HAProxy – Regular Expression to Restrict URL

haproxyregex

I had successfully restricted an URL in my web app to certain trusted IP, using below-mentioned config in haproxy config

acl trusted-ip src -f /etc/haproxy/whitelist.lst    
acl protected-page url /abc /abc/    
acl allowed-page url /abc/api/
http-request deny if protected-page !allowed-page !trusted-ip

I want all users to access "/abc/api" URL, while "/abc" will be accessible only to Trusted IP.
The problem here is if anyone from non-trusted IP enters "/abc?something" the URL "/abc" opens, in order to avoid this, I modified the config to

acl trusted-ip src -f /etc/haproxy/whitelist.lst
acl protected-page url_reg ^(?!\/abc\/api).*$
http-request deny if protected-page !trusted-ip

Now I was able to solve the above-mentioned problem, but the "/abc/api" is not accessible to anyone. Any help will be appreciated.

Best Answer

Use path instead of url

This extracts the request's URL path, which starts at the first slash and ends before the question mark (without the host part). A typical use is with prefetch-capable caches, and with portals which need to aggregate multiple information from databases and keep them in caches. Note that with outgoing caches, it would be wiser to use "url" instead. With ACLs, it's typically used to match exact file names (eg: "/login.php"), or directory parts using the derivative forms. See also the "url" and "base" fetch methods.
ACL derivatives :
  path     : exact string match
  path_beg : prefix match
  path_dir : subdir match
  path_dom : domain match
  path_end : suffix match
  path_len : length match
  path_reg : regex match
  path_sub : substring match

Related Solutions

How to configure Haproxy to choose a backend based on content in the HTTP request body (not headers)

It doesn't look like this is possible judging from the "Matching Layer 7" section of the configuration documentation. You might be able to pull it off with the payload feature but I have never tried this and it sounds like it was designed for session stickyness:

payload(offset,length) This extracts a binary block of bytes, and starting at bytes in the buffer of request or response (request on "stick on" or "stick match" or response in on "stick store response").

That being said this seems like a strange thing to do to me. Having to pull data out of the payload seems like it would be processor intensive. This also seems like a nonstandard way to do this to me. If that is true, even if haproxy can do you might end up making haproxy a dependency of your application (Although I am a big fan of HAProxy, that is never a good idea). You can pull values out of the URL requests, the header, and cookies easily. So we might be able to help you more if you explain why you are looking at this solution.

Haproxy ACL for balance on URL request

I don't know if it is an actual issue, but you don't need to escape slashes in HAProxy's regexes. Also, in your stated case, you don't even need regexes but can use simple string matchers. They are magnitudes faster than regexes. So your ACLs could look like this:

acl msg-url-3 url_beg /path/mail/
acl msg-url-4 url_beg /path/wazap/

If no server is available in a dispatched backend, HAProxy will return an HTTP 503 response. You can use errorloc or errorfile to customize the response.

But it could be that I slightly misunderstood your issue. It's not very clear what exactly is not working as expected.

Best Answer

Related Solutions

How to configure Haproxy to choose a backend based on content in the HTTP request body (not headers)

Haproxy ACL for balance on URL request

Related Topic