How to match a wildcard host in ACL lists in HAproxy

access-control-listhaproxyregex

I have the following lines in my haproxy.conf:

acl valid_domains hdr(Host) -i mysite.com images.mysite.com docs.mysite.com admin.mysite.com
redirect location http://mysite.com/invalid_domain if !valid_domains

How do I match any subdomain?

I tried:

acl valid_domains hdr(Host) -i *.mysite.com

and:

acl valid_domains hdr(Host) -i [a-z]+.mysite.com

… But neither worked.

Thanks

Best Answer

I feel that hdr_sub is better for your needs. I was using hdr_end for a while but it runs into the following problem:

requests with port 80 usually get the port stripped so the host header looks like "example.com", but if you were requesting on a port explicitly, like example.com:8080, the header will have the port, and hdr_end will fail the check for "example.com".

hdr_sub will do a substring match, which seems like a better fit for you (and me).

Either solution still has a nasty thing I don't like. Order dependent evaluation of the results.

e.g (my conditions look like this on the frontend)

acl is_dbadmin hdr_sub(host) -i dbadmin.example.com

Requesting on port 8080 would be like this:

Jul  9 02:48:40 localhost haproxy[8]: 192.168.1.1:55870 [09/Jul/2015:02:48:40.865] http-in example/s1 1/0/0/20/110 200 330722 - - ---- 0/0/0/0/0 0/0 {**example.com:8080**||http://example.com:} {Apache/2.4.10 (Debia||||} "GET /wp-includes/js/zxcvbn.min.js HTTP/1.1"

where as port 80 could likely be like this

Jul  9 02:48:40 localhost haproxy[8]: 192.168.1.1:55870 [09/Jul/2015:02:48:40.865] http-in example/s1 1/0/0/20/110 200 330722 - - ---- 0/0/0/0/0 0/0 {example.com||***http://example.com***:} {Apache/2.4.10 (Debia||||} "GET /wp-includes/js/zxcvbn.min.js HTTP/1.1"

Related Solutions

Cisco Route-Map Multiple ACL Match (Logical AND)

Easiest way in my opinion is to setup an access-list with all the matches you need and put that in the route-map.

EDIT

Disclaimer: I'm just guessing here.

You can try this, assuming access-list 100 for sources and access-list 110 for destinations:

Here you revert the logic of the access-lists:

access-list 100 deny ip 10.0.0.0 255.255.255.0 any
access-list 100 permit any

access-list 110 deny ip any 192.168.0.0 255.255.255.0
access-list 110 permit any

and then use deny on your route-map (so if the access-list permits, then the rule fails):

route-map TEST deny 10
   match ip address 100
route-map TEST deny 20
   match ip address 110
route-map TEST permit 30
   set vrf TESTVRF

The logic behind this is:

if source_address is not 10.0.0.0/24 {
    fail
} else {
    if destination_address is not 192.168.0.0/24 {
        fail
    } else {
        set vrf TESTVRF
    }
}

Basically it checks first if source is permitted (via access-list 100), if permitted then it checks if destination is permitted (access-list 101), at last if BOTH are permitted set the vrf.

Then you can easily permit N different source networks in access-list 100 and M different destination networks in access-list 101.

TCP Proxy – Proxying TCP by Hostname

As an alternative to proxying (where it depends on the application protocol if it's possible to do based on hostnames) you may want to check if the client software is SRV aware, in which case you should be able to set this up in DNS alone.

An SRV record has the following format:

_Service._Proto.Name TTL Class SRV Priority Weight Port Target

In your specific example where you mentioned multiple instances of Minecraft it should be possible to do this based on SRV records and the records could look something like this:

_minecraft._tcp.foo.example.com. 86400 IN SRV 0 5 25565 server1.example.com.
_minecraft._tcp.bar.example.com. 86400 IN SRV 0 5 25566 server1.example.com.

Best Answer

Related Solutions

Cisco Route-Map Multiple ACL Match (Logical AND)

TCP Proxy – Proxying TCP by Hostname

Related Topic