I'm working on some changes to a frontend, one of which is moving the port 80 bind into the same frontend as port 443.
Which of the many directives that I'm using will be evaluated in order, and which of them will take effect first no matter where they are?

Specific questions:

Will the "blockit" ACL in the config below kill a matching connection on port 80 before the redirect to HTTPS happens, or is "redirect scheme" handled out of order with the rest of what I've got configured?

Are the "use_backend X if" statements evaluated in order? What I'm trying to do would require this.

Any insight is appreciated.

Thanks,
Shawn

-----------------------------------
frontend fe-spark
    description Front end that accepts production spark requests.
    bind 70.102.230.78:80
    bind 70.102.230.78:443 ssl crt /etc/ssl/certs/local/spark.REDACTED.com.pem crt /etc/ssl/certs/local/wildcard.REDACTED.com.pem crt /etc/ssl/certs/local/spark.OTHERDOMAIN.com.pem crt /etc/ssl/certs/local/wildcard.stg_dev0-9.REDACTED.com.pem crt /etc/ssl/certs/local/ssl-spark.dev.REDACTED.com.pem crt /etc/ssl/certs/local/spark.white.REDACTED.com.pem no-sslv3 alpn http/1.1 npn http/1.1

    acl host_stg hdr_beg(host) -i spark.stg.REDACTED.com
    acl host_dev hdr_beg(host) -i spark.dev.REDACTED.com
    acl host_dev0 hdr_beg(host) -i spark.dev0.REDACTED.com
    acl host_white hdr_beg(host) -i spark.white.REDACTED.com
    acl mwsi_path path_beg /services
    acl bot hdr_cnt(User-Agent) 0
    acl bot hdr_sub(User-Agent) -i baiduspider ia_archiver jeeves googlebot mediapartners-google msnbot slurp zyborg yandexnews fairshare.cc yandex bingbot crawler everyonesocialbot feed\ crawler google-http-java-client java/1.6.0_38 owlin\ bot sc\ news wikioimagesbot xenu\ link\ sleuth yahoocachesystem
    acl facebook hdr_sub(User-Agent) -i facebookexternalhit
    acl socialbot hdr_sub(User-Agent) -i twitterbot
    acl socialbot hdr_sub(User-Agent) -i feedfetcher-google
    acl blockit hdr_sub(User-Agent) -i torrent
    acl blockit path_beg -i /announc
    acl blockit path_beg -i /v2.0
    acl blockit path_beg -i /v2.1
    acl blockit path_beg -i /v2.2
    acl blockit path_beg -i /fr
    acl blockit path_beg -i /tr
    acl blockit path_beg -i /connect
    acl blockit path_beg -i /feeds
    acl blockit path_beg -i /desktop
    acl blockit path_beg -i /ios
    acl blockit path_beg -i /ipad
    acl blockit path_beg -i /magento
    acl blockit path_beg -i /method
    acl blockit path_beg -i /news
    acl blockit path_beg -i /cipgl
    acl blockit path_beg -i /stats
    acl blockit path_beg -i /mobile
    acl blockit path_beg -i /network_ads
    acl blockit path_reg ^/\d+

    http-request deny if blockit
    reqadd X-Forwarded-Proto:\ https if { ssl_fc }
    redirect scheme https if !{ ssl_fc }
    redirect prefix https://spark.REDACTED.com code 301 if { hdr(host) -i OTHERDOMAIN.com }
    redirect prefix https://spark.REDACTED.com code 301 if { hdr(host) -i www.OTHERDOMAIN.com }

    use_backend be-mwsi-stg-8444 if mwsi_path { ssl_fc_sni -i spark.stg.REDACTED.com }
    use_backend be-mwsi-stg-8444 if mwsi_path host_stg
    use_backend be-mwsi-8444 if mwsi_path
    use_backend be-stg-spark-443 if { ssl_fc_sni -i spark.stg.REDACTED.com }
    use_backend be-spark-dev-2443 if { ssl_fc_sni -i spark.dev.REDACTED.com }
    use_backend be-spark-dev0-443 if { ssl_fc_sni -i spark.dev0.REDACTED.com }
    use_backend be-spark-white-443 if { ssl_fc_sni -i spark.white.REDACTED.com }
    use_backend be-stg-spark-443 if host_stg
    use_backend be-spark-dev-2443 if host_dev
    use_backend be-spark-dev0-443 if host_dev0
    use_backend be-spark-white-443 if host_white
    default_backend be-spark-443

    rspadd Strict-Transport-Security:\ max-age=31536000;\ includeSubDomains if { ssl_fc }