Netgate Discussion Forum

HAproxy custom ACL results in 503 error.

wontbeherelong
      I created a custom ACL named ACL12 to check for the presence of a cookie with:

      req.cook_cnt(organizrLanguage) gt 0
      

      The cookie is present when checking in developer tools in the browser. Generated HAproxy config shows:

      acl			ACL12	var(txn.txnhost) -m beg -i req.cook_cnt(organizrLanguage) gt 0
      use_backend Fileshare_ipv4  if   ACL12
      

      Anyone done something similar? Where am I going wrong?

PiBa @wontbeherelong

        @wontbeherelong
Looks to me like you chose "host begins with" instead of "custom acl"?

wontbeherelong

          @PiBa

I did have another ACL with 'host begins' for that front end. I thought that ACLs with different names were combined as 'and' and not 'or' statements. I'm now very confused, because I removed that ACL and tried using only:

          req.cook_cnt(mycookiename) -m found
          

At this point, I get no 503 and can access the page. BUT, if I clear all cookies and go straight to the subdomain without the cookie being present, I can also access the page. Here's a screenshot of my frontend ACL:
          Screenshot from 2019-06-01 14-47-53.png

How is this connecting without ACL12 being satisfied, as there is no cookie? My frontend settings clearly show 'Backend Fileshare if (ACL12)'?

PiBa @wontbeherelong

            @wontbeherelong
To combine 2 ACLs with different names you do need to put both names as ACLs behind the action. They would indeed combine as 'AND' then, unless specifically written with a "||" OR between the names.

Can you share the complete haproxy.cfg? The ACL above looks like it should check for existence of the cookie. But I wonder if perhaps there are other ACLs, other frontends, or a default backend that might point to the same server. Also, are you sure the cookie isn't already being returned automatically by only visiting a login page, perhaps?

wontbeherelong

              @PiBa
              Attaching my config (minus a few unnecessary ssl params etc). Unfortunately, I can't post it directly as it was flagged as spam and I also can't send a P.M.
              haproxy.txt

PiBa @wontbeherelong

                @wontbeherelong
                There seems no way around ACL12 to make it to the FileServer backend.

I wonder now if '-m found' is the proper action for a fetch that returns the number of matches; probably it should be 'gt 0' instead, like you had before?

wontbeherelong

                  @PiBa
gt 0 gets me back to 503. The cookie name is copied from Chromium developer tools and matches what I find in Firefox. So, either I use -m found and anyone can access the subdomain, or gt 0 gives me 503. I have no idea where to go from here. Any idea what is happening? If -m found directs me, is the cookie valid? But in that case, why is it accessible using a sub.domain without an ACL present?

PiBa @wontbeherelong

                    @wontbeherelong
                    The 'req.cook_cnt(' takes the NAME of a cookie to search for, not its value.

So try with only the part before the = and see if that creates a positive match. By the way, I verified that this does work for me with regard to the ACL actually matching with the 'gt 0' value and a manually inserted cookie:

                    acl			ACL12	req.cook_cnt(organizr_token_b112adac-dbcb-41c1-9ed6-e8eb190763f2) gt 0
                    http-request set-header ACL12cookieFound YES12 if ACL12
                    
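An added illustration, not code from this thread or from the pfSense HAProxy package: a small Python model of how the three ACL variants discussed above are evaluated, using the cookie name from PiBa's reply and a constructed cookie value. It assumes req.cook_cnt(NAME) returns an integer count that is 0 when no cookie has exactly that name, and that "-m found" only checks that a sample was produced, which is why that variant let every visitor through.

```python
# Added example (not from the thread or the pfSense package): a model of
# HAProxy's req.cook_cnt() ACL evaluation, showing why the three ACL variants
# in this thread behaved as they did. Assumptions: req.cook_cnt(NAME) yields an
# integer count (0 when the cookie is absent), and "-m found" only tests that a
# sample exists, so on an integer fetch it is always true.

def parse_cookie_header(header):
    """Split a Cookie request header into (name, value) pairs."""
    pairs = []
    for part in header.split(";"):
        part = part.strip()
        if part:
            name, _, value = part.partition("=")
            pairs.append((name.strip(), value.strip()))
    return pairs

def cook_cnt(cookie_header, name):
    """Model of req.cook_cnt(<name>): how many cookies have exactly that NAME."""
    return sum(1 for n, _ in parse_cookie_header(cookie_header) if n == name)

def acl_matches(cookie_header, name, test):
    """Evaluate 'req.cook_cnt(<name>) <test>' for test 'gt N' or '-m found'."""
    count = cook_cnt(cookie_header, name)
    if test == "-m found":
        return True  # an integer sample is always produced, even when it is 0
    if test.startswith("gt "):
        return count > int(test[3:])
    raise ValueError("unsupported ACL test: " + test)

def choose_backend(cookie_header, name, test):
    """use_backend Fileshare_ipv4 if ACL12; with no default_backend, 503."""
    if acl_matches(cookie_header, name, test):
        return "Fileshare_ipv4"
    return "503 Service Unavailable"

# Cookie name from the thread; the value and the second cookie are constructed.
TOKEN_NAME = "organizr_token_b112adac-dbcb-41c1-9ed6-e8eb190763f2"
WITH_COOKIE = TOKEN_NAME + "=value123; theme=dark"   # constructed header
NO_COOKIE = ""                                        # visitor with no cookies

if __name__ == "__main__":
    variants = [
        ("name=value, gt 0 (first attempt)", TOKEN_NAME + "=value123", "gt 0"),
        ("name, -m found (lets everyone in)", TOKEN_NAME, "-m found"),
        ("name, gt 0 (the fix)", TOKEN_NAME, "gt 0"),
    ]
    for label, name, test in variants:
        for who, hdr in (("with cookie", WITH_COOKIE), ("no cookie", NO_COOKIE)):
            print(label, "/", who, "->", choose_backend(hdr, name, test))
```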
wontbeherelong

                      Thank you so much, I really appreciate you helping me out on this one - it needed a fresh set of eyes! The cookie length was so long that I hadn't noticed the = sign, so like you said I was using the value in addition to the name. Using my original gt 0 with the proper cookie name does indeed work, and it's behaving exactly as I'd hoped. Fantastic!

zecora

                        I know this is an older post/thread, but I am running into the issue with HAProxy and Organizr not getting along. I am new to HAProxy and not really sure how to implement the fix here. Would anyone be willing to explain it to me in detail?
