I'm working on some changes to a frontend, one of which is moving the
port 80 bind into the same frontend as port 443.

Which of the many directives that I'm using will be evaluated in order,
and which of them will take effect first no matter where they are?

Specific questions:

Will the "blockit" ACL in the config below kill a matching connection on
port 80 before the redirect to HTTPS happens, or is "redirect scheme"
handled out of order with the rest of what I've got configured?

Are the "use_backend X if" statements evaluated in order?  What I'm
trying to do would require this.

Any insight is appreciated.

Thanks,
Shawn


-----------------------------------

frontend fe-spark
        description Front end that accepts production spark requests.
        bind 70.102.230.78:80
        bind 70.102.230.78:443 ssl crt /etc/ssl/certs/local/spark.REDACTED.com.pem crt /etc/ssl/certs/local/wildcard.REDACTED.com.pem crt /etc/ssl/certs/local/spark.OTHERDOMAIN.com.pem crt /etc/ssl/certs/local/wildcard.stg_dev0-9.REDACTED.com.pem crt /etc/ssl/certs/local/ssl-spark.dev.REDACTED.com.pem crt /etc/ssl/certs/local/spark.white.REDACTED.com.pem no-sslv3 alpn http/1.1 npn http/1.1
        acl host_stg hdr_beg(host) -i spark.stg.REDACTED.com
        acl host_dev hdr_beg(host) -i spark.dev.REDACTED.com
        acl host_dev0 hdr_beg(host) -i spark.dev0.REDACTED.com
        acl host_white hdr_beg(host) -i spark.white.REDACTED.com
        acl mwsi_path   path_beg        /services
        acl bot         hdr_cnt(User-Agent) 0
        acl bot         hdr_sub(User-Agent) -i baiduspider ia_archiver jeeves googlebot mediapartners-google msnbot slurp zyborg yandexnews fairshare.cc yandex bingbot crawler everyonesocialbot feed\ crawler google-http-java-client java/1.6.0_38 owlin\ bot sc\ news wikioimagesbot xenu\ link\ sleuth yahoocachesystem
        acl facebook  hdr_sub(User-Agent) -i facebookexternalhit
        acl socialbot hdr_sub(User-Agent) -i twitterbot
        acl socialbot hdr_sub(User-Agent) -i feedfetcher-google
        acl blockit     hdr_sub(User-Agent) -i torrent
        acl blockit     path_beg        -i /announc
        acl blockit     path_beg        -i /v2.0
        acl blockit     path_beg        -i /v2.1
        acl blockit     path_beg        -i /v2.2
        acl blockit     path_beg        -i /fr
        acl blockit     path_beg        -i /tr
        acl blockit     path_beg        -i /connect
        acl blockit     path_beg        -i /feeds
        acl blockit     path_beg        -i /desktop
        acl blockit     path_beg        -i /ios
        acl blockit     path_beg        -i /ipad
        acl blockit     path_beg        -i /magento
        acl blockit     path_beg        -i /method
        acl blockit     path_beg        -i /news
        acl blockit     path_beg        -i /cipgl
        acl blockit     path_beg        -i /stats
        acl blockit     path_beg        -i /mobile
        acl blockit     path_beg        -i /network_ads
        acl blockit     path_reg        ^/\d+
        http-request deny if blockit
        reqadd X-Forwarded-Proto:\ https if { ssl_fc }
        redirect scheme https if !{ ssl_fc }
        redirect prefix https://spark.REDACTED.com code 301 if { hdr(host) -i OTHERDOMAIN.com }
        redirect prefix https://spark.REDACTED.com code 301 if { hdr(host) -i www.OTHERDOMAIN.com }
        use_backend be-mwsi-stg-8444 if mwsi_path { ssl_fc_sni -i spark.stg.REDACTED.com }
        use_backend be-mwsi-stg-8444 if mwsi_path host_stg
        use_backend be-mwsi-8444 if mwsi_path
        use_backend be-stg-spark-443 if { ssl_fc_sni -i spark.stg.REDACTED.com }
        use_backend be-spark-dev-2443 if { ssl_fc_sni -i spark.dev.REDACTED.com }
        use_backend be-spark-dev0-443 if { ssl_fc_sni -i spark.dev0.REDACTED.com }
        use_backend be-spark-white-443 if { ssl_fc_sni -i spark.white.REDACTED.com }
        use_backend be-stg-spark-443 if host_stg
        use_backend be-spark-dev-2443 if host_dev
        use_backend be-spark-dev0-443 if host_dev0
        use_backend be-spark-white-443 if host_white
        default_backend be-spark-443
        rspadd Strict-Transport-Security:\ max-age=31536000;\ includeSubDomains if { ssl_fc }
