Re: Compare against variable string in ACL

2017-05-08 Thread Tim Düsterhus
Holger,

On 08.05.2017 11:37, Holger Just wrote:
> We use basically this configuration snippet in production for quite some
> years now and it works great.
> 

while not exactly pretty, it definitely works fine. Thank you.

Best regards
Tim Düsterhus



Re: Compare against variable string in ACL

2017-05-08 Thread Holger Just
Hi Tim.

Tim Düsterhus wrote:
> I basically want an ACL that matches if 'hdr(host) == ssl_fc_sni' to use
> programming language terminology.

This is not directly possible right now using haproxy ACLs since they
are only able to compare a dynamic value (the fetch) to a static
value. There is however a "trick" to still pull this off without having
to dive into Lua.

# We concatenate the HTTP Header and the SNI field in an internal header
# and check if the same value is repeated in that header.
http-request set-header X-CHECKSNI %[req.hdr(host)]==%[ssl_fc_sni] if { ssl_fc_has_sni }

# This needs to be a named capture because of "reasons".
# Back-References to normal captures seem to be rejected by HAProxy
# (the group name inside the angle brackets was lost in the list archive;
# "h" is assumed here, any name works)
http-request deny if { ssl_fc_has_sni } ! { hdr(X-CHECKSNI) -m reg -i ^(?<h>.+)==\1$ }

# Cleanup after us
http-request del-header X-CHECKSNI

We use basically this configuration snippet in production for quite some
years now and it works great.

Cheers,
Holger
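
The rule above is plain string concatenation followed by a back-referencing regex, so its behaviour can be exercised outside HAProxy. The script below is an added example, not code from the thread or from HAProxy: it re-implements the set-header/deny pair with Python's re module (whose named groups and back-references behave like PCRE's for this pattern), runs it over constructed Host/SNI pairs, and shows the cases a practitioner should know about before deploying it: case differences are tolerated thanks to -i, a Host header carrying an explicit port is denied, a missing Host header is denied, plaintext requests without SNI are never checked, and a Host value that itself contains the "==" separator can satisfy the pattern without being equal to the SNI. The `normalized_host` helper is my own suggestion for the port case, not part of Holger's configuration.

```python
import re

# Mirror of:  hdr(X-CHECKSNI) -m reg -i ^(?<h>.+)==\1$
# Named group plus back-reference, case-insensitive like the -i flag.
CHECK_RE = re.compile(r"^(?P<h>.+)==\1$", re.IGNORECASE)


def build_check_header(host: str, sni: str) -> str:
    """Mirror of: http-request set-header X-CHECKSNI %[req.hdr(host)]==%[ssl_fc_sni]

    HAProxy's req.hdr(host) yields an empty string when the header is absent,
    which is modelled by passing host="".
    """
    return f"{host}=={sni}"


def request_is_allowed(host: str, sni: str, has_sni: bool = True) -> bool:
    """True if the 'http-request deny' rule would NOT fire for this request.

    Both rules are guarded by { ssl_fc_has_sni }, so a connection without
    SNI (plaintext, or TLS from a client that sent no SNI) is never checked.
    """
    if not has_sni:
        return True
    return CHECK_RE.match(build_check_header(host, sni)) is not None


def normalized_host(host: str) -> str:
    """Assumed helper (not in the thread): strip an explicit :port from a
    Host value so 'example.com:443' compares equal to SNI 'example.com'.
    IPv6 literals like '[2001:db8::1]:443' keep their brackets."""
    if host.startswith("["):
        end = host.find("]")
        return host[: end + 1].lower() if end != -1 else host.lower()
    return host.rsplit(":", 1)[0].lower() if ":" in host else host.lower()


# Constructed sample requests: (Host header, SNI, has_sni, expected verdict)
SAMPLES = [
    ("example.com", "example.com", True, "allow"),          # exact match
    ("EXAMPLE.COM", "example.com", True, "allow"),          # -i tolerates case
    ("other.example.com", "example.com", True, "deny"),     # vhost confusion
    ("example.com:443", "example.com", True, "deny"),       # port in Host
    ("", "example.com", True, "deny"),                      # Host missing
    ("example.com", "", False, "allow"),                    # no SNI: unchecked
    ("a==a==a", "a", True, "allow"),                        # separator in Host
]


def evaluate_samples() -> list:
    """Run every sample through the simulated rule; returns
    [(host, sni, verdict, matches_expectation), ...]."""
    results = []
    for host, sni, has_sni, expected in SAMPLES:
        verdict = "allow" if request_is_allowed(host, sni, has_sni) else "deny"
        results.append((host, sni, verdict, verdict == expected))
    return results


if __name__ == "__main__":
    for host, sni, verdict, ok in evaluate_samples():
        print(f"Host={host!r:22} SNI={sni!r:14} -> {verdict:5} {'ok' if ok else 'UNEXPECTED'}")
    print("normalized:", normalized_host("Example.COM:443"), normalized_host("[2001:db8::1]:443"))
```

The last sample is worth noting: the concatenate-and-back-reference trick is only as strict as its separator, so a Host value such as "a==a==a" paired with SNI "a" produces "a==a==a==a", which the regex accepts with the group bound to "a==a". Such a Host is not a usable virtual host name, but if the separator is changed, pick one that cannot appear in a hostname. Later HAProxy releases (1.8 and newer) added a strcmp converter that compares a fetch against a variable directly, so the whole check collapses to `http-request set-var(txn.host) hdr(host),lower` plus `http-request deny if { ssl_fc_has_sni } !{ ssl_fc_sni,lower,strcmp(txn.host) eq 0 }`; that converter was not available when this thread was written.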



Compare against variable string in ACL

2017-05-07 Thread Tim Düsterhus
Hi

I want to make sure that the SNI hostname and the hostname provided in
the 'Host' header of HTTP match, in order to avoid virtual host
confusion within my backends.

Is it possible to create such an ACL? I already tried something like this:

http-request set-var(txn.rheader) hdr(host)
acl  matching var(txn.rheader) -i %[ssl_fc_sni]

But it seems that '%[ssl_fc_sni]' is interpreted as a literal string
here, instead of the provided SNI value.

I basically want an ACL that matches if 'hdr(host) == ssl_fc_sni' to use
programming language terminology.

Best regards
Tim Düsterhus