Re: How to log the auth user?

2023-05-26 Thread Stephan Seitz

Hi!

On Thu, May 25, 2023 at 22:20:03 +0200, Willy Tarreau wrote:

On Thu, May 25, 2023 at 06:18:02PM +0200, Stephan Seitz wrote:

HA-Proxy 2.2.9

First, please note that this one misses many fixes, it's affected by
458 known bugs among which one critical and 28 major:


As Tim guessed this is the current version in Debian stable.



http-request set-var(req.s1) req.fhdr(Authorization),regsub(^Basic\s+,,i),b64dec,regsub(:.+,)

didn't build with it, or the opposite. Here regex are not needed, I
think you could use:



http-request set-var(req.s1) req.fhdr(Authorization),word(2),b64dec,word(1,:)


HA-Proxy doesn’t like this version with the change to txn:
while parsing 'http-request set-var(txn.s1)' rule : invalid arg 2 in converter 'word' : missing arguments (got 1/2), type 'string' expected.

But my version is working with the change from req to txn.

Many thanks for your help.

Shade and sweet water!

Stephan

--
|If your life was a horse, you'd have to shoot it.|
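
The extraction discussed in this thread, modelled in Python as an added example (not code from the thread or from HAProxy): Python's `re.sub` and `str.split` stand in for the `regsub(:.+,)` step and for keeping the first `:`-separated field, and the function names, the `-` fallback and the sample headers are assumptions constructed here. It also replaces control characters, because the user name comes from a client-supplied header that the proxy itself has not verified.

```python
import base64
import binascii
import re

def decode_basic(header):
    """Return the decoded "user:password" text, or None if not valid Basic auth."""
    m = re.fullmatch(r"Basic\s+([A-Za-z0-9+/]+={0,2})", header.strip(), re.I)
    if m is None:
        return None  # another scheme (Bearer, Digest, ...) or malformed value
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-8", errors="replace")

def user_by_regsub(decoded):
    """Model of regsub(:.+,): delete the first ':' and all that follows it."""
    return re.sub(r":.+", "", decoded, count=1)

def user_by_field(decoded):
    """Model of keeping only the first ':'-separated field."""
    return decoded.split(":", 1)[0]

def loggable(user):
    """Replace control characters so a crafted name cannot forge log lines."""
    return re.sub(r"[\x00-\x1f\x7f]", "?", user)

def auth_user(header):
    """User name to log for one Authorization header value, or "-"."""
    decoded = decode_basic(header)
    if decoded is None or ":" not in decoded:
        return "-"
    return loggable(user_by_field(decoded)) or "-"

def basic(userpass):
    """Build a constructed sample header from a "user:password" string."""
    return "Basic " + base64.b64encode(userpass.encode()).decode()

if __name__ == "__main__":
    # Constructed sample inputs, not taken from the thread.
    for value in (basic("alice:s3cret"), basic("alice:a:b"), basic("alice:"),
                  basic("eve\nforged line:x"), "Bearer abc.def", "Basic abc"):
        print(repr(value), "->", auth_user(value))
```

With an empty password (`alice:`) the regex model leaves the trailing colon in place, because `:.+` needs at least one character after the colon, while the field split returns `alice`.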



How to log the auth user?

2023-05-25 Thread Stephan Seitz

Hi!

HA-Proxy 2.2.9

I have an HA-Proxy frontend and an application backend. The 
authentication is done by the backend.


The HA-Proxy replaces an older pound proxy. Pound could log like Apache, 
so the log contained the user name, even if pound didn’t authenticate the 
user.


Searching the net I have found the following string to decode the 
username from the auth string:


req.fhdr(Authorization),regsub(^Basic\s+,,i),b64dec,regsub(:.+,)

So I tried the following in the frontend section:

http-request set-var(req.s1) req.fhdr(Authorization),regsub(^Basic\s+,,i),b64dec,regsub(:.+,)
log-format "%[var(req.s1)]"

But this doesn’t work, I get „-” in the log.

What did I do wrong?

Many greetings,

Stephan

--
|If your life was a horse, you'd have to shoot it.|



Restricting a backend to certain IPs

2021-07-13 Thread Stephan Seitz

Hello!

I have a frontend configuration that sends requests to different backends 
according to the host header.


Something like:
use_backend backendZ if { hdr(Host) -i  }

This is working fine, but now one such rule should only be allowed if the 
clients are from a certain IP range.


According to the documentation if conditions are AND-combined:
acl rule1 
acl rule2 
use_backend backendZ if rule1 rule2

So I tried the following:
acl network_allowed src IP1 IP2 IP3
acl dstvhost hdr(Host) -i 
use_backend backendZ if network_allowed dstvhost

But now I’m not getting to this backend even if my IP is in the list.
The rule
use_backend backendZ if dstvhost
is working but without restrictions.

So how do I solve my problem?

Shade and sweet water!

Stephan

--
|If your life was a horse, you'd have to shoot it.|



subscribe

2018-05-24 Thread Stephan Seitz
subscribe

Kind regards,

Stephan Seitz

--

Heinlein Support GmbH
Schwedter Str. 8/9b, 10119 Berlin

http://www.heinlein-support.de

Tel: 030 / 405051-44
Fax: 030 / 405051-19

Mandatory disclosures per §35a GmbHG: HRB 93818 B / Amtsgericht
Berlin-Charlottenburg,
Managing Director: Peer Heinlein -- Registered office: Berlin



