HAProxy : ACL Settings

It's possible to distribute requests to backend servers according to rules to set HAProxy ACL. This example is based on the environment like follows. It needs you set DNS to receive requests of hostnames or domainnames you set ACL on HAProxy server. -----------+-------------+ | | |10.0.0.30 | +----------+-----------+ | | [ dlp.srv.world ] | | | HAProxy | | +----------------------+ | | -------------+-----------+--------------+---------- | | | |10.0.0.51 | |10.0.0.52 +-----------+----------+ | +-----------+----------+ | [ node01.srv.world ] | | | [ node02.srv.world ] | | Web Server#1 | | | Web Server#2 | +----------------------+ | +----------------------+ | -------------+-----------+--------------+---------- | | |10.0.0.53 |10.0.0.31 +-----------+----------+ +-----------+----------+ | [ node03.srv.world ] | | [ www.srv.world ] | | Web Server#3 | | Web Server#4 | +----------------------+ +----------------------+

[1]

The syntax of ACL is like follows. acl <aclname> <criterion> [flags] [operator] [<value>] ... For <aclname>, specify any ACL name you like, for [operator], some criteria support an operator. For others, see official documents below. ⇒ https://www.haproxy.com/documentation/hapee/latest/onepage/#7.3.6 Follows are the list of criteria and flags that are expected to be often used. criterion description path extracts the request's URL path query extracts the request's query string hdr returns the last comma-separated value of the header in an HTTP request src the source IP address of the client of the session possible to use on L4 mode dst_port the destination TCP port possible to use on L4 mode only flags description -i ignore case -f load patterns from a file -m specify pattern matching method refer to the right table for methods -n forbid the DNS resolutions -u force the unique ID of the ACL method description bool check the value as a boolean beg match the value that begins with the provided patterns end match the value that ends with the provided patterns int match the value as an integer ip match the value as IP addresses len match the value as provided length reg match the value with regular expressions str check the value as a string sub match the value that contains the provided patterns

[2]	Configure HAProxy.

[root@dlp ~]#  vi /etc/haproxy/haproxy.cfg # add to the end frontend http-in bind *:80 option forwardfor # set ACL # [Host] in HTTP request header is [node01.srv.world] acl host_node01 hdr(Host) -i node01.srv.world # [Host] in HTTP request header begins with [node02] acl host_node02 hdr_beg(Host) -i node02 # [Host] in HTTP request header contains [develop] acl host_node03 hdr_sub(Host) -i develop # domain name of [Host] in HTTP request header is [virtual.host] acl host_virtual_host hdr_dom(Host) -i virtual.host # PATH in HTTP request begins with [/work] acl path_workdir path -m beg /work # PATH in HTTP request contains [test] acl path_testdir path_sub -i test # query in HTTP request contains [script] acl query_script query -m sub script # source client IP address is [10.0.0.5/32] acl src_ip src -m ip 10.0.0.5/32 # set action for each ACL use_backend www_node01 if host_node01 || path_workdir use_backend www_node02 if host_node02 || path_testdir use_backend www_node03 if host_node03 || query_script use_backend www_default if host_virtual_host || src_ip default_backend www_default backend www_node01 server node01 10.0.0.51:80 check backend www_node02 server node02 10.0.0.52:80 check backend www_node03 server node03 10.0.0.53:80 check backend www_default server www_default 10.0.0.31:80 check [root@dlp ~]#  systemctl restart haproxy

[3]	Verify working normally to access to the frontend HAproxy Server with each matching pattern.