HAProxy: Adding a Path in Backend Config

Gamienator 0 · Jun 12, 2024, 1:20 PM

Hey everyone,

I hope you're able to help me out. Behind a Reverseproxy I'm running Uptime-Kuma. The neat part of this is, that you can setup public status pages. What I want is, that the Adminpage should be reachable at
admin.status.test.com and the public page at: status.test.com. Reason for this is, that I'm able to put another ACL an admin.status.test.com so I'm able to restrict SourceIP Access.

Now my Question: How am I able to configre the backend? While the admin page is reachable at http://172.16.10.4:3001 the public page is reachable at http://172.16.10.4:3001/status/all So Same IP and Port. Adding /status/all to the address field in the backend results into an error.

Thanks for your help!

viragomann · Jun 12, 2024, 6:20 PM

@Gamienator-0 said in HAProxy: Adding a Path in Backend Config:

Reason for this is, that I'm able to put another ACL an admin.status.test.com so I'm able to restrict SourceIP Access.

You can as well restrict access based on missing the path "/status/all" with an negated "path starts with" ACL if this is your only one aim here.

Gamienator 0 · Jun 12, 2024, 7:35 PM

@viragomann

Oh no, I really want to have separate Subdomains to push to other admins just that without an path

viragomann · Jun 12, 2024, 8:34 PM

@Gamienator-0
I suspected this, but you weren't clear. You can insert the needed path with an "http-request set-path" action.

You might already have created an "Host matches" admin.status.test.com ACL to restrict access to the admin page. I call it "kuma_adm" here.

So then to insert the path, add an action "http-request set-path" and enter "/status/all/%[path]" below. At Condition acl enter "!kuma_adm", which negates the ACL.

Basically this should be doable either in the frontend or in the backend. If in the frontend, ensure to put this rule above of the "use backend" rules.

Gamienator 0 · Jun 12, 2024, 8:47 PM

@viragomann

Thanks for the advise!

What do I need to do when I want to set it in the Backend? Year create an action but I‘m confused what the ACL should be.

This HA Proxy serves multiple services which are separated by subdomains. So yes, I have some match host ACL in the frontend. So if I would use the negate way in your example it would be applied to the other services as well

viragomann · Jun 12, 2024, 8:54 PM

@Gamienator-0
You can create the same ACL for "Host matches" admin.status.test.com in the backend and use it in the rule.

Gamienator 0 · Jun 12, 2024, 9:01 PM

@viragomann

Thanks! I‘ll set it up tomorrow and report