HAPROXY Access Control Lists (ACLs)


HAProxy is a high-performance TCP/HTTP reverse proxy and load balancer with the following features:

  • Route HTTP requests according to statically assigned cookies

  • Load balance across multiple servers with session stickiness based on HTTP cookies

  • Switch to backup servers when the primary servers fail

  • Accept connections on dedicated ports for service monitoring

  • Stop accepting new connections gracefully (soft stop) without breaking established ones

  • Add, modify, or delete HTTP headers in requests and responses

  • Block requests that match particular patterns

  • Provide a status-reporting page to authenticated users

In practice it is often necessary, for security reasons, to configure access rules in HAProxy; these rules are implemented with ACLs.

The purpose of Access Control Lists (ACLs) is to provide a flexible way to make decisions based on content extracted from the request, the response, or any environmental status.

The principle is the following:

  • Extract a data sample from a     stream, table, or the environment

  • Apply optionally some format     conversion to the extracted sample

  • Apply one or multiple pattern     matching methods on this sample

ACL Syntax

ACLs are defined using the keyword acl. The syntax is:

acl <aclname> <criterion>[,<converter>]... [flags] [operator] [<pattern>] ...

ACLs take the following parameters:

<aclname>
    Name of the ACL; choose one that describes what it matches. It may contain upper- and lower-case letters, digits, "-" (dash), "_" (underscore), "." (dot) and ":" (colon). Names are case sensitive, so my_acl and My_Acl are two different ACLs. Several acl lines may share one name; their patterns are then ORed together.

<criterion>
    A sample fetch describing the portion of the request, response or environment the ACL inspects (for example req.hdr(host), path, src).

[<converter>] (optional)
    One or several converters, separated by commas and appended directly to the criterion (for example req.hdr(host),lower), that transform the fetched data before it is matched.

[flags] (optional)
    Refine where and how the match is applied, for example -i for case-insensitive matching, -m <method> to choose the matching method, -f <file> to load patterns from a file, and -- to end flag parsing when a pattern itself starts with a dash.

[operator] (optional)
    For numeric samples, the comparison applied between the data from <criterion> and <pattern>: eq, ne, le, ge, lt, gt (equality is the default).

[<pattern>] (optional)
    The list of patterns the data from <criterion> is compared with. Patterns have the same type as the data produced by <criterion> or by the last <converter>. The outcome of this match is the result of the whole ACL.

An ACL evaluates to one of two values:

TRUE   when the data from <criterion> matches at least one of the <pattern> entries

FALSE  when the data from <criterion> matches none of the <pattern> entries

ACL Examples

To quickly detect the presence of a JSESSIONID cookie in an HTTP request (-m found tests that the sample exists, whatever its value):

acl jsess_present req.cook(JSESSIONID) -m found

Apply a regular expression over the first 500 bytes of data in the request buffer (req.payload only sees what has already been buffered; add option http-buffer-request to the frontend if the body must be inspected reliably):

acl script_tag req.payload(0,500) -m reg -i <script>

Apply both case-sensitive and case-insensitive matches, using the -i flag:

acl valid-ua hdr(user-agent) -f exact-ua.lst -i -f generic-ua.lst test

The following happens:

  • each line     of exact-ua.lst is matched exactly against the     user-agent header of the request.

  • each line     of generic-ua.lst is matched without case-sensitivity.

  • the word test is also matched     without case-sensitivity.

Match any negative Content-Length header:

acl negative-length hdr_val(content-length) lt 0

Match any SSL version between 3.0 and 3.1 (inclusive):

acl sslv3 req_ssl_ver 3:3.1

Look for the string -i in the User-Agent header. Because -i would otherwise be parsed as a flag, -- ends flag parsing so that the next word is taken as a pattern:

acl ua_dash_i req.hdr(user-agent) -m sub -- -i

Match the string Hello followed by a newline at the beginning of the input stream (hex values: 48 65 6c 6c 6f 0a):

acl hello req.payload(0,6) -m bin 48656c6c6f0a

Convert the X-Forwarded-For header into an IP address and match it against the private ranges. The header may carry several comma-separated addresses, so the ,-1 occurrence selector picks the last one, which is the one appended by the proxy closest to HAProxy. X-Forwarded-For is client-supplied and is only trustworthy when your own edge proxy set it:

acl xff_private req.hdr(X-Forwarded-For,-1) -m ip 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16

Match static content either by the Host header or by the URL path. Both lines use the same ACL name, so their results are ORed:

acl static hdr_dom(Host) -i static.domain.com assets.domain.com
acl static path_beg -i /static/ /images/ /css/
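The definitions above only become useful once they drive a decision. The frontend below is an added example, not a configuration from the HAProxy documentation or from the original page; it ties the syntax elements of the previous section (criterion, converter, flags, operator, pattern) and the example ACLs to http-request and use_backend rules. The edge range 10.0.0.0/8, the example.com host names, the backend names and the 192.0.2.x server addresses are assumptions chosen for the illustration.

```haproxy
frontend web_in
        bind :80
        mode http
        # Buffer the request body so that req.payload() below actually sees it;
        # without this only whatever has already arrived is inspected.
        option http-buffer-request

        # criterion + converter: lower-case the Host header, then domain match
        acl host_static   req.hdr(host),lower -m dom static.example.com assets.example.com
        # criterion + flag: case-insensitive prefix match on the path
        acl path_static   path_beg -i /static/ /images/ /css/
        # criterion + operator: numeric comparison on a header value
        acl negative_len  req.hdr_val(content-length) lt 0
        # criterion + flag + regex pattern over the first 500 bytes of the body
        acl script_tag    req.payload(0,500) -m reg -i <script>
        # "--" ends flag parsing so that "-i" is a pattern, not a flag
        acl ua_dash_i     req.hdr(user-agent) -m sub -- -i
        # assumed address range of our own edge proxies
        acl from_edge     src 10.0.0.0/8
        # last X-Forwarded-For entry, cast to an IP and matched against RFC 1918 space
        acl xff_private   req.hdr(x-forwarded-for,-1) -m ip 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16

        # Decisions: http-request rules are evaluated in order, first match wins.
        http-request deny deny_status 400 if negative_len
        http-request deny if script_tag || ua_dash_i
        # An external client asserting an internal address in X-Forwarded-For is spoofing.
        http-request deny if xff_private !from_edge
        # Everyone else outside the edge loses any client-supplied X-Forwarded-For.
        http-request del-header x-forwarded-for if !from_edge

        # Routing: two named ACLs ORed into one decision
        use_backend static_srv if host_static || path_static
        default_backend app_srv

backend static_srv
        server s1 192.0.2.10:80 check

backend app_srv
        server a1 192.0.2.20:80 check
```

Save this as a file and run haproxy -c -f <file> to have HAProxy validate the syntax before loading it; the order of the http-request lines matters, since the deny on xff_private must run before del-header removes the header it inspects.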

 

The following is an example of web access control that routes static resources to a dedicated backend:

vim /etc/haproxy/haproxy.cfg 

① stats page configuration for web monitoring
listen stats
        bind 0.0.0.0:1080
        stats enable
        stats hide-version
        stats uri /haproxyadmin
        stats auth along:along
        # every authenticated user may enable/disable servers; restrict this in production
        stats admin if TRUE

② ACLs in the frontend
frontend web
        bind :80
        acl staticfile path_end .jpg .png .bmp .htm .html .css .js
        # defined but not referenced: .php requests fall through to default_backend
        acl appfile path_end .php
        use_backend staticsrvs if staticfile
        default_backend appsrvs

③ backend cluster groups

backend staticsrvs
        balance roundrobin
        server staticweb 192.168.30.107:80 check inter 3000 rise 3 fall 3

backend appsrvs
        balance roundrobin
        server appweb 192.168.30.7:80 check inter 3000 rise 3 fall 3
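The listener above exposes the stats page on every interface with a guessable login and grants admin actions (enabling or disabling servers) to anyone who authenticates. The hardened variant below is an added example, not part of the original page: it keeps the page's routing and backends but binds the stats socket to a management address, gates admin actions on a source-address ACL instead of "if TRUE", matches extensions case-insensitively, and uses combined ACLs to keep executable files and dotfiles out of the static backend. The 10.10.0.5 management address, the 10.10.0.0/24 management network and the credential placeholder are assumptions.

```haproxy
# ① stats page: reachable from the management network only,
#    admin actions gated by an ACL rather than "if TRUE"
listen stats
        bind 10.10.0.5:1080                 # assumed management address, not 0.0.0.0
        mode http
        acl mgmt_net src 10.10.0.0/24       # assumed management network
        http-request deny unless mgmt_net
        stats enable
        stats hide-version
        stats uri /haproxyadmin
        stats realm HAProxy\ Statistics
        stats auth along:CHANGE-ME-long-random-secret   # placeholder credential
        stats refresh 10s
        stats admin if mgmt_net

# ② frontend: case-insensitive extension match, plus deny rules that
#    combine ACLs (a .php file under a static path never reaches a PHP runtime)
frontend web
        bind :80
        mode http
        acl staticfile  path_end -i .jpg .png .bmp .htm .html .css .js
        acl staticpath  path_beg -i /static/ /images/ /css/
        acl appfile     path_end -i .php
        acl dotfile     path_sub /.          # e.g. /.git/, /.env
        acl safe_method method GET HEAD POST
        http-request deny unless safe_method
        http-request deny if dotfile
        http-request deny if appfile staticpath
        use_backend staticsrvs if staticfile
        default_backend appsrvs

# ③ backends as on the page
backend staticsrvs
        balance roundrobin
        server staticweb 192.168.30.107:80 check inter 3000 rise 3 fall 3

backend appsrvs
        balance roundrobin
        server appweb 192.168.30.7:80 check inter 3000 rise 3 fall 3
```

Two ACL names on one condition (appfile staticpath) are ANDed, while || ORs them and ! negates; unless is simply the negated form of if. The stats auth line still applies to the admin actions, so an operator on the management network must both come from the right address and present the password.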

