Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    How to reject requested path without getting to webserver with HaProxy

    Scheduled Pinned Locked Moved
    Cache/Proxy
    2
    4
    565
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • L
      LakeWorthB
      last edited by

      I am using HaProxy, and I would like to reject a requested path, but not have any request go to webserver. It seems that the path options ads a http-request test, which ends up going to the server at least for a hit, even when returning an error. If I try adding a tcp-request deny rule, I get this error: "a 'tcp-request' rule placed after an 'http-request' rule will still be processed before." because the http-request rule is used to get the path. What is the best way to do this?

      Thanks.

      1 Reply Last reply Reply Quote 0
      • DerelictD
        Derelict LAYER 8 Netgate
        last edited by

        What do you want to be sent back to the web client?

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        L 1 Reply Last reply Reply Quote 0
        • L
          LakeWorthB @Derelict
          last edited by

          @Derelict either no response, or 403.

          1 Reply Last reply Reply Quote 0
          • DerelictD
            Derelict LAYER 8 Netgate
            last edited by

            So match the URL and use http-request deny in the frontend.

            https://www.haproxy.com/blog/introduction-to-haproxy-acls/

            Screen Shot 2020-09-20 at 11.09.44 AM.png

            Screen Shot 2020-09-20 at 11.09.52 AM.png

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

            1 Reply Last reply Reply Quote 0
            • First post
              Last post
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.