Re: Global ACLs
On 02/02/2015 05:31 PM, Willy Tarreau wrote:
> Hi Christian,
>
> [...snip...]
>
> We've been considering this for a while now without any elegant solution.
> Recently while discussing with Emeric we got an idea to implement scopes,
> and along these lines I think we could instead try to inherit ACLs from
> other frontends/backends/defaults sections. Currently defaults sections
> support having a name; though this name is not internally used, admins
> often put some notes there such as tcp or a customer's id.
>
> Here we could have something like this:
>
>     defaults foo
>         acl local src 127.0.0.1
>
>     frontend bar
>         acl client src 192.168.0.0/24
>         use_backend c1 if client
>         use_backend c2 if foo/local
>
> It would also bring the extra benefit of allowing complex shared configs
> to use their own global ACLs regardless of what is being used in other
> sections.
>
> That's just an idea, of course.

That sounds awesome, please bring it on :-)

Cheers,
Pavlos
Re: Global ACLs
Hi Willy,

On 2015-02-02 17:31, Willy Tarreau wrote:
> Hi Christian,
>
> On Mon, Feb 02, 2015 at 04:55:56PM +0100, Christian Ruppert wrote:
>> Hey, is there some kind of global ACL, perhaps? I think that could be
>> really useful. In my case I have ~70 frontends and ~100 backends. I often
>> use the same ACLs on multiple frontends/backends for specific whitelisting
>> etc. It would be extremely helpful to specify some of those ACLs in the
>> global scope and use them where needed without having to re-define them
>> again and again.
>>
>> Technically that shouldn't be much different from what it does in the
>> local scope, should it? So I guess the ACL is prepared once on startup;
>> it shouldn't matter where that is done. Using it, i.e. actually
>> evaluating it, is always (as before) done in the local scope, depending
>> on the actual layer etc. So adding support for global ACLs should be easy
>> and helpful, or am I wrong? Did I forget something important here?
>>
>> Example:
>>
>>     global
>>         acl foo src 192.168.1.1
>>         acl foobar hdr_ip(X-Forwarded-For,-1) 192.168.1.2 # This *might* be a special case... Not yet further verified.
>>
>>     frontend example
>>         use_backend ... if foo
>>         use_backend ... if foobar
>
> We've been considering this for a while now without any elegant solution.
> Recently while discussing with Emeric we got an idea to implement scopes,
> and along these lines I think we could instead try to inherit ACLs from
> other frontends/backends/defaults sections. Currently defaults sections
> support having a name; though this name is not internally used, admins
> often put some notes there such as tcp or a customer's id.

That would be perfect, even better than just global. One could use the same
ACL names but in different scopes, i.e. different layers.

> Here we could have something like this:
>
>     defaults foo
>         acl local src 127.0.0.1
>
>     frontend bar
>         acl client src 192.168.0.0/24
>         use_backend c1 if client
>         use_backend c2 if foo/local
>
> It would also bring the extra benefit of allowing complex shared configs
> to use their own global ACLs regardless of what is being used in other
> sections.
>
> That's just an idea, of course.

Yeah, that sounds pretty decent to me.

> Regards,
> Willy

-- 
Regards,
Christian Ruppert
Re: Global ACLs
Hi Christian,

On Mon, Feb 02, 2015 at 04:55:56PM +0100, Christian Ruppert wrote:
> Hey, is there some kind of global ACL, perhaps? I think that could be
> really useful. In my case I have ~70 frontends and ~100 backends. I often
> use the same ACLs on multiple frontends/backends for specific whitelisting
> etc. It would be extremely helpful to specify some of those ACLs in the
> global scope and use them where needed without having to re-define them
> again and again.
>
> Technically that shouldn't be much different from what it does in the
> local scope, should it? So I guess the ACL is prepared once on startup;
> it shouldn't matter where that is done. Using it, i.e. actually evaluating
> it, is always (as before) done in the local scope, depending on the actual
> layer etc. So adding support for global ACLs should be easy and helpful,
> or am I wrong? Did I forget something important here?
>
> Example:
>
>     global
>         acl foo src 192.168.1.1
>         acl foobar hdr_ip(X-Forwarded-For,-1) 192.168.1.2 # This *might* be a special case... Not yet further verified.
>
>     frontend example
>         use_backend ... if foo
>         use_backend ... if foobar

We've been considering this for a while now without any elegant solution.
Recently while discussing with Emeric we got an idea to implement scopes,
and along these lines I think we could instead try to inherit ACLs from
other frontends/backends/defaults sections. Currently defaults sections
support having a name; though this name is not internally used, admins
often put some notes there such as tcp or a customer's id.

Here we could have something like this:

    defaults foo
        acl local src 127.0.0.1

    frontend bar
        acl client src 192.168.0.0/24
        use_backend c1 if client
        use_backend c2 if foo/local

It would also bring the extra benefit of allowing complex shared configs
to use their own global ACLs regardless of what is being used in other
sections.

That's just an idea, of course.

Regards,
Willy
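To make the scoping rule in Willy's proposal concrete, here is an added illustration (not HAProxy code, and not a released HAProxy feature): a small parser for the `defaults foo` / `frontend bar` sample above that resolves a bare ACL name in the current section and a `scope/name` reference in the named section, then picks a backend the way a `use_backend ... if` chain would. Only the `src` fetch is modelled, the config text is constructed, and a reference to an undefined scope or ACL is rejected rather than silently matching.

```python
import ipaddress

# Constructed sample in the syntax Willy proposes (an ACL inherited from a
# named "defaults" section via scope/name); not a released HAProxy feature.
CONFIG = """
defaults foo
    acl local src 127.0.0.1

frontend bar
    acl client src 192.168.0.0/24
    use_backend c1 if client
    use_backend c2 if foo/local
"""

def parse(text):
    """{section: {"acls": {name: (fetch, pattern)}, "rules": [(backend, acl_ref)]}}"""
    sections, cur = {}, None
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        if words[0] in ("defaults", "frontend", "backend"):
            cur = sections.setdefault(words[1], {"acls": {}, "rules": []})
        elif words[0] == "acl":
            cur["acls"][words[1]] = (words[2], words[3])
        elif words[0] == "use_backend":  # use_backend <backend> if <acl>
            cur["rules"].append((words[1], words[3]))
    return sections

def resolve_acl(sections, section, ref):
    """A bare name is looked up in the current section; 'scope/name' in that scope."""
    scope, _, name = ref.rpartition("/")
    acls = sections.get(scope or section, {}).get("acls", {})
    if name not in acls:
        raise KeyError(f"{section}: ACL {ref!r} is not defined in any scope")
    return acls[name]

def acl_matches(acl, src_ip):
    # Only the 'src' fetch is modelled: client address against an IP or CIDR pattern.
    fetch, pattern = acl
    if fetch != "src":
        raise NotImplementedError(f"fetch {fetch!r} not modelled")
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(pattern, strict=False)

def select_backend(sections, frontend, src_ip):
    """First matching use_backend rule wins (as in HAProxy); None if nothing matches."""
    for backend, ref in sections[frontend]["rules"]:
        if acl_matches(resolve_acl(sections, frontend, ref), src_ip):
            return backend
    return None
```

With the sample config, a client at 192.168.0.42 is routed to c1 via the frontend's own ACL and 127.0.0.1 to c2 via the inherited `foo/local`, while an address matching neither yields no backend.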
Global ACLs
Hey, is there some kind of global ACL, perhaps? I think that could be really
useful. In my case I have ~70 frontends and ~100 backends. I often use the
same ACLs on multiple frontends/backends for specific whitelisting etc. It
would be extremely helpful to specify some of those ACLs in the global scope
and use them where needed without having to re-define them again and again.

Technically that shouldn't be much different from what it does in the local
scope, should it? So I guess the ACL is prepared once on startup; it
shouldn't matter where that is done. Using it, i.e. actually evaluating it,
is always (as before) done in the local scope, depending on the actual layer
etc. So adding support for global ACLs should be easy and helpful, or am I
wrong? Did I forget something important here?

Example:

    global
        acl foo src 192.168.1.1
        acl foobar hdr_ip(X-Forwarded-For,-1) 192.168.1.2 # This *might* be a special case... Not yet further verified.

    frontend example
        use_backend ... if foo
        use_backend ... if foobar

-- 
Regards,
Christian Ruppert
Re: Global ACLs
That sounds pretty cool. I would love to only have to define my ACLs in one
place.

wt

On Mon, Feb 2, 2015 at 8:31 AM, Willy Tarreau w...@1wt.eu wrote:
> Hi Christian,
>
> On Mon, Feb 02, 2015 at 04:55:56PM +0100, Christian Ruppert wrote:
>> Hey, is there some kind of global ACL, perhaps? I think that could be
>> really useful. In my case I have ~70 frontends and ~100 backends. I often
>> use the same ACLs on multiple frontends/backends for specific whitelisting
>> etc. It would be extremely helpful to specify some of those ACLs in the
>> global scope and use them where needed without having to re-define them
>> again and again.
>>
>> Technically that shouldn't be much different from what it does in the
>> local scope, should it? So I guess the ACL is prepared once on startup;
>> it shouldn't matter where that is done. Using it, i.e. actually
>> evaluating it, is always (as before) done in the local scope, depending
>> on the actual layer etc. So adding support for global ACLs should be easy
>> and helpful, or am I wrong? Did I forget something important here?
>>
>> Example:
>>
>>     global
>>         acl foo src 192.168.1.1
>>         acl foobar hdr_ip(X-Forwarded-For,-1) 192.168.1.2 # This *might* be a special case... Not yet further verified.
>>
>>     frontend example
>>         use_backend ... if foo
>>         use_backend ... if foobar
>
> We've been considering this for a while now without any elegant solution.
> Recently while discussing with Emeric we got an idea to implement scopes,
> and along these lines I think we could instead try to inherit ACLs from
> other frontends/backends/defaults sections. Currently defaults sections
> support having a name; though this name is not internally used, admins
> often put some notes there such as tcp or a customer's id.
>
> Here we could have something like this:
>
>     defaults foo
>         acl local src 127.0.0.1
>
>     frontend bar
>         acl client src 192.168.0.0/24
>         use_backend c1 if client
>         use_backend c2 if foo/local
>
> It would also bring the extra benefit of allowing complex shared configs
> to use their own global ACLs regardless of what is being used in other
> sections.
>
> That's just an idea, of course.
>
> Regards,
> Willy

-- 
Warren Turkal