'"
With the 1.6 dev branch, you can use variables to store the request
value in the session:
http-request set-var(sess.X_TEST_IP) hdr(X-TEST-IP)
acl test_origin var(sess.X_TEST_IP) -m ip -f /etc/haproxy/acl/test.acl
During the request processing, the header is stored at the session
scope, which will be available during the response processing.
--
Cyril Bonté
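
The approach from the reply above, placed in a complete minimal configuration. This is an added example, not configuration posted in the thread: the section names fe_test and be_test, the timeouts and the backend server address are assumptions, while the bind port, ACL file and rules are the ones quoted in the thread.

```haproxy
# Constructed example for HAProxy 1.6+ (set-var is not available in 1.5).
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend fe_test
    bind 127.0.0.1:4089

    # Request phase: the X-TEST-IP header is still in the request buffer,
    # so copy its value into a session-scoped variable here.
    http-request set-var(sess.X_TEST_IP) hdr(X-TEST-IP)

    default_backend be_test

backend be_test
    # Before (never matches in http-response rules, haproxy warns at startup):
    #   acl test_origin hdr(X-TEST-IP) -m ip -f /etc/haproxy/acl/test.acl
    #
    # After: match on the stored variable, which is still available
    # when the response is processed.
    acl test_origin var(sess.X_TEST_IP) -m ip -f /etc/haproxy/acl/test.acl

    http-response add-header X-Test test
    http-response add-header X-Test internal if test_origin

    # Assumed application server; replace with the real one.
    server app1 127.0.0.1:8080

# Check the file and surface any "will never match" warnings:
#   haproxy -c -f /etc/haproxy/haproxy.cfg
# Then repeat the request from the thread; both X-Test headers are expected:
#   curl -vvv -H "X-TEST-IP: 127.0.0.3" http://127.0.0.1:4089/
```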