I am using Haproxy 1.5.3 setup with ssl on the frontend and also sending ssl to the backend servers. the mode is http and using acls to determine stickyness.
My test requests are as follows:
- wget https: //domain.com/ping?IPT=transpor6t&FROM_ADDRESS=409
- wget https: //domain.com/ping?FROM_ADDRESS=409&IPT=transport6
- the real url will have 5 different parameters and the FROM_ADDRESS will be the 3rd Parameter.
I need to create sticky requests on this 3rd Parameter and there seems to be many ways to do this using Haproxy and even though using regex is expensive it provides us the most flexibility, so that is what we chose (in this example we moved away from regex to simplify the problem and decided just to look at the last character of the parameter, so to make sure the regex is not the problem.
Our ACL setup (more of a test bed to see if we can get it to work)
acl block_1 urlp_end(FROM_ADDRESS) 0
acl block_2 urlp_end(FROM_ADDRESS) 9
use_backend block_1_hosts if block_1
use_backend block_2_hosts if block_2
backend block_1_hosts
option httpchk GET /ping
server s1 s1.domain.com:443 weight 1 maxconn 2000 check ssl verify none inter 2000
server s2 s2.domain.com:443 weight 1 maxconn 2000 check ssl verify none inter 2000 backup
backend block_2_hosts
option httpchk GET /ping
server s1 s1.domain.com:443 weight 1 maxconn 2000 check ssl verify none inter 2000 backup
server s2 s2.domain.com:443 weight 1 maxconn 2000 check ssl verify none inter 2000
With the testing we have done we believe that only the first parameter it finds in the URL can be matched (it does not search the rest of the parameters). This may be a bug or maybe by design (the docs seem a little ambiguous around urlp at least to us) but it would make sense that you should be able to match all parameter in the URL.
**Test1 - FROM_ADDRESS in the second parameter position fails**
wget https://domain.com/ping?IPT=transpor6t&FROM_ADDRESS=409
haproxy logs:
5.35.250.77:41464 [22/Aug/2014:14:20:49.783] https-in~ https-in/<NOSRV> -1/-1/-1/-1/12 503 212 - - SC-- 0/0/0/0/0 0/0 "GET /ping?IPT=transpor6t HTTP/1.0"
**Test2 - FROM_ADDRESS in the first parameter position passes**
wget https://domain.com/ping?FROM_ADDRESS=409&IPT=transport6
haproxy logs:
5.35.250.77:41465 [22/Aug/2014:14:21:33.763] https-in~ block_2_hosts/rs6 12/0/2/2/16 200 229 - - ---- 0/0/0/0/0 0/0 "GET /ping?FROM_ADDRESS=409 HTTP/1.0"
Shouldn't they both pass with this ACL? Any thoughts?
Many thanks,
Andre
Best Answer
Haven't tested this yet, but try specifying the delimiter: