Block specific URL in HAProxy / url-encoding

access-control-listhaproxyregexurl

I'm trying to restrict access to a specific URL. It should not allowed to access /admin.php.

frontend example
  acl restricted_page path_beg -i /admin\.php
  http-request deny if restricted_page

This works fine, HAProxy is blocking access to this URL.
But when I enter http://example.org/ad%6Din.php (%6D = hexcode for "m"), HAProxy is not restricting access.

What is the best way to do this?

Is there a option in HAProxy or do I need to specify a regluar expression matching "admin.php" as plaintext and/or url-encoded?
Are there any other ways to bypass the restriction?

Thanks!

Best Answer

As it happens, HAProxy has a converter to decode the field, making sure that your ACL will always match a given string.

url_dec
Takes an url-encoded string provided as input and returns the decoded version as output. The input and the output are of type string.

You'd use it like this.

frontend example
  acl restricted_page path_beg,url_dec -i /admin.php
  http-request deny if restricted_page

Related Solutions

Why Use ‘www’ in a URL? – Understanding the Purpose

One of the reasons why you need www or some other subdomain has to do with a quirk of DNS and the CNAME record.

Suppose for the purposes of this example that you are running a big site and contract out hosting to a CDN (Content Distribution Network) such as Akamai. What you typically do is set up the DNS record for your site as a CNAME to some akamai.com address. This gives the CDN the opportunity to supply an IP address that is close to the browser (in geographic or network terms). If you used an A record on your site, then you would not be able to offer this flexibility.

The quirk of the DNS is that if you have a CNAME record for a host name, you cannot have any other records for that same host. However, your top level domain example.com usually must have an NS and SOA record. Therefore, you cannot also add a CNAME record for example.com.

The use of www.example.com gives you the opportunity to use a CNAME for www that points to your CDN, while leaving the required NS and SOA records on example.com. The example.com record will usually also have an A record to point to a host that will redirect to www.example.com using an HTTP redirect.

HAProxy Specific URI

create a single frontend to 2 backends

frontend webserver
        bind :80
        option forwardfor
        acl bk_slow url_dir /slow_uri/
        use_backend slow-pool if bk_slow
        default_backend default-pool

backend default-pool
        balance ...
        option httpchk ...
        server ...

backend slow-pool
        balance ...
        option httpchk ...
        server ...
        timeout server 600s

~~timeout client 600s~~ is not necessary as it is a backend and haproxy warns about it.

I think url_dir is the best option for this, but you may want to check path_sub/reg or url_sub/reg (http://code.google.com/p/haproxy-docs/wiki/MatchingLayer7)

Best Answer

Related Solutions

Why Use ‘www’ in a URL? – Understanding the Purpose

HAProxy Specific URI

Related Topic