Re: Matching URLs at layer 7

2010-04-28 Thread Benedikt Fraunhofer
Hi *,

2010/4/28 Andrew Commons andrew.comm...@bigpond.com:
        acl xxx_url      url_beg        -i http://xxx.example.com
        acl xxx_url      url_sub        -i xxx.example.com
        acl xxx_url      url_dom        -i xxx.example.com

The Url is the part of the URI without the host :)
A http request looks like

 GET /index.html HTTP/1.0
 Host: www.example.com

so you can't use url_beg to match on the host unless you somehow
construct your urls to look like
 http://www.example.com/www.example.com/
but don't do that :)

so what you want is something like chaining
acl xxx_host hdr(Host) -i xxx.example.com
acl xxx_urlbe1 url_beg /toBE1/
use_backend BE1 if xxx_host xxx_urlbe1
?

Cheers

  Beni.



Re: Matching URLs at layer 7

2010-04-28 Thread Jeffrey 'jf' Lim
On Wed, Apr 28, 2010 at 7:51 PM, Andrew Commons
andrew.comm...@bigpond.com wrote:
 Hi Beni,

 A few things to digest here.

 What was leading me up this path was a bit of elementary (and probably naïve) 
 white-listing with respect to the contents of the Host header and the URI/L 
 supplied by the user. Tools like Fiddler make request manipulation trivial so 
 filtering out 'obvious' manipulation attempts would be a good idea. With this 
 in mind my thinking (if it can be considered as such) was that:

 (1) user request is for http://www.example.com/whatever
 (2) Host header is www.example.com
 (3) All is good! Pass request on to server.

 Alternatively:

 (1) user request is for http://www.example.com/whatever
 (2) Host header is www.whatever.com
 (3) All is NOT good! Flick request somewhere harmless.


Benedikt has explained this already (see his first reply). There is no
such thing. What you see as the user request is really sent as the Host
header plus the URI.

Also to answer another question you raised - the HTTP specification
states that header names are case-insensitive. I don't know about
haproxy's treatment, though (I'm too lazy to delve into the code right
now - and really you can test it out to find out for yourself).

-jf


--
Every nonfree program has a lord, a master --
and if you use the program, he is your master.
--Richard Stallman

It's so hard to write a graphics driver that open-sourcing it would not help.
-- Andrew Fear, Software Product Manager, NVIDIA Corporation
http://kerneltrap.org/node/7228



Re: Matching URLs at layer 7

2010-04-28 Thread Benedikt Fraunhofer
Hi *,

 (2) Host header is www.example.com
 (3) All is good! Pass request on to server.
 (2) Host header is www.whatever.com
 (3) All is NOT good! Flick request somewhere harmless.

If that's all you want, you should be able to go with

 acl xxx_host hdr(Host)  -i xxx.example.com
 block if !xxx_host

, in your listen(, ...) section. But everything comes with a downside:
IMHO HTTP/1.0 doesn't require the Host header to be set, so you'll
effectively lock out all the HTTP/1.0 users unless you make another
rule checking for an undefined Host header (and allowing that) (or
checking for HTTP/1.0; there should be a macro for that).

Just my 2cent
  Beni.



Re: Matching URLs at layer 7

2010-04-28 Thread Willy Tarreau
On Wed, Apr 28, 2010 at 09:21:31PM +0930, Andrew Commons wrote:
 Hi Beni,
 
 A few things to digest here.
 
 What was leading me up this path was a bit of elementary (and probably naïve) 
 white-listing with respect to the contents of the Host header and the URI/L 
 supplied by the user. Tools like Fiddler make request manipulation trivial so 
 filtering out 'obvious' manipulation attempts would be a good idea. With this 
 in mind my thinking (if it can be considered as such) was that:
 
 (1) user request is for http://www.example.com/whatever
 (2) Host header is www.example.com
 (3) All is good! Pass request on to server.
 
 Alternatively:
 
 (1) user request is for http://www.example.com/whatever
 (2) Host header is www.whatever.com
 (3) All is NOT good! Flick request somewhere harmless.
 
 I'm not sure whether your solution supports this, and if your interpretation 
 is correct maybe HAProxy doesn't support it either.
 
 I'll do some more experimenting and I hope I don't lock myself out ;-)

I'm not sure what you're trying to achieve. Requests beginning with
"http://" are normally for proxy servers, though they're also valid
on origin servers. If what you want is to explicitly match any of
those, then you must consider that HTTP/1.1 declares a request with
a host field which does not match the one in the URL as invalid. So
in practice you could always just use the Host header as the one to
perform your switching on, and never use the URL part. You can even
decide to block any request beginning with "http://". No browser
will send that to you anyway.

Regards,
Willy




Re: Matching URLs at layer 7

2010-04-28 Thread Willy Tarreau
On Wed, Apr 28, 2010 at 06:21:34PM +0930, Andrew Commons wrote:
 As an aside, should the documentation extract below actually read:
 
 acl local_dst hdr(Host) -i localhost
                   ^
                   ^
 i.e. is the name of the header case sensitive? In my attempts to work this
 out I think that I had to use 'Host' rather than 'host' before it worked.

no, a header name is not case-sensitive, and the hdr() directive takes
care of that for you. However a header value is case sensitive, and since
the host header holds a DNS name, which is not case sensitive, you have to
use -i to be sure to match any possible syntax a user might use.

Regards,
Willy