On Mon, Nov 23, 2015 at 6:26 AM, Dennis Jacobfeuerborn
<denni...@conversis.de> wrote:
>
> On 16.11.2015 15:25, Dennis Jacobfeuerborn wrote:
> > Hi,
> > I'm trying to figure out the best way to match a source ip against an ip
> > mapping file and make decisions based on that. What I'm now doing is this:
> >
> > acl acl_is_xx src,map_ip(<map-file-1>) -m str xx
> > acl acl_is_yy src,map_ip(<map-file-1>) -m str yy
> >
> > acl acl_value src,map_ip(<map-file-1>) -m copy
> > http-request set-header X-Test wasxx if acl_value==xx
> > http-request set-header X-Test wasyy if acl_value==yy
> >
> > Is there an alternative way to express something like this?
>
> Does nobody have any idea how to accomplish this?
> This is happening in a GeoIP context and I'm now planning to make
> distinct lookups for four different countries which seems pretty wasteful.

Hi Dennis -

I think this configuration would do what you want:

acl has_ip_map src -M -f <map-file>
http-request set-header X-Test %[src,map_ip(<map-file>)] if has_ip_map

The idea is that map-file is a two-column file like so:

# ip_addr name
1.2.3.4 wasxx
5.6.7.8 wasyy

This works by treating <map-file> as both a map AND an acl (the '-M'
flag does that). When you treat it as an ACL, it only evaluates the
first column. This lets you test the ip address, to see if it's one
you care about.

Then, you use the <map-file> as a map, and you look up the value for
your header based on the ip address - but only if the prior acl
evaluated to true.

An added benefit of this is that you can scale out easily to many
values in the map/acl file without polluting your configuration.
Additionally, you can use the socket commands to dynamically add
things to the map/acl without reloading haproxy, if you wanted
(something like 'add map <map-file> <address> <value>').

Hope that helps!

- Andrew Hayworth
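
The lookup described in the reply above, modelled offline as an added example that is not part of the original message or of HAProxy itself: it parses a two-column map file and shows which X-Test value a given source address would receive. The network lines in the sample, the helper names, and the rule that the most specific key wins are assumptions made for the example.

```python
import ipaddress

# Constructed sample map file in the two-column layout from the message;
# the two network lines are added here to show CIDR keys.
SAMPLE_MAP = """\
# ip_addr name
1.2.3.4 wasxx
5.6.7.8 wasyy
10.0.0.0/8 wasinternal
10.1.0.0/16 wasoffice
"""

def parse_map(text):
    """Return [(network, value)], skipping blank lines and '#' comments."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)  # key is the first word, value is the rest
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: key without a value")
        # A bare address becomes a /32 (or /128) network.
        net = ipaddress.ip_network(parts[0], strict=False)
        entries.append((net, parts[1].strip()))
    return entries

def lookup(entries, src):
    """Model of src,map_ip(<map-file>): most specific key wins (assumption)."""
    addr = ipaddress.ip_address(src)
    hits = [(net.prefixlen, value) for net, value in entries
            if net.version == addr.version and addr in net]
    return max(hits, key=lambda h: h[0])[1] if hits else None

def apply_rule(entries, src, headers):
    """Model of: http-request set-header X-Test %[...] if has_ip_map."""
    out = dict(headers)
    value = lookup(entries, src)
    if value is not None:        # the has_ip_map acl matched
        out["X-Test"] = value    # set-header replaces any existing X-Test
    return out                   # no match: headers pass through unchanged

if __name__ == "__main__":
    table = parse_map(SAMPLE_MAP)
    for ip in ("1.2.3.4", "10.1.2.3", "10.9.9.9", "9.9.9.9"):
        print(ip, "->", apply_rule(table, ip, {"X-Test": "client-sent"}))
```

The last address shows that a source outside the map keeps whatever X-Test the client sent, so a backend that trusts the header needs it stripped first (HAProxy's `http-request del-header` does that).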
