Netgate Discussion Forum

    HAProxy Frontend ACL Limitation

    HA/CARP/VIPs
    • A
      arnold.assistant

      We have 104 active ACLs and Actions on our frontend. Whenever we want to add a new ACL + Action the following error occurs: "The value '' in field 'Client timeout' is not a number."

      Whenever this error occurred, some of our configurations for the frontend were reset. (Default Backend, Additional certificates)

      haproxy-error.png

      We are using haproxy-devel 0.60_5 but have already tested out haproxy 0.60_4 where the same error occurred.

      As a workaround we tried to add the ACL rule + the action into the Advanced pass thru section like the following:

      acl			xyz var(txn.txnhost) -m str -i xyz.companyname.com
      http-request redirect location https://test.companyname.com/xyz if xyz
      

      This section is then present inside of the /var/etc/haproxy/haproxy.cfg file content just beneath the frontend, however, the redirect is not working.

      Is there any fix or workaround to this problem?

      • P
        PiBa @arnold.assistant

        @arnold-assistant
        I don't see why adding an extra redirect wouldn't work. If you check out the generated haproxy.cfg config (bottom of the settings tab), I guess it's all there as expected?

        As for the other client-timeout error, I think the 'POST' that is generated is getting too big. I'll try and fix that.

        • A
          arnold.assistant

          Sadly it does not work with passing it through the Advanced pass thru field, even though it is present inside of the haproxy.cfg file.

          However, it is being added above all the other ACLs, might this be the issue?

          frontend www.companyname.com
          	bind			<IPv4>:443 name <IPv4>:443   ssl crt-list /var/etc/haproxy/www.companyname.com.crt_list  
          	bind			<IPv4>:80 name <IPv4>:80   
          	bind			<IPv6>:80 name <IPv6>:80   
          	bind			<IPv6>:443 name <IPv6>:443   ssl crt-list /var/etc/haproxy/www.companyname.com.crt_list  
          	mode			http
          	log			global
          	option			http-keep-alive
          	timeout client		30000
          	acl			xyz var(txn.txnhost) -m str -i xyz.companyname.com
          	http-request redirect location https://test.companyname.com/xzy if xyz
          	acl			letsencrypt-acl	var(txn.txnpath) -m beg -i /.well-known/acme-challenge/
          	acl			is_not_www	var(txn.txnhost) -m str -i companyname.com
          	acl			is_staging.companyname.com	var(txn.txnhost) -m str -i staging.companyname.com
          	acl			is_go.companyname.com	var(txn.txnhost) -m str -i go.companyname.com
                  .
                  .
                  .
                  http-request set-var(txn.txnpath) path
          	http-request set-var(txn.txnhost) hdr(host)
          	http-request redirect prefix https://www.companyname.com  if  is_not_www 
          	http-request redirect location https://test.companyname.com/dirname/staging/  if is_staging.companyname.com   
          	http-request redirect location https://test.companyname.com/dirname/go/  if  is_go.companyname.com
                  .
                  .
                  .
          

          All the other redirects do work, only the newly added redirect (inside of the Advanced pass thru field) does not work at all.

          Thanks for trying to fix the 'POST' problem.

          • P
            PiBa @arnold.assistant

            @arnold-assistant said in HAProxy Frontend ACL Limitation:
            Perhaps try not using the 'var'. I think now that it did not 'set' it yet when the advanced config ACL is using it. http-request rules are processed in the order they appear in the config, so to avoid that, change the ACL like this:

            acl			xyz hdr(Host) -m str -i xyz.companyname.com
            http-request redirect location https://test.companyname.com/xyz if xyz
            
            1 Reply Last reply Reply Quote 0
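
The ordering problem described in the last reply can be checked mechanically before a config is deployed. The Python sketch below is an added example, not code from the posts or from the pfSense HAProxy package: it flags any http-request rule whose condition uses an ACL that reads a variable no earlier set-var rule has populated. The sample config is constructed from the snippets in this thread, and the function name is hypothetical.

```python
import re

# Constructed sample, modelled on the frontend posted in this thread.
SAMPLE = """\
frontend www.companyname.com
    mode http
    acl xyz var(txn.txnhost) -m str -i xyz.companyname.com
    http-request redirect location https://test.companyname.com/xyz if xyz
    acl is_not_www var(txn.txnhost) -m str -i companyname.com
    http-request set-var(txn.txnpath) path
    http-request set-var(txn.txnhost) hdr(host)
    http-request redirect prefix https://www.companyname.com if is_not_www
"""

VAR_REF = re.compile(r"\bvar\(([\w.]+)\)")
SET_VAR = re.compile(r"^http-request\s+set-var\(([\w.]+)\)")


def find_unset_var_uses(cfg_text):  # hypothetical helper name
    """Return (line_no, acl_name, var_name) for each http-request rule whose
    condition uses an ACL reading a variable that no earlier rule has set."""
    lines = [line.strip() for line in cfg_text.splitlines()]
    # Pass 1: named ACLs are evaluated where they are used, not where they
    # are declared, so first record which variables each ACL reads.
    acl_vars = {}
    for line in lines:
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[0] == "acl":
            acl_vars.setdefault(parts[1], set()).update(VAR_REF.findall(parts[2]))
    # Pass 2: walk http-request rules in file order, tracking set-var so far.
    already_set, findings = set(), []
    for no, line in enumerate(lines, 1):
        if not line.startswith("http-request"):
            continue
        cond = re.split(r"\s(?:if|unless)\s", line, maxsplit=1)
        if len(cond) == 2:
            for tok in cond[1].split():
                name = tok.lstrip("!")
                for var in sorted(acl_vars.get(name, set()) - already_set):
                    findings.append((no, name, var))
        match = SET_VAR.match(line)
        if match:
            already_set.add(match.group(1))
    return findings


if __name__ == "__main__":
    for no, acl, var in find_unset_var_uses(SAMPLE):
        print(f"line {no}: ACL '{acl}' reads {var} before any set-var for it")
```
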
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.