Re: ACLs that depend on cookie values
On Wed, May 09, 2012 at 04:01:12PM -0700, Malcolm Handley wrote:
> Oh, one more question: if I use reqrep to modify the cookies header
> that's going to destroy the original header, I suspect, which would
> cause problems for the web server that wants to read those cookies. Is
> there any way around that?

There's another ugly trick you can do which consists in replacing the
cookie header by itself after the header you want. Something like this :

    reqirep ^(Cookie:.*COOK=)([^\ ;,]*)(.*) x-cook:\ \2\r\n\1\2\3

You may have to fix this as it's not tested, but I think you get the idea.

Willy

Re: ACLs that depend on cookie values
Hi Malcolm,

On Wed, May 09, 2012 at 03:51:46PM -0700, Malcolm Handley wrote:
> Cook_val sounds great if you happen to add that.

I've added this for you in dev9 :-)

> How long do snapshots
> take to become the stable version, generally?

There generally are a few months between dev releases. And dev releases
are *not* stable versions. It only happens that I try to get them stable
enough for enthusiasts to use them carefully and provide useful feedback.
For instance, Cyril found a few important bugs, so I'll have to emit a
dev10 soon with them fixed. If you want something really stable, you
should use 1.4, not 1.5-dev.

> We've had some outages
> (nothing to do with haproxy, which works great) and definitely don't
> want to put bleeding-edge code into production at the moment.

I certainly understand. The best to do after a dev release is to wait
1 or 2 weeks for bug reports, and either you pick the fixes from next
snapshots or you wait for a new dev release.

> > In the mean time, I think that if you manage to rewrite your cookie header
> > to replace it with a header holding only the value, it might work, though
> > it's dirty and quite tricky.
>
> This is a great suggestion. Can you confirm that header rewriting
> happens before other calls to hdr_val? (Do the commands happen in
> order?)

I'm not certain about this, I'd have to recheck the code for this.

> (One thing that's great about this is it would also let me
> avoid creating a new header. My goal is to write an ACL of the form
> [block if cook_value(user_id) % 1000 < 250] but ACLs don't support
> much math. But your suggestion would get around this.)

OK.

> > Instead, with regex you can actually match integer expressions, it's just
> > a bit complicated but doable. For instance, a value below 25 might be
> > defined like this (not tested right now but you get the idea) :
> >
> > COOK=([0-9]|1[0-9]|2[0-4])([^0-9]|$)
> >
> > I've been doing this for a long time to extract requests by response times
> > in logs until I got fed up and wrote halog.
>
> Yeah. I thought of this too. I know that I could do it but we are
> creating a tool to use in emergencies and I think that I'd be
> frightened of messing it up in some small but important way. :-)

I can understand! However the regex will provide you the modulo 1000
for free :-)

Willy

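The "below 25" regex from the message above and the "modulo 1000 for free" remark, checked against plain arithmetic in an added example that is not part of any message in this thread. The modulo pattern, the helper names, the header layout and the sample values are assumptions constructed for illustration, and the patterns are exercised with Python's `re` rather than inside haproxy.

```python
import re

# Regex from the thread: COOK value below 25.
BELOW_25 = re.compile(r"COOK=([0-9]|1[0-9]|2[0-4])([^0-9]|$)")

# Assumed extension (not from the thread): "value % 1000 < 250" by looking
# only at the last three digits; one- and two-digit values always qualify.
MOD_1000_BELOW_250 = re.compile(
    r"COOK=([0-9]{1,2}|[0-9]*([01][0-9][0-9]|2[0-4][0-9]))([^0-9]|$)"
)


def header(value, name="COOK"):
    """Build a constructed Cookie header with neighbours around the value."""
    return f"Cookie: lang=en; {name}={value}; theme=dark"


def mismatches(pattern, predicate, values):
    """Return the values where the regex and the arithmetic rule disagree."""
    return [v for v in values
            if bool(pattern.search(header(v))) != predicate(v)]


def edge_cases():
    """Inputs where the below-25 regex departs from integer comparison."""
    return {
        # leading zeros: 007 is 7 as an integer, but the regex rejects it
        "leading_zero": bool(BELOW_25.search(header("007"))),
        # unanchored name: a cookie called XCOOK also satisfies the pattern
        "other_cookie": bool(BELOW_25.search(header("5", name="XCOOK"))),
        # value at end of header, exercising the "$" alternative
        "end_of_header": bool(BELOW_25.search("Cookie: COOK=24")),
    }


if __name__ == "__main__":
    print(mismatches(BELOW_25, lambda v: v < 25, range(0, 2000)))
    print(mismatches(MOD_1000_BELOW_250, lambda v: v % 1000 < 250,
                     range(0, 20000)))
    print(edge_cases())
```

An exhaustive comparison like this is a cheap pre-deployment check for a rule meant to be used in emergencies; the edge cases show where the cookie name boundary and the value format need to be pinned down before relying on the pattern.
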
Re: ACLs that depend on cookie values
Oh, one more question: if I use reqrep to modify the cookies header
that's going to destroy the original header, I suspect, which would
cause problems for the web server that wants to read those cookies. Is
there any way around that?

On Wed, May 9, 2012 at 3:51 PM, Malcolm Handley wrote:
> On Tue, May 8, 2012 at 1:24 AM, Willy Tarreau wrote:
>> Hi Malcolm,
>>
>> On Mon, May 07, 2012 at 06:19:36PM -0700, Malcolm Handley wrote:
>>> I'd like to write an ACL that compares the integer value of a cookie
>>> with a constant. (My goal is to be able to block percentiles of our
>>> users if we have more traffic than we can handle, so I want to block a
>>> request if the cookie's value is, say, less than 25.)
>>>
>>> I understand that I can do something like
>>> hdr_sub(cookie) -i
>>> but that doesn't let me treat the value as an integer and compare it.
>>>
>>> I also know about
>>> hdr_val()
>>> but that gives me the entire value of the cookie header, not just the
>>> value of a particular cookie.
>>>
>>> Is there any way that I can do this?
>>
>> In the next snapshot I hope to be able to push today, there is a new
>> cookie pattern fetch method which brings a number of "cook_*" ACL keywords.
>> It does not have cook_val at the moment, but I can check if that's hard
>> to add or not.
>
> Cook_val sounds great if you happen to add that. How long do snapshots
> take to become the stable version, generally? We've had some outages
> (nothing to do with haproxy, which works great) and definitely don't
> want to put bleeding-edge code into production at the moment.
>
>> In the mean time, I think that if you manage to rewrite your cookie header
>> to replace it with a header holding only the value, it might work, though
>> it's dirty and quite tricky.
>
> This is a great suggestion. Can you confirm that header rewriting
> happens before other calls to hdr_val? (Do the commands happen in
> order?) (One thing that's great about this is it would also let me
> avoid creating a new header. My goal is to write an ACL of the form
> [block if cook_value(user_id) % 1000 < 250] but ACLs don't support
> much math. But your suggestion would get around this.)
>
>> Instead, with regex you can actually match integer expressions, it's just
>> a bit complicated but doable. For instance, a value below 25 might be
>> defined like this (not tested right now but you get the idea) :
>>
>> COOK=([0-9]|1[0-9]|2[0-4])([^0-9]|$)
>>
>> I've been doing this for a long time to extract requests by response times
>> in logs until I got fed up and wrote halog.
>
> Yeah. I thought of this too. I know that I could do it but we are
> creating a tool to use in emergencies and I think that I'd be
> frightened of messing it up in some small but important way. :-)
>
> Thanks for the help.

Re: ACLs that depend on cookie values
On Tue, May 8, 2012 at 1:24 AM, Willy Tarreau wrote:
> Hi Malcolm,
>
> On Mon, May 07, 2012 at 06:19:36PM -0700, Malcolm Handley wrote:
>> I'd like to write an ACL that compares the integer value of a cookie
>> with a constant. (My goal is to be able to block percentiles of our
>> users if we have more traffic than we can handle, so I want to block a
>> request if the cookie's value is, say, less than 25.)
>>
>> I understand that I can do something like
>> hdr_sub(cookie) -i
>> but that doesn't let me treat the value as an integer and compare it.
>>
>> I also know about
>> hdr_val()
>> but that gives me the entire value of the cookie header, not just the
>> value of a particular cookie.
>>
>> Is there any way that I can do this?
>
> In the next snapshot I hope to be able to push today, there is a new
> cookie pattern fetch method which brings a number of "cook_*" ACL keywords.
> It does not have cook_val at the moment, but I can check if that's hard
> to add or not.

Cook_val sounds great if you happen to add that. How long do snapshots
take to become the stable version, generally? We've had some outages
(nothing to do with haproxy, which works great) and definitely don't
want to put bleeding-edge code into production at the moment.

> In the mean time, I think that if you manage to rewrite your cookie header
> to replace it with a header holding only the value, it might work, though
> it's dirty and quite tricky.

This is a great suggestion. Can you confirm that header rewriting
happens before other calls to hdr_val? (Do the commands happen in
order?) (One thing that's great about this is it would also let me
avoid creating a new header. My goal is to write an ACL of the form
[block if cook_value(user_id) % 1000 < 250] but ACLs don't support
much math. But your suggestion would get around this.)

> Instead, with regex you can actually match integer expressions, it's just
> a bit complicated but doable. For instance, a value below 25 might be
> defined like this (not tested right now but you get the idea) :
>
> COOK=([0-9]|1[0-9]|2[0-4])([^0-9]|$)
>
> I've been doing this for a long time to extract requests by response times
> in logs until I got fed up and wrote halog.

Yeah. I thought of this too. I know that I could do it but we are
creating a tool to use in emergencies and I think that I'd be
frightened of messing it up in some small but important way. :-)

Thanks for the help.

Re: ACLs that depend on cookie values
Hi Malcolm,

On Mon, May 07, 2012 at 06:19:36PM -0700, Malcolm Handley wrote:
> I'd like to write an ACL that compares the integer value of a cookie
> with a constant. (My goal is to be able to block percentiles of our
> users if we have more traffic than we can handle, so I want to block a
> request if the cookie's value is, say, less than 25.)
>
> I understand that I can do something like
> hdr_sub(cookie) -i
> but that doesn't let me treat the value as an integer and compare it.
>
> I also know about
> hdr_val()
> but that gives me the entire value of the cookie header, not just the
> value of a particular cookie.
>
> Is there any way that I can do this?

In the next snapshot I hope to be able to push today, there is a new
cookie pattern fetch method which brings a number of "cook_*" ACL keywords.
It does not have cook_val at the moment, but I can check if that's hard
to add or not.

In the mean time, I think that if you manage to rewrite your cookie header
to replace it with a header holding only the value, it might work, though
it's dirty and quite tricky.

Instead, with regex you can actually match integer expressions, it's just
a bit complicated but doable. For instance, a value below 25 might be
defined like this (not tested right now but you get the idea) :

    COOK=([0-9]|1[0-9]|2[0-4])([^0-9]|$)

I've been doing this for a long time to extract requests by response times
in logs until I got fed up and wrote halog.

Willy

ACLs that depend on cookie values
I'd like to write an ACL that compares the integer value of a cookie
with a constant. (My goal is to be able to block percentiles of our
users if we have more traffic than we can handle, so I want to block a
request if the cookie's value is, say, less than 25.)

I understand that I can do something like
hdr_sub(cookie) -i
but that doesn't let me treat the value as an integer and compare it.

I also know about
hdr_val()
but that gives me the entire value of the cookie header, not just the
value of a particular cookie.

Is there any way that I can do this?