Re: How to log the auth user?
Hi!

On Thu, May 25, 2023 at 22:20:03 +0200, Willy Tarreau wrote:
> On Thu, May 25, 2023 at 06:18:02PM +0200, Stephan Seitz wrote:
> > HA-Proxy 2.2.9
>
> First, please note that this one misses many fixes, it's affected by 458 known bugs among which one critical and 28 major:

As Tim guessed this is the current version in Debian stable.

> > http-request set-var(req.s1) req.fhdr(Authorization),regsub(^Basic\s+,,i),b64dec,regsub(:.+,)
>
> didn't build with it, or the opposite. Here regex are not needed, I think you could use:
>
>     http-request set-var(req.s1) req.fhdr(Authorization),word(2),b64dec,word(1,:)

HA-Proxy doesn’t like this version with the change to txn:

    while parsing 'http-request set-var(txn.s1)' rule : invalid arg 2 in converter 'word' : missing arguments (got 1/2), type 'string' expected.

But my version is working with the change from req to txn.

Many thanks for your help.

Shade and sweet water!

Stephan

--
|If your life was a horse, you'd have to shoot it.|
How to log the auth user?
Hi!

HA-Proxy 2.2.9

I have an HA-Proxy frontend and an application backend. The authentication is done by the backend. The HA-Proxy replaces an older pound proxy. Pound could log like Apache, so the log contained the user name, even if pound didn’t authenticate the user.

Searching the net I have found the following string to decode the username from the auth string:

    req.fhdr(Authorization),regsub(^Basic\s+,,i),b64dec,regsub(:.+,)

So I tried the following in the frontend section:

    http-request set-var(req.s1) req.fhdr(Authorization),regsub(^Basic\s+,,i),b64dec,regsub(:.+,)
    log-format "%[var(req.s1)]"

But this doesn’t work, I get „-” in the log. What did I do wrong?

Many greetings,

Stephan

--
|If your life was a horse, you'd have to shoot it.|
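As an added illustration (not part of the original posts and not HAProxy code), the Python below approximates the converter chain quoted above so you can see what ends up in the log for different Authorization headers. The names `logged_user`, `basic` and `SAMPLES` are hypothetical, the headers are constructed samples, and it assumes that `b64dec` produces no sample on input that is not valid base64, which the log shows as "-".

```python
import base64
import binascii
import re


def logged_user(authorization):
    """Approximate: req.fhdr(Authorization),regsub(^Basic\\s+,,i),b64dec,regsub(:.+,)

    Returns the value that would be logged, or None where the chain
    yields no sample (shown as "-" in the log).
    """
    if authorization is None:  # header absent, nothing to convert
        return None
    # regsub(^Basic\s+,,i): strip the scheme, case-insensitive, first match only
    token = re.sub(r"^Basic\s+", "", authorization, count=1, flags=re.I)
    # b64dec: assumed to yield no sample on anything that is not valid base64
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    # regsub(:.+,): drop the first ':' and everything after it
    return re.sub(r":.+", "", raw.decode("latin-1"), count=1)


def basic(user, password, scheme="Basic"):
    """Build a constructed Basic Authorization header value."""
    cred = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"{scheme} {cred}"


# Constructed sample headers, not taken from the thread.
SAMPLES = [
    basic("alice", "s3cret"),
    basic("alice", "s3cret", scheme="basic"),  # scheme match is case-insensitive
    basic("bob", "a:b:c"),                     # colons inside the password
    basic("carol", ""),                        # empty password
    "Bearer abc.def.ghi",                      # non-Basic scheme
    None,                                      # no Authorization header
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(repr(header), "->", repr(logged_user(header)))
```

Note the empty-password case: `:.+` needs at least one character after the colon, so the trailing colon stays in the logged value.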
Restricting a backend to certain IPs
Hello!

I have a frontend configuration that sends requests to different backends according to the host header. Something like:

    use_backend backendZ if { hdr(Host) -i }

This is working fine, but now one such rule should only be allowed if the clients are from a certain IP range.

According to the documentation if conditions are AND-combined:

    acl rule1
    acl rule2
    use_backend backendZ if rule1 rule2

So I tried the following:

    acl network_allowed src IP1 IP2 IP3
    acl dstvhost hdr(Host) -i
    use_backend backendZ if network_allowed dstvhost

But now I’m not getting to this backend even if my IP is in the list. The rule

    use_backend backendZ if dstvhost

is working but without restrictions. So how do I solve my problem?

Shade and sweet water!

Stephan

--
|If your life was a horse, you'd have to shoot it.|
subscribe
subscribe

Kind regards,
Stephan Seitz

--
Heinlein Support GmbH
Schwedter Str. 8/9b, 10119 Berlin
http://www.heinlein-support.de
Tel: 030 / 405051-44
Fax: 030 / 405051-19
Mandatory disclosures per §35a GmbHG: HRB 93818 B / Amtsgericht Berlin-Charlottenburg, Managing director: Peer Heinlein -- Registered office: Berlin