HAproxy custom ACL results in 503 error.

  • I created a custom ACL named ACL12 to check for the presence of a cookie with:

    req.cook_cnt(organizrLanguage) gt 0

    The cookie is present when checking in developer tools in the browser. Generated HAproxy config shows:

    acl			ACL12	var(txn.txnhost) -m beg -i req.cook_cnt(organizrLanguage) gt 0
    use_backend Fileshare_ipv4  if   ACL12

    Anyone done something similar? Where am I going wrong?

  • @wontbeherelong
    Looks to me like you chose "host begins with" instead of "custom acl" ?

  • @PiBa

    I did have another ACL with 'host begins' for that front end. I thought that ACL's with different names were combined as 'and' and not 'or' statements. I'm now very confused, because I removed that ACL and tried using only:

    req.cook_cnt(mycookiename) -m found

    At this point, I get no 503 and can access the page. BUT, if I clear all cookies and go straight to the subdomain without the cookie being present, I can also access the page. Here's a screenshot of my frontend ACl:
    Screenshot from 2019-06-01 14-47-53.png

    How is this connecting without ACL12 being satisfied as there is no cookie? My frontend settings clearly show 'Backend Fileshare if(ACL12)?

  • @wontbeherelong
    To combine 2 acls with different names you do need to put both the names as acl's behind the action. They would indeed combine as 'AND' then. Unless specifically written with a "||" OR between the names.

    Can you share the complete haproxy.cfg ? The acl above looks like it should check for existence of the cookie. But i wonder if perhaps there are other acl's or other frontends or default backend that might point to the same server. Also are you sure the cookie isn't already returning automatically by only visiting a login page perhaps?

  • @PiBa
    Attaching my config (minus a few unnecessary ssl params etc). Unfortunately, I can't post it directly as it was flagged as spam and I also can't send a P.M.

  • @wontbeherelong
    There seems no way around ACL12 to make it to the FileServer backend.

    I wonder now if '-m found' is the proper action for a fetch that returns the number of matches, probably it should be 'gt 0' instead like you had before.?

  • @PiBa
    gt 0 gets me back to 503. Cookie name is copied from chromium developer tools and matches what I find in firefox. So, either i use -m found and anyone can access the subdomain, or gt 0 gives me 503. I have no idea where to go from here. Any idea what is happening? If -m found directs me is the cookie valid? But in which case, why is it accessible using a sub.domain without an ACL present?

  • @wontbeherelong
    The 'req.cook_cnt(' takes the NAME of a cookie to search for, not its value.

    So try with only the part before the = and see if that creates a positive match. b.t.w. i verified that this does work for me with regard to the acl actually matching with the 'gt 0' value, and a manually inserted cookie:

    acl			ACL12	req.cook_cnt(organizr_token_b112adac-dbcb-41c1-9ed6-e8eb190763f2) gt 0
    http-request set-header ACL12cookieFound YES12 if ACL12

  • Thank you so much, I really appreciate you helping me out on this one - it needed a fresh set of eyes! The cookie length was so long that I hadn't noticed the = sign, so like you said I was using the value in addition to the name. Using my original gt 0 with the proper cookie name does indeed work, and it's behaving exactly as I'd hoped. Fantastic!

Log in to reply